Email Phishing
Email phishing is a common cyber attack designed to trick individuals into disclosing personal information or transferring money to the perpetrator. Cybercriminals use social engineering to disguise the spam email as legitimate. These social engineering techniques generate panic and fear and prompt the user to take action.
Types of email phishing:
- Traditional Phishing—A general phishing technique not targeted at a specific individual or organization
- Spear Phishing—Phishing directed at specific individuals, positions, or organizations
- Whaling—A specific kind of spear phishing that targets high-profile subjects, such as executives, government officials, etc.
- CEO Fraud—A cybercriminal will act as a CEO or authority figure of a business to gather confidential information or payments from employees
- Pharming—Uses the Domain Name System (DNS) to modify or tamper with a host’s website URL so that individuals are redirected to a fake site
- Content-Injection Phishing—Malicious code is inserted into a website that guides users to enter confidential information, which is then received by the perpetrator
- Man-in-the-Middle Phishing—Phishing in which cybercriminals extract information as it is entered into a website
How to Spot a Phishing Email:
Links
Any group of words in an email can be turned into a link to a website. Cybercriminals use this to make link text that appears legitimate while the actual destination is a different address than the text suggests.
Things to look for:
- Shortened, unfamiliar, or odd URLs
- URLs containing a slightly changed domain name
  - Example: rightname.com vs. rlghtname.com (notice the lowercase “L” in place of the “I”)
- Double check to make sure a link leads to its apparent destination
  - Before clicking on a link or image in an email, hover over it with your cursor to see whether the actual URL matches the displayed URL
  - To check a link destination, you can also copy the link and paste it somewhere else to see whether it matches the displayed link
Spelling & Grammar
If an email has blatant spelling or grammatical errors, it could be a phishing email. Professional companies and organizations have writing and editing staff who prevent mass emails from being sent out with obvious mistakes.
Things to look for:
- The email doesn’t make complete sense
- Capitalization errors
- Misspelled words
- Bad grammar
Formatting
If an email is from a reputable company, it will more than likely contain graphics, a logo, a personal greeting, and a digital signature, all in an easy-to-read format. Cybercriminals often imitate popular companies to gain users’ trust.
Things to look for:
- Off or incorrect logos
- Fuzzy pictures or graphics
- A generic or informal greeting
- Lack of a digital signature and/or contact information
Sender Information
One quick way to recognize a phishing email is by evaluating the sender name and email address.
Things to look for:
- An unrecognized sender name
- An unofficial or unrecognized email address
- The sender’s email address doesn’t match the company → reputable companies do not use Gmail, AOL, Yahoo, etc. An email from a legitimate company will come from an address containing the company name: ____@company.com
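As an added example (not from the original page), the following Python applies the link and sender checks described above to a constructed message: it flags a sender on a free-mail domain, a link whose visible text names a different host than its real href, and a link host that differs from the trusted brand domain only by confusable characters. The brand domain rightname.com, the sample email, and the confusable-character map are assumptions made for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse
# Constructed sample (not from the original page): display name and visible link
# text claim rightname.com, but the From: domain and the real href do not.
SAMPLE_EMAIL = """From: Rightname Support <rightname.support@gmail.com>
Subject: Urgent: verify your account
Content-Type: text/html

<html><body>
<p>Respond now or your account will be closed:
<a href="http://rlghtname.com/login">https://rightname.com/login</a></p>
<p><a href="https://rightname.com/help">Help center</a></p>
</body></html>
"""

FREEMAIL = {"gmail.com", "yahoo.com", "aol.com", "hotmail.com", "outlook.com"}
# Glyphs commonly swapped for look-alikes (assumed list), folded to one canonical letter.
CONFUSABLE = {"l": "i", "1": "i", "|": "i", "0": "o", "rn": "m", "vv": "w"}
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
LOOKS_LIKE_URL = re.compile(r"^(https?://|www\.)", re.I)

def skeleton(domain):
    """Fold confusable characters so rlghtname.com and rightname.com compare equal."""
    d = domain.lower()
    for bad, good in CONFUSABLE.items():
        d = d.replace(bad, good)
    return d

def host(url):
    """Lower-cased host part of a URL ('' if there is none)."""
    return (urlparse(url).hostname or "").lower()

def phishing_indicators(raw, brand_domain):
    """Return indicators found in a raw RFC 5322 message; brand_domain is the assumed trusted domain."""
    msg = message_from_string(raw)
    findings = []
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    if sender_domain in FREEMAIL:
        findings.append(f"sender uses free-mail domain {sender_domain}")
    for href, text in ANCHOR.findall(msg.get_payload()):
        shown, real = re.sub(r"<[^>]+>", "", text).strip(), host(href)
        if LOOKS_LIKE_URL.match(shown) and host(shown) != real:
            findings.append(f"link text shows {host(shown)} but points to {real}")
        if real != brand_domain and skeleton(real) == skeleton(brand_domain):
            findings.append(f"link host {real} looks like {brand_domain}")
    return findings
```

Running `phishing_indicators(SAMPLE_EMAIL, "rightname.com")` yields three findings for the sample, while a message sent from rightname.com whose link text and href agree yields none.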
Threats or Urgent Messages
Cybercriminals use social engineering techniques like threats and urgent messages to provoke a quick response from individuals. One thing to note is that legitimate companies and organizations will never ask for confidential information over email.
Things to look for:
- Threats that security has been compromised
- Requests to “click here”
  - To verify information
  - For a password update or check
  - To enter personal information
  - To claim a prize
- Urgent actions required
  - “Or your account will be closed”
  - “If you fail to respond…”
- Security alerts
- Urgent messages to claim prizes
  - “You have won!”
  - “Congratulations!”
Attachments
Cybercriminals try to entice users to open attachments in order to deliver malware. One type of malware that can be delivered through attachments is ransomware, which you can read more about here.
Things to look for:
- Unfamiliar or unlabeled attachments
- A prompt to enable macros in order to view the attached document
Requests for Personal Information
Legitimate organizations will never ask for personal information over email. Be wary of emails that request confidential information such as:
- Mother’s maiden name
- Credit card numbers
- Bank account information
- Date of birth
- Social security number
- Login credentials
Phishing email examples from UC Berkeley:
Simply wanna say that this is very helpful. Thanks for taking your time to write this.
I think this is some of the most vital information for me.
And I am glad reading your article. But wanna remark on some general things: the website style
is great, the articles are really excellent :D. Good job, cheers
Hi there! I simply would like to give you a big thumbs up for the great
information you have here on this post. I’ll be returning to your
blog for more soon.
It’s difficult to find experienced people on this subject, but
you seem like you know what you’re talking about! Thanks