5 Signs of a Phishing Email and How to Put a Stop to Phishing Attacks

Anatomy of a Phishing Email: 5 Signs of a Phishing Email

Phishing emails are designed to trick victims into believing they are real communications. However, these are actually fake communications with malicious content. Since the objective is to trick victims, threat actors generally strive to craft legitimate-looking emails. However, there are various degrees of sophistication to these emails and ways to identify them.

Here are common characteristics of phishing emails:

1. Sender’s Address

Phishing emails often attempt to impersonate legitimate brands, using real logos and other aids to craft believable emails. While threat actors can steal logos and even clone real emails fairly easily, creating a legitimate-looking sender’s address is more difficult. Threat actors use spoofing techniques to create fake, legitimate-looking sender addresses.

Here are common spoofing techniques:

• Email spoofing — The actor creates fake email addresses that look similar to the legitimate brand’s email address. They exploit the fact that the sender’s name is visible while the email address is often hidden, especially on mobile applications. For example, the visible alias might be “Amazon Cart” while the hidden email is “[email protected].”

• Cousin domain — The actor makes the sender’s address look identical to the legitimate brand’s email address but actually obfuscates it. The threat actor might add or subtract a letter from the legitimate email address or add an extension like .co or .global. For example, “[email protected].”

• Domain spoofing — The actor uses the legitimate domain as the sender’s address, such as arnaazon.com. Thanks to the sender policy framework (SPF) and domain keys identified email (DKIM), domain spoofing is declining. SPF and DKIM can identify unauthorized domain name usage and block emails with domain spoofing.

2. Subject Line and Tone

Phishing emails are like marketing emails in that they both try to prompt the user into action. The objective of a phishing email is to trick users into opening the email and then clicking on a malicious link or attachment that downloads malware, or clicking on a link that directs the user to input sensitive information, or reply to the email with financial information.

A phishing email archives its objective by impersonating legitimate brands and authoritative institutions like banks and credit card companies. The email’s subject line typically includes a subject line that piques the user’s interest or raises the alarm. It is crafted to lead the user to think not opening the email might disrupt work operations.

Here are common subject lines:

• New login detected

• Account suspended

• Suspicious activity detected

• Security alert

• Please update your information

3. Grammar and Spelling Errors

Not all phishing emails are as sophisticated as those crafted and sent by professional marketers working for legitimate brands. Marketing professionals typically use spell checkers or some other form of review before sending out emails, which is why their emails are free of spelling and grammatical errors. Phishing emails, on the other, may and often contain grammar and spelling errors.

4. Attachments

Phishing emails often include malicious attachments, which is why email filters typically scan for known phishing URLs in the body of the email. You can also use sandboxing to quarantine and investigate the email before delivering it to users.

However, threat actors have already figured out ways to get around these defenses — by burying the malicious URL inside the attachment, usually a PDF or Word doc. They craft the content of the email in a way that alerts the user it includes an invoice or an otherwise important document that requires their approval or review.

5. Links

Phishing emails often contain links that direct users to a web page impersonating a real brand. The URL is typically hidden behind anchor text that includes calls to action (CTA) such as “View here,” “Sign in,” “Click here,” “Update account settings,” or “Preview document.” Users can hover over the anchor text to reveal the phishing URL.

To avoid detection, threat actors often obfuscate phishing URLs using the following techniques:

• URL shorteners — Obfuscate URLs by creating abbreviated versions that shorten the link. Threat actors often use popular tools like Bit.ly and TinyURL, which are often used by marketers, to trick users that look for suspicious URLs and email filters that look for known signatures.

• URL redirects — Threat actors use “time-bombing,” a technique that enables them to use legitimate URLs within the email and create redirects to phishing web pages after the email has already bypassed scanners and has been successfully delivered.

• Text-based image obfuscation — This technique delivers an image-only email that serves as a link. The body of the email looks like text to the user, but it is actually a clickable image hosted on a website. It is a common technique in sextortion emails.

Scanners looking for malicious links often overlook these links if the email includes additional, legitimate links to real web pages. Research indicates that phishing emails that include legitimate links succeed in fooling users as well as filters, especially when the email includes several legitimate links. Links to helpful resources, like support email addresses, also increase the likelihood of users perceiving it as legitimate.

How to Stop Phishing Emails

Phishing attacks pose a serious threat to corporate cybersecurity because they are designed to exploit weaknesses of personnel, rather than vulnerabilities in software or infrastructure. The solution lies in making employees aware of the risk of phishing, and providing technology solutions that can help employees identify and prevent attacks:

• Security awareness training — Phishing emails are designed to trick employees into taking specific actions. To mitigate the threat, employees must be trained to recognize phishing attempts and respond appropriately. However, the organization must recognize that the average employee, even if trained, will not be able to recognize and prevent all phishing attacks.

• Email filtering — A software solution that can detect common phishing techniques such as malicious links, misleading email addresses similar to known addresses, and emails coming from known bad domains or IPs. Email filtering solutions can identify phishing emails based on these warning signals and prevent them from reaching the intended recipient's inbox.

• Scanning for malicious attachments — Malicious attachments are a common means of delivering malware via email. Organizations can detect and block the spread of this malware by scanning for malicious attachments and evaluating them in a sandbox environment.

• DLP Solutions — Some phishing attacks are designed to steal sensitive information from organizations through email. For example, attackers can ask the recipient to attach sensitive data and send it back. Data loss prevention (DLP) solutions help detect and stop these data leak events.

• Anti-phishing solutions — Dedicated anti-phishing solutions integrate many of these protections with other anti-phishing features, such as scanning the content of emails for language that suggests a phishing attack, and querying DNS and authentication protocols to identify attempts at forging email sender or source.