This post was most recently updated on September 13th, 2022
In today’s digital world, email has become the most common way to communicate, for everyone from small businesses to large companies. It is a convenient way to send important information to customers or staff members, but it carries many risks. One of the most common online threats faced by email users all over the world is phishing. Phishing is a social engineering attack, mostly carried out through email, in which the attackers disguise themselves as someone you trust and whose links you would open: a friend, the CEO of a company, your bank, or anyone else you might trust without question. Having assumed that identity, they send you emails containing malicious links with a call to action.
For example, an attacker might pose as a trusted member of staff such as the head of security and ask employees to click a link to reset their password, or to do anything else that gives the attacker an opportunity to steal sensitive information.
According to recent reports, security leaders have seen a 25% increase in the number of successful phishing emails. Even with several layers of security measures in place, many of these malicious emails still end up in users’ inboxes. And they are surprisingly easy to create. “All an attacker has to do is clone the source code behind a webpage, and redirect you to that page. They can then steal any credentials you put in there”, says Rajvardhan Oak, an expert in cybersecurity and a researcher at UC Berkeley. Oak has developed a toolkit that organisations can use to conduct phishing training free of cost. Last month he presented a tutorial on using this toolkit at the NSF Cybersecurity Summit held in San Diego, discussing in detail the anatomy of a phishing attack, the strategies attackers use, and how to spot them.
No matter how much security is tightened, some of these emails, along with other spam, will always find their way into users’ inboxes. Spreading awareness of phishing among the people who receive it is therefore essential to stopping such attacks. Companies handling sensitive data are at the highest risk from phishing. They should make sure that all of their users and staff members know how to identify these attacks and how to report them. Periodic training, including simulated phishing campaigns run by the company itself, helps employees recognise attacks and raises awareness. Such training is necessary to make sure that staff don’t fall prey to phishing, saving them and the company from identity theft and data loss.
So how do you recognise a phishing email? “Pay close attention to the email address; oftentimes it will come from a personal email and not an official email address”, says Oak. “Additionally, some words may be intentionally misspelt to avoid detection”.
As a leading researcher in cyber security, he has closely studied phishing and machine-learning-based evasion techniques. His recent work published at the CCS conference also shows how easily even non-experts can evade hate speech detection. “The same principles still apply for evading phishing emails; adversarial perturbations can throw off email classifiers”, Oak adds.
Types of phishing attacks you should be aware of
Phishing has developed into many sophisticated tactics. The attack keeps evolving as digital technology advances, and keeps finding new weaknesses to exploit.
Here are some of the most widespread phishing attacks:
Email Phishing: This is the most well-known form of phishing. It attempts to steal sensitive data via email appearing to come from a legitimate company.
Malware Phishing: This attack uses the same techniques used in email phishing and encourages victims to click a link or download an attachment so that malware can be installed.
Spear Phishing: While most phishing attacks are broad-based, spear phishing is highly targeted and well-researched. It focuses on business executives and other high-value targets.
SMS Phishing (smishing): This sends malicious short links via SMS to smartphone users. The messages are often disguised as account notices, prize notifications or political messages.
Along with these, there are many more phishing tactics that have been causing major problems worldwide, such as vishing (phishing by phone call), pharming (redirecting victims to a fake site, typically through DNS poisoning), clone phishing, BEC (business email compromise) and many more.
Ways to detect phishing
1. Legitimate organisations will not send email from an address ending in ‘@gmail.com’. Apart from some small businesses, most organisations have their own email domain and company accounts. Google’s own email, for example, comes from addresses ending in “@google.com”.
So the message is more likely to be legitimate if the domain name (the part following the @ symbol) matches the organisation the sender claims to be. Check the actual address rather than the display name next to it: the display name is free text that the sender chooses.
2. Another clue is hidden in the domain name itself, and it is a strong indicator of a phishing scam. Unfortunately, it complicates the previous clue.
The problem is that anyone can purchase a domain name through a registrar. Although every domain name must be unique, there are many ways to create an address that is hard to distinguish from the one being spoofed: swapping a letter for a look-alike digit or character (a contrived “g00gle.com”), adding or dropping a letter, or putting the genuine name in front of an unrelated domain (as in “google.com.login-portal.example”, where the real domain is “login-portal.example”).
3. Poor spelling and grammar are often indicators of an email scam. Many will tell you that these errors are part of a deliberate “filtering system” in which cybercriminals weed out all but the least attentive targets.
The thinking is that someone who doesn’t notice the message’s sloppy formatting is also less likely to spot the other clues in the scammer’s scheme.
4. Scammers know that many of us procrastinate. We get an email with important information and decide to deal with it later. The longer you think about something, however, the more likely you are to notice what isn’t right.
Perhaps you realise that the organisation doesn’t contact you at that email address, or that a colleague never sent you any documents.
“Many scams ask you to act quickly or it will be too late. This is evident in all of the examples we have seen; a sense of urgency or extreme emergency. So tread lightly when an email or text message conveys an extreme urgency – always speak to the other person and confirm who they are.” Oak advises. So be careful what you click – and don’t get phished!