Detecting phishing emails can be very difficult as attackers find more and more creative ways to conceal them.
What is phishing?
Phishing is when an attacker sends a user an email that appears to be legitimate but isn’t. The purpose of the email is to get the user to perform an action they normally wouldn’t, such as installing malicious software or clicking on a link. Attackers use phishing emails to get users to enter personal information on fake websites that are made to look identical to legitimate banking or credit card sites. The user enters their username and password into the fake site and is redirected to the real bank site afterward. Now the attacker has collected that user’s bank login information.
Another reason attackers use phishing emails is to get the user to click on an attachment such as a PDF or Microsoft Word Document. The document is actually infected with malware that would give the attacker remote access to the user’s computer.
Detecting phishing emails can be difficult because most of them prey on our fears or curiosity. An email can appear to come from UPS with an update on the status of a delivery, or from a bank reporting a large withdrawal from the person’s account. These emails are sent to hundreds of thousands of people at the same time, so the likelihood that at least a few recipients really do have a package being delivered at that time, or an account at the bank named in the email, is quite high.
Another common tactic is around tax season to make the emails appear to come from the Internal Revenue Service (IRS). It may threaten that an impending levy is coming if the user doesn’t act now. The IRS NEVER emails taxpayers. They will send paper letters.
Examples of phishing emails
Here are some examples of phishing emails I have received. Some are very good and take a bit of time to detect. However, others are very poor attempts by an attacker to gain access to a system. There are 4 examples below that illustrate the psychology of the attacks. 2 emails pretend to be from UPS (United Parcel Service), one is from Bank of America, and the last is from JP Morgan Chase bank.
Let’s get started.
Bank of American Business (their spelling)
This email pretends to be from Bank of America. However, they misspell it to be Bankofamerican Business. That is the first red flag. The email references a piece of remittance advice that is included as an attachment. The attachment is a PDF file. However, the file is infected. Upon clicking it, the computer would become infected with malware.
The second red flag is the from address for the email. The label says Bankofamerican Business but the actual address is email@example.com – not a valid Bank of America address.
The email tries to assure you that they never ask for personal information via email.
UPS Phishing Email 1
This email pretends to be from UPS Quantum View. This is the correct name for UPS’ tracking system. But notice that the actual email address is firstname.lastname@example.org – this isn’t UPS. The email is trying to scare the user into believing their package has been delayed. If you were expecting a package at that time, you would open the attachment without thinking too much about it. The email also indicates the package is from Amazon, which for many people is a plausible source of a package.
This email also contains an attachment to get the user to open. This Microsoft Word document contains the infected payload.
UPS phishing email #2
This is the second UPS email. It also has a bogus from address (email@example.com) but the reason I included it is that it doesn’t use an attachment. This email has a malicious link in it: the shipment number (usually referred to as the tracking number) is the link. Clicking on this number takes the user to a bogus site that attempts to harvest user information. The weight is also listed in kilograms, which in the United States would be abnormal. If you’re in the US and see this, that is another red flag.
JP Morgan Chase
Our final example is from JP Morgan Chase bank. This one preys on your fear that a wire transfer in the amount of $2,750.78 has been withdrawn from your account. It was sent to Joseph Miller. This is a small enough amount not to be considered outlandish. That way, most people will likely freak out and assume this is some mistake and click the supplied link. Like the UPS email above, this email link goes to a bogus site that will attempt to capture personal information from the user.
The email’s return address is firstname.lastname@example.org – this is not a valid JP Morgan email address.
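The red flags called out across the four examples above (a display name that claims a brand while the actual address is on some other domain, a document attachment carrying the payload, a shipment number that is itself a link to another site, a weight quoted in kilograms) can all be checked mechanically from the raw message. The script below is an added example written for this article, not code from the original post. The brand-to-domain map, the list of risky attachment types and the three sample messages are assumptions constructed for illustration; a real deployment would feed it messages from a mailbox or gateway.

```python
import os
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed configuration (not from the article): brand words that appear in a
# display name, mapped to the domains a genuine message from that brand uses.
EXPECTED_DOMAINS = {
    "bank of america": {"bankofamerica.com"},
    "bankofamerican": {"bankofamerica.com"},
    "ups": {"ups.com"},
    "chase": {"chase.com", "jpmorgan.com"},
}
# Attachment types the examples above used to carry the payload, plus common extras.
RISKY_EXTENSIONS = {".pdf", ".doc", ".docx", ".docm", ".xls", ".xlsm", ".zip", ".js"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _in_domains(host, domains):
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def phishing_red_flags(raw_message):
    """Return the list of red flags found in one raw RFC 5322 message (empty = none)."""
    msg = message_from_string(raw_message, policy=policy.default)
    flags = []
    display, address = parseaddr(str(msg.get("From", "")))
    sender_domain = address.rpartition("@")[2].lower()
    trusted = {sender_domain}
    # Red flag 1: the display name claims a brand but the address is on another domain.
    for brand, domains in EXPECTED_DOMAINS.items():
        if re.search(r"\b" + re.escape(brand) + r"\b", display.lower()):
            trusted = domains
            if not _in_domains(sender_domain, domains):
                flags.append(f"sender: display name '{display}' but address domain '{sender_domain}'")
            break
    # Red flag 2: an attachment of a type that can carry a malicious payload.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name.lower())[1] in RISKY_EXTENSIONS:
            flags.append(f"attachment: '{name}'")
    # Red flag 3: a link outside the claimed brand's domains, or a bare
    # shipment/tracking number that is itself clickable.
    html = msg.get_body(preferencelist=("html",))
    if html is not None:
        collector = LinkCollector()
        collector.feed(html.get_content())
        for href, text in collector.links:
            host = urlparse(href).hostname
            if not _in_domains(host, trusted):
                flags.append(f"link: '{text}' points to '{host}'")
            if re.fullmatch(r"[A-Z0-9]{10,}", text):
                flags.append(f"link: shipment number '{text}' is clickable")
    # Red flag 4: weight quoted in kilograms, abnormal for a US recipient.
    plain = msg.get_body(preferencelist=("plain",))
    body_text = plain.get_content() if plain is not None else ""
    if re.search(r"\b\d+(?:\.\d+)?\s*(?:kg|kilograms?)\b", body_text, re.I):
        flags.append("body: weight given in kilograms")
    return flags


def sample_ups_email():
    """Constructed sample modelled on the second UPS message above; not a real email."""
    m = EmailMessage()
    m["From"] = "UPS Quantum View <email@example.com>"
    m["To"] = "recipient@example.org"
    m["Subject"] = "Your shipment has been delayed"
    m.set_content("Shipment TRACK0000123456 (weight 4.5 kg) has been delayed.")
    m.add_alternative('<p>Shipment <a href="http://tracking.example.net/t">TRACK0000123456</a> '
                      "(weight 4.5 kg) has been delayed.</p>", subtype="html")
    return m.as_string()


def sample_bank_email():
    """Constructed sample modelled on the Bankofamerican Business message above."""
    m = EmailMessage()
    m["From"] = "Bankofamerican Business <email@example.com>"
    m["To"] = "recipient@example.org"
    m["Subject"] = "Remittance advice"
    m.set_content("Please see the attached remittance advice. We never ask for personal information via email.")
    m.add_attachment(b"%PDF-1.4 constructed placeholder, not a real document",
                     maintype="application", subtype="pdf", filename="remittance_advice.pdf")
    return m.as_string()


def sample_benign_email():
    """Constructed ordinary message that should raise no flags."""
    m = EmailMessage()
    m["From"] = "Alice Example <alice@example.org>"
    m["To"] = "recipient@example.org"
    m["Subject"] = "Lunch"
    m.set_content("Are we still on for lunch on Thursday?")
    return m.as_string()


if __name__ == "__main__":
    for name, raw in (("UPS", sample_ups_email()), ("Bank", sample_bank_email()),
                      ("Benign", sample_benign_email())):
        print(name, phishing_red_flags(raw))
```

The checks are deliberately simple heuristics: a display name that claims a brand is only compared against the domains you configure for that brand, and the link test only looks at where an anchor actually points, which is exactly the detail the second UPS email relies on the reader not noticing. Treat a non-empty result as a reason to inspect the message, not as proof of phishing.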
These examples show how phishing can look to a victim. They are fairly easy to understand, and recognizing them as phishing is not difficult. However, some phishing emails look nearly identical to the real thing. How are users supposed to know the difference?
Thankfully, Google is here to help.
Google creates a quiz to help in detecting phishing emails
Google has created a very helpful quiz that you can use to test your own skills at detecting phishing emails. It is free and can be used over and over. It’s a good idea to have everyone on your staff go through it so that they can learn just how difficult it can be in detecting phishing emails.
The quiz is available here – Google Phishing Quiz
Go through the quiz and see how you do. It is a good tool for sharpening your skills at detecting phishing emails.