Steve McGregory
Ixia Senior Director, Application and Threat Intelligence

Email Phishing - How to Detect and Avoid Falling Victim

October 4, 2017 by Steve McGregory

Email phishing is the act of sending an email that attempts to fool the recipient into believing it is from a trusted source in order to gain something from them. What's to gain? Credit card numbers, usernames and passwords, or other sensitive information that can further the attacker's devious activities. The people who run phishing campaigns have become very good at the practice, and this makes detection and avoidance much more challenging. Below are some best practices to follow in order to detect and avoid getting hooked in an email phishing attack.

Every Email is Suspect

To start, we must begin with a posture where we suspect that every email could be malicious. I try to avoid clicking links within an email. If it is something I'm interested in, I will go to the website through my browser without clicking a link in the email; otherwise I delete the email. The material in the email should also be accessible through the company's website. Also, the age-old adage "if it sounds too good to be true, then it probably is" is a reliable guide.

The Hover Technique

Links within the email should point to the website of the company the email claims to be from. If an email is from Wells Fargo, then I expect the links to also point to Wells Fargo. To inspect a link, move your mouse cursor over it (hover, but do not click), and the URL behind that link will appear either in the status bar or in a pop-up. In web browsers, the information is usually displayed in the status bar at the bottom of the window. If the email is from Wells Fargo, then I'd expect something like "http://host.wellsfargo.com/...". Here's hover in action; the yellow highlighted part is what we inspect to know that the link is pointing where we expect.

Hover Technique Screenshot


The most important part is the company name plus its top-level domain (the "wellsfargo.com" just before the first slash); the rest will be specific to where that link will take you on the Wells Fargo website. If you see something like "http://host.wellsfargo.trustme.ru/...", then the domain portion is not part of Wells Fargo but rather some website under a Russian domain. It could also have been "http://host.wellsfargo.trustme.com/...", and it still is most likely not from Wells Fargo, since Wells Fargo hosts at "wellsfargo.com".

There's a limitation to this technique on tablets and mobile phones: you tap a link with your finger, so you cannot simply hover over it. On a tablet, you must hold your finger down on the link until a pop-up appears asking what you would like to do with it. Part of the pop-up will display the link's URL, and this will help you determine the validity of the email and link.
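The hover check above can be automated for a whole message body. The following is an added example, not code from the original post: it pulls every link out of a constructed HTML email, compares the link's registered domain (company name plus top-level domain, as the post describes) with the domain the email claims to come from, and also flags anchor text that names a different domain than the one the link really points to. The two-label "registered domain" rule is a simplification assumed here; it covers the .com and .ru cases in the post but not suffixes such as .co.uk.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

def registered_domain(host):
    """Last two labels of a hostname: 'host.wellsfargo.trustme.ru' -> 'trustme.ru'.
    Simplification: no public-suffix list, so 'bank.co.uk' would reduce to 'co.uk'."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def link_host(url):
    """Hostname part of a URL; urlsplit strips scheme, port, path and query."""
    return (urlsplit(url).hostname or "").lower()

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> tag, as hovering reveals them."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_links(html, expected_domain):
    """Return (href, text, verdict) per link; 'ok' only when the link's registered
    domain is the sender's and the visible text does not name a different one."""
    parser = LinkCollector()
    parser.feed(html)
    expected, out = registered_domain(expected_domain), []
    for href, text in parser.links:
        actual, problems = registered_domain(link_host(href)), []
        if actual != expected:
            problems.append("link goes to " + actual + ", not " + expected)
        # anchor text like 'www.wellsfargo.com' that a reader would take for the destination
        if "." in text and " " not in text:
            shown = registered_domain(link_host("http://" + text.split("://")[-1]))
            if shown != actual:
                problems.append("text shows " + shown + " but link goes to " + actual)
        out.append((href, text, "; ".join(problems) or "ok"))
    return out

# Constructed sample message body (not a real email) using the post's three URL shapes
SAMPLE = """<p>Please <a href="http://host.wellsfargo.trustme.ru/login">sign in</a> to verify your
account, or read <a href="https://www.wellsfargo.com/help/">our help page</a>.
Visit <a href="http://host.wellsfargo.trustme.com/">www.wellsfargo.com</a> for details.</p>"""
```

Running `check_links(SAMPLE, "wellsfargo.com")` marks only the help-page link "ok"; the other two are flagged as leaving wellsfargo.com, and the third is additionally flagged because its visible text names a domain the link does not go to.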

Verify with the Sender

If you are at all suspicious about an email, you should do everything you can to verify its authenticity. If it is from a friend, then email or call them and ask if they sent it. This technique is not fool-proof, as many times the person's account has been compromised and email filters could be deleting your message before they see it. If you don't get an email response, you should call, as they would benefit from knowing their account has been compromised.

Other Signs of Phishing

Often these emails will have visible issues, like spelling or grammatical errors. They will try to get you to provide sensitive information, and this is the clearest sign. At no time should anyone initiate a request asking you for your login, credit card, social security number, or other sensitive information. I cannot remember a time when a company or my friends asked me for such information through an email, or through a link I clicked after getting an email. Even when a friend is sharing a photo or file with you, the sharing services do not request your login or ask you to create an account; they should provide you with read access without you submitting any information.

I Got Hooked, What Should I Do?

The first thing to do is remediate the problem: change your passwords and do whatever is needed to stop the abuse currently being done to you. Do not feel ashamed; it has happened to most of us, and that includes me. To remediate, you will need to find out the scale of the compromise: have they stolen a username and password, a credit card number, or other information? Once you know what they have, go to the site and change that information, or get a replacement credit card. If others can be impacted, such as by an email phishing campaign that has sent emails in your name to others, then you also need to warn all of your contacts to try to stop the spread. Report the event to the appropriate authorities, your bank, your service provider, or your antivirus vendor who may have missed the attack. Finally, look at what kind of security defenses you have in place and why they didn't help. If you don't have security defenses in place, now is a great time to start building them up to help you prevent this kind of event in the future.

What About "Unsubscribe" Links

Unless you are absolutely certain the email is coming from a reputable business, don't click. Add the sender to your email reader's spam blocker, delete the email, and go on about your day. Many times, the "Unsubscribe" link will only result in you getting more spam. What happens is that by clicking the "Unsubscribe" link you have just validated that your email address is alive, and they can sell it to more spammers. I wish it wasn't like this, but it is, and knowing so will help you in the long run. Knowledge is power...