5 Signs of a Phishing Email and How to Put a Stop to Phishing Attacks
What is a Phishing Email?
Phishing emails are a form of social engineering attack, typically used to steal personal information such as passwords and credit card numbers, or coerce a victim into performing an action that benefits the attacker. These emails appear to come from a trusted company or sender, but they actually originate from cybercriminals.
Phishing is when an attacker imitates a trusted person or brand to steal sensitive information or gain a foothold in a company's network. It is a severe cyber threat used in a majority of cyber attacks against organizations. Phishing emails are a common form of phishing, but these attacks can also be carried out through text messages, social media, phone calls, or other means.
In most cases, the objective of an attacker who sends phishing emails is to get recipients to click a link or open an email attachment that deploys malware. Phishing links often redirect to a fake login page that looks like a legitimate website. When a victim enters their real login information, the attacker receives a copy of those credentials.
When attackers use infected email attachments, those attachments install the malware directly on the user’s device. Malware can silently collect data and keystrokes and send this information to the attacker. This allows the attacker to gain a persistent hold on a device, and if it belongs to a corporate network, can allow them to connect to other corporate systems and carry out additional attacks.
Anatomy of a Phishing Email: 5 Signs of a Phishing Email
Phishing emails are designed to trick victims into believing they are real communications. However, these are actually fake communications with malicious content. Since the objective is to trick victims, threat actors generally strive to craft legitimate-looking emails. However, there are various degrees of sophistication to these emails and ways to identify them.
Here are common characteristics of phishing emails:
1. Sender’s Address
Phishing emails often attempt to impersonate legitimate brands, using real logos and other aids to craft believable emails. While threat actors can steal logos and even clone real emails fairly easily, creating a legitimate-looking sender’s address is more difficult. Threat actors use spoofing techniques to create fake, legitimate-looking sender addresses.
Here are common spoofing techniques:
Email spoofing — The actor creates fake email addresses that look similar to the legitimate brand’s email address. They exploit the fact that the sender’s name is visible while the email address is often hidden, especially on mobile applications. For example, the visible alias might be “Amazon Cart” while the hidden email is “[email protected].”
Cousin domain — The actor makes the sender’s address look identical to the legitimate brand’s email address but actually obfuscates it. The threat actor might add or subtract a letter from the legitimate email address or add an extension like .co or .global. For example, “[email protected].”
Domain spoofing — The actor uses the legitimate domain as the sender’s address, such as arnaazon.com. Thanks to the sender policy framework (SPF) and domain keys identified email (DKIM), domain spoofing is declining. SPF and DKIM can identify unauthorized domain name usage and block emails with domain spoofing.
2. Subject Line and Tone
Phishing emails are like marketing emails in that they both try to prompt the user into action. The objective of a phishing email is to trick users into opening the email and then clicking on a malicious link or attachment that downloads malware, or clicking on a link that directs the user to input sensitive information, or reply to the email with financial information.
A phishing email archives its objective by impersonating legitimate brands and authoritative institutions like banks and credit card companies. The email’s subject line typically includes a subject line that piques the user’s interest or raises the alarm. It is crafted to lead the user to think not opening the email might disrupt work operations.
Here are common subject lines:
New login detected
Suspicious activity detected
Please update your information
3. Grammar and Spelling Errors
Not all phishing emails are as sophisticated as those crafted and sent by professional marketers working for legitimate brands. Marketing professionals typically use spell checkers or some other form of review before sending out emails, which is why their emails are free of spelling and grammatical errors. Phishing emails, on the other, may and often contain grammar and spelling errors.
Phishing emails often include malicious attachments, which is why email filters typically scan for known phishing URLs in the body of the email. You can also use sandboxing to quarantine and investigate the email before delivering it to users.
However, threat actors have already figured out ways to get around these defenses — by burying the malicious URL inside the attachment, usually a PDF or Word doc. They craft the content of the email in a way that alerts the user it includes an invoice or an otherwise important document that requires their approval or review.
Phishing emails often contain links that direct users to a web page impersonating a real brand. The URL is typically hidden behind anchor text that includes calls to action (CTA) such as “View here,” “Sign in,” “Click here,” “Update account settings,” or “Preview document.” Users can hover over the anchor text to reveal the phishing URL.
To avoid detection, threat actors often obfuscate phishing URLs using the following techniques:
URL shorteners — Obfuscate URLs by creating abbreviated versions that shorten the link. Threat actors often use popular tools like Bit.ly and TinyURL, which are often used by marketers, to trick users that look for suspicious URLs and email filters that look for known signatures.
URL redirects — Threat actors use “time-bombing,” a technique that enables them to use legitimate URLs within the email and create redirects to phishing web pages after the email has already bypassed scanners and has been successfully delivered.
Text-based image obfuscation — This technique delivers an image-only email that serves as a link. The body of the email looks like text to the user, but it is actually a clickable image hosted on a website. It is a common technique in sextortion emails.
Scanners looking for malicious links often overlook these links if the email includes additional, legitimate links to real web pages. Research indicates that phishing emails that include legitimate links succeed in fooling users as well as filters, especially when the email includes several legitimate links. Links to helpful resources, like support email addresses, also increase the likelihood of users perceiving it as legitimate.
How to Stop Phishing Emails
Phishing attacks pose a serious threat to corporate cybersecurity because they are designed to exploit weaknesses of personnel, rather than vulnerabilities in software or infrastructure. The solution lies in making employees aware of the risk of phishing, and providing technology solutions that can help employees identify and prevent attacks:
Security awareness training — Phishing emails are designed to trick employees into taking specific actions. To mitigate the threat, employees must be trained to recognize phishing attempts and respond appropriately. However, the organization must recognize that the average employee, even if trained, will not be able to recognize and prevent all phishing attacks.
Email filtering — A software solution that can detect common phishing techniques such as malicious links, misleading email addresses similar to known addresses, and emails coming from known bad domains or IPs. Email filtering solutions can identify phishing emails based on these warning signals and prevent them from reaching the intended recipient's inbox.
Scanning for malicious attachments — Malicious attachments are a common means of delivering malware via email. Organizations can detect and block the spread of this malware by scanning for malicious attachments and evaluating them in a sandbox environment.
DLP Solutions — Some phishing attacks are designed to steal sensitive information from organizations through email. For example, attackers can ask the recipient to attach sensitive data and send it back. Data loss prevention (DLP) solutions help detect and stop these data leak events.
Anti-phishing solutions — Dedicated anti-phishing solutions integrate many of these protections with other anti-phishing features, such as scanning the content of emails for language that suggests a phishing attack, and querying DNS and authentication protocols to identify attempts at forging email sender or source.