Cybersecurity can be an endless game of cat and mouse, and attackers are constantly looking for ways into your organization. While major Internet and software providers, including the open source community, are constantly improving security technology, a notable area of risk remains human: phishing. According to the 2021 Verizon Data Breach Investigations Report, phishing has remained among the top three most common components in data breaches since 2015 and reached the number one spot in 2019.

2020 DBIR Graphic

2020 DBIR Graphic

Based on  the phishing simulation and training engagements we perform here at Carve, as well as wider industry insights, we’ve identified four primary ways to identify a phish.

Tone and Context

Unlike other forms of hacking, phishing seeks to attack human vulnerabilities via emotions. The primary methods of achieving this are playing on a person’s curiosity, anxiety, and/or creating a sense of urgency.

Example phish with varying tone

Most phishing emails, like the examples above, also share the fact that they’re unsolicited. While there’s no way to completely shield yourself from unsolicited emails, legitimate or not, analyzing an email’s tone and context are good starting points in identifying a malicious email.

The Sender’s Information

For more concrete evidence of a phish, one of the first places you can look is in the sender’s email. Make sure the sender’s display name and email match. A few other things to ask yourself here are:

  1. Is this email from someone you know?
  2. Look closely. Do you recognize the sender’s email address, or is it a lookalike of a well-known site? 

Content

The next set of red flags can be found in the content of the email. Often, when attackers want to deploy a phish, they’ll cast their net wide, sending the same templated email out to multiple people to maximize their chances of success. This results in emails that are, more often than not, generically addressed (e.g. “Hello valued customer,” “Dear Sir/Madam,” “Hi,” etc.) and/or grammatically incorrect.

Usage of generic greetings with typos and grammatical issues

Do note – this isn’t a conclusive indicator of a phish, but it should raise your suspicions as to the authenticity of the email.

Links and attachments

Links and attachments are among the primary exploitation mechanisms of a phish, which attackers can use to disguise malicious code designed to exploit your systems, harvest your credentials, and more. Should you find yourself looking at a suspicious link, you can view the underlying link by doing things like right-clicking and inspecting the Hypertext Reference (href) URL, or on mobile, long-pressing the link to see the URL in full. When in doubt, you can always ask your IT department as well.

Take, for example, the following email I received recently:

Example suspicious email

As we previously covered, the sender’s address should immediately draw attention as it certainly isn’t Geico. On a web browser, if we right-click the link (1.) and navigate to Inspect (2.), we can see the underlying href (3.) which confirms our suspicions that this link isn’t what it seems.

Inspection of a suspicious link

On mobile devices, you can achieve the same effect by long-pressing the link to see a full preview, as shown below. But, if you find yourself already suspicious of an email, it is best to leave it alone altogether.

Inspection of a suspicious link on mobile devices

Malicious attachments, on the other hand, can take the form of several different kinds of attachments, ranging from the more suspicious .exe files to the seemingly harmless .pdf and even .png. Generally, it’s best to stop and make sure the file is something you’re expecting before touching it.

Tying it all together

While checking for these indicators is by no means a foolproof method of identifying every phish, it will help build you a baseline awareness of phishing for yourself and your organization. Keep in mind, we’re all human and we make mistakes. If you happen to fall for a phish, the best thing you can do at that point is immediately notify your IT department. In summary, check out the table below:

Potential Phishing IndicatorsQuick Tips
Email Tone and Context– Be cautious if an email creates a sense of urgency/panic
– Curiosity alone is dangerous.
– Proceed carefully for unsolicited messages
——————————-————————————————————
Sender Information– Check the sender name and address carefully
– Is it someone you know?
– When in doubt, directly contact the sender/department
——————————-————————————————————
Email Content– Watch for excessive grammar/spelling issues
– Generically addressed emails are also cause for concern
——————————-————————————————————
Links and Attachments– Always check a link’s full URL before clicking it
– Right-click and inspect, or long-press a link to preview
– Report the email to IT for further investigation

This is part one of a blog series meant to teach you as an individual how to protect yourself and your organization from phishing attacks. Stay tuned for part two, and if you have any questions or would like to take your organization’s phishing security further, please reach out to us at: info@carvesystems.com.