How to Check if an Email is Phishing?


Most people and small businesses have little in the way of phishing countermeasures. They must rely on wit and whatever meager technology their ISP or email hosting provider supplies. What separates targets from victims is often recognizing the difference between a real email and a scam.

Clues like content, metadata, and domain names, combined with a few tools and techniques, can help anyone get better at separating good emails from bad. A little practice will develop a scammer intuition and aid in recognizing and evaluating these phishing techniques:

  • Malicious Attachments
  • Malicious Links
  • Look-Alike Domains
  • Real Domains
  • Psychological “motivation”

Awareness of phishing techniques and of how phishing emails are crafted and weaponized adds another protective layer of defense. [There is a list of all the tools at the bottom of this article]

Detecting a Phishing Email

Detecting a phishing email is more or less picking up on the features all phishing emails have in common and the techniques used to get targets to interact with the email.

The red flags discussed in this article are clues and indicators something may be wrong. There is a difference between unwanted spam selling the next great skin cream and a phishing email meant to steal money but disguised as a sweet free vacation or enticing company salary spreadsheet.

A red flag should raise your alert level and motivate investigation, not paranoia.

Phishing Objectives

A phishing attack is a combination of psychological and technical techniques aimed at getting the target to unwittingly perform an action or engage with the malicious content. The primary objectives of any phishing campaign are one or both of the following:

  1. Some form of direct monetary fraud such as a wire transfer to an ostensibly legitimate bank account
  2. Initial foothold on the target company’s network after which the attacker will expand their access to meet mission objectives

Just like strong malware detection can still miss destructive malware, strong phishing countermeasures can still miss phishing emails bearing seeds of destruction. Knowing that no single layer of defense can thwart all attacks (not that all layers together can either), a strategy of defense in depth helps reduce the risk of a catastrophic phishing attack.

Phishing Email Components

When a phishing email slips through the preventative measures, people with a solid understanding of the red flags are a critical second layer of defense. Hackers and scammers only have so many components to work with when constructing a phishing email, and therein lie the clues indicating an email is phishing.

  • Metadata: This is the information on the “outside of the envelope”: To, From, Subject, etc. A hacker can manipulate some of it, but not most of it.
  • Content: Blank emails achieve nothing, so the scammer must create email text that convinces the target the email is important and worth considering.
  • Sending Domain(s): Every email has a sending domain. It’s unavoidable, so the scammer has to make it look as legitimate as possible.
  • Call to Action: This is the request to “go ahead and get that coupon,” click that link, download that file, send that money, etc. The Content and the Sending Domains work together to generate enough confidence and/or motivation in the target to do something.

Emails don’t exist without the first three components, but no phishing email can exist without manipulating them and including a Call to Action (99.99% of the time). It’s this manipulation and the Call to Action element that leave detectable clues.

There are a variety of techniques used within each component of the email, ranging from fear-of-missing-out to misspelled domains. When people catch on to one technique or another, the scammer can swap it out for something different; however, they can’t abandon or replace those four components.

Phishing Techniques to Watch Out For

When targeting a business, the current common phishing techniques to keep an eye out for are:

  • Malicious Attachments
  • Malicious Links
  • Look-Alike Domains
  • Real Domains
  • Psychological “motivation”

Response Note: For businesses there is a common response to apply to every potential phishing email (so it won’t be mentioned again):

  • Forward the suspected email to the company’s fraud/scam/phishing mailbox. If the company does not have such a mailbox, compel them to make one. This mailbox is a way for its “manager” to gain internal intelligence on phishing campaigns against the business and then share that intelligence with all the employees: an early warning and verification system of sorts.
  • Do not respond to the email; it only validates that someone is on the other end.
  • Do not forward the email to other employees’ inboxes (or other personal inboxes).

Malicious Attachments

Malicious attachments come in many forms, such as Word documents and Excel spreadsheets with evil macros, PDFs with embedded evil code, HTML applications, or anything else an attacker can stuff with code intent on theft.

When opened or downloaded, the files generally run some code in the background, either downloading additional malicious files (multi-stage malware) and/or spidering the computer for valuable data (password files, financial information, etc.).

The motives range from stealing some CPU time for mining bitcoin, to gathering unwitting targets into a botnet, to old-fashioned robbery of the person or business.

These files look innocent enough, and the motivation to download and open them, created by the attacker’s rhetorical skills and psychological know-how, should not be understated.

Red Flag: It’s a red flag if you don’t know and trust the sender and there is an attachment with a request to download or open the file. And don’t fall for familiarity tricks where the sender pretends to know you from a conference or some other previous meeting.

Investigation: If you don’t care, just delete the email. If you want to go a step further (maybe you do trust the sender to some degree or because you are curious) then examine the file for malicious code with one or more of the online file scanners available.

Malicious Links

Malicious links are similar to attachments but instead of immediately trying to run some malicious code on the target computer, the link takes the victim to a server or website under the hacker’s control or to a known vulnerable website, and then the remaining stages of the attack are executed.

Buttons are also links.

Red Flags: Alone, any one of these flags is minor but combined they become more serious.

  1. Any link in the email combined with psychological tactics to motivate action.
  2. URL shortener links. See Note on URL Shorteners below.
  3. Link going to a domain with a poor reputation.
  4. URL with redirects. See Note on URL Redirects below.
  5. Link that obviously downloads a file.

Investigation: There are multiple potential responses, but the primary principle here is to never trust a link.

  • A quick, non-clicky investigation of the URL is to hover the mouse pointer over the link for a visual inspection of the link destination.
  • Scan the link. Just as with file scanners, there are also URL scanners checking for malicious content.
  • If the sender is known, ask them via another form of communication if they sent it and what was sent.
  • Check the domain reputation of the link.

Note on URL Shorteners: Some links are created with URL shorteners to reduce the number of characters in the link. These are not always bad, but they do mask the intended target. For example, a URL shortener can change https://cloakncyber.com/are-mssps-worth-the-cost/ to https://bit.ly/3vrZeSX (nothing wrong there), or it can do something more ominous, like changing an evil link that downloads a file via a URL containing a cross-site scripting attack

https://site-vulnerable-to-XSS.com/index.php%3Fname%3D%3Cscript%3Ewindow.onload%20%3D%20function%28%29%20%7Bvar%20link%3Ddocument.getElementsByTagName%28%22a%22%29%3Blink%5B0%5D.href%3D%22http%3A%2F%2Fnot-real-xssattackexamples.com%2F%22%3B%7D%3C%2Fscript%3E

to a shorter URL where the “hover mouse over link” technique won’t work.

https://bit.ly/3Mbuz24

Note on URL Redirects: Redirects happen all the time. Redirects aren’t bad in and of themselves; however, they do get used to bring a target from one place to another. For instance, the URL can go to a website’s page that is harmless except for the small bit of attacker-injected code that redirects the target to a domain more under the attacker’s control.

There are tools available to trace these redirects before the link gets clicked and see where you’d end up.
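The hover check, the shortener flag and the file-download flag above can be automated over an HTML email body. The following is an added example, not code from the article: the sample body and the short list of shortener hosts are constructed for the demonstration (the bit.ly link is the harmless one quoted above).

```python
# Added example (not from the article): flag three link red flags in an HTML email body:
# shorteners, visible text whose domain differs from the href (what hovering reveals), file downloads.
from html.parser import HTMLParser
from urllib.parse import urlparse

SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}  # constructed, partial list
DOWNLOAD_EXTENSIONS = (".exe", ".zip", ".js", ".hta", ".iso", ".scr", ".docm", ".xlsm")

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Lower-cased host of a URL; tolerates bare 'www.example.com' link text."""
    url = url if "://" in url else "http://" + url
    return (urlparse(url).hostname or "").lower()

def flag_links(html_body):
    """Return (href, reason) findings for every suspicious link in the body."""
    parser = LinkExtractor()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        host = host_of(href)
        if host in SHORTENERS:
            findings.append((href, "URL shortener hides the real destination"))
        if text.startswith(("http", "www.")) and host_of(text) != host:
            findings.append((href, f"text shows {host_of(text)} but link goes to {host}"))
        if urlparse(href).path.lower().endswith(DOWNLOAD_EXTENSIONS):
            findings.append((href, "link downloads a file"))
    return findings

# Constructed sample body: one shortener, one mismatched link, one file download.
SAMPLE = ('<a href="https://bit.ly/3vrZeSX">View invoice</a><a href="http://login.example.net/">'
          'https://portal.example.com/</a><a href="https://files.example.org/invoice.zip">Download</a>')
```

Running flag_links(SAMPLE) reports all three constructed links; a plain link whose text matches its destination produces no finding.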

Look-alike Domain

All emails need a sending and receiving domain – the part to the right of the “@” symbol in an email address (bob@company.com). Attackers will purchase various types of phony domains that look almost indistinguishable from the company’s domain but use hard-to-detect misspellings:

  • Extra letters: pp, ll, etc.
  • Replacement letters: Zero “0” in place of capital “O”: G00GLE.COM. Uppercase “I” in place of lowercase “l”: googIe.com. Or any other number/letter swap that makes visual sense.
  • “Invalid” letters: Cyrillic letters that look like English letters. They look the same to humans but are not encoded the same. This is also called an IDN homograph attack.

The attacker will then build email servers (and possibly websites) or other attack servers associated with the alternative domain. Emails are then sent from that domain, often with links to that domain, that appear legitimate.

Look-alike domain example: The company domain is email@bankoftheunitedstates.com and the phony domain is email@bankoftheuniitedstates.com (notice the extra “i”?). The attacker sends emails to targets from the look-alike domain, such as it@bankoftheuniitedstates.com, instructing them to “download this file” or “follow this link”.

Other types of look-alike domains use the same “domain” but a different TLD. The attacker purchases company.net/org/biz in place of company.com and then performs the same kind of “trust” attack as the other types of look-alike domain phishing emails.
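The look-alike tricks above (extra letters, number/letter swaps, Cyrillic homographs, TLD swaps) can be checked mechanically by comparing a sender domain against the trusted company domain. This is an added example, not code from the article; the swap table, the edit-distance threshold and the verdict labels are my own choices, and the domains tested are the article's examples plus constructed ones.

```python
# Added example (not from the article): grade a sender domain against a trusted company
# domain for the look-alike tricks above (extra letters, number/letter swaps, Cyrillic
# homographs, TLD swaps). Swap table, threshold and labels are my own choices.
import re
import unicodedata

# Glyph pairs a scammer swaps in; applied to both sides so the look-alike collapses onto the original.
SWAPS = (("0", "o"), ("1", "l"), ("i", "l"), ("rn", "m"), ("vv", "w"), ("cl", "d"))

def normalize(label):
    """Undo visual swaps and squash doubled letters (uniited -> united, g00gle -> gogle)."""
    for fake, real in SWAPS:
        label = label.replace(fake, real)
    return re.sub(r"(.)\1+", r"\1", label)

def levenshtein(a, b):
    """Classic edit distance; domain labels are short, so the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def homograph_chars(domain):
    """Unicode names of non-ASCII code points, e.g. 'CYRILLIC SMALL LETTER O' in a fake google.com."""
    return sorted({unicodedata.name(c, "UNKNOWN") for c in domain if ord(c) > 127})

def classify(candidate, trusted):
    """Return a short verdict describing how the candidate relates to the trusted domain."""
    candidate, trusted = candidate.lower().strip("."), trusted.lower().strip(".")
    if candidate == trusted:
        return "same domain"
    chars = homograph_chars(candidate)
    if chars or "xn--" in candidate:  # raw non-ASCII or already punycode-encoded label
        return "look-alike: IDN homograph (" + (", ".join(chars) or "punycode label") + ")"
    name_c, _, tld_c = candidate.rpartition(".")  # assumes a single-label TLD (.com, not .co.uk)
    name_t, _, tld_t = trusted.rpartition(".")
    if normalize(name_c) == normalize(name_t):
        if tld_c != tld_t:
            return f"look-alike: same name, different TLD (.{tld_c} vs .{tld_t})"
        return "look-alike: letter swap or extra letters"
    if levenshtein(name_c, name_t) <= 2:
        return "look-alike: near-miss spelling"
    return "unrelated"
```

classify("bankoftheuniitedstates.com", "bankoftheunitedstates.com") and classify("googIe.com", "google.com") both come back as letter-swap look-alikes, while company.net against company.com is reported as a TLD swap.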

Registering domains like this is a form of domain squatting, and there are premium services monitoring for this activity, but that won’t do anyone any good with the email already in the inbox.

Red Flag: Getting an email with a misspelled domain in the From: line masquerading as the real McCoy is a major red flag. Detecting this element in the phishing email is a matter of attention to detail, but even still, the email will have an attachment or link (or some other call to action) trying to get the reader to do something. In the case of the file and URL, there are the scanners already mentioned.

Investigation: Double-check domain spellings and investigate any links using the methods and tools mentioned above.

Real Domain

These domains are not fake, alternative look-alike domains trying to fool the target into thinking they are interacting with someone from their own company. These domains are real, are under total control of the attacker, and often have real websites and false personas to back them up.

A prime example, and one similar to phishing campaigns that ran through the pandemic, is a domain like stopcovid.com. The domain is built up like any other legitimate domain (for example with SPF, DKIM, and DMARC) to create an air of authenticity. Then phishing emails are sent out enticing targets to open a file, click a donate button, or just go to the website (the website has the call to action).

Attackers often go to great lengths to build real email infrastructure and good-enough-looking sites to pass initial inspection.

Red Flag: Beyond the attachment and link red flags already mentioned, a little more investigation needs to happen to find any red flags.

Investigation: Search for reviews of the website, especially if the site asks for money in the form of charitable donations. Use the Wayback Machine (an internet archive of sorts) to see how long the domain has been around and if anything phishy stands out.

When in doubt… ignore.

Psychological Motivation

A phishing email will attempt to use all sorts of psychological tricks to get someone to interact with the content. There is a call to action so well crafted the target can’t help but do something. The bag of tricks is massive, but a few with tremendous ability to motivate people to act are:

  • Fear of authority: the play is to convince the target the sender of the email can do them some kind of harm (usually reputational or career, but sometimes physical) if they don’t engage.
  • Law of reciprocation: the play is to convince the target they just received something of value and then let the target “decide on their own” to engage.
  • Fear of missing out: the play is to convince the target if they don’t engage, they will miss out on an amazing deal or opportunity.
  • Desire to help: the play is to appeal to most people’s innate desire to help, so pleading and well-spun sob stories abound in an effort to get the target to engage.
  • Plain old curiosity: the play is that some people just can’t help themselves if a mystery is before them. This is similar to FOMO, but sometimes people just want to know more, so the attacker gives just enough bread to make them hungry enough to engage.

Red Flag(s): One or more of these tricks present in an email is a red flag. The severity of the “redness” goes up when these tricks exist in an email that has presented other red flags from other techniques.

Investigation: There is not much to add here beyond what’s already said. If the sender is playing as someone the target knows, the only real course of investigative action is to contact the real person over an alternative form of communication and sort things out.

Conclusion

More red flags raise the chance that the email is a phishing email. Of course, nothing is foolproof. Even if someone has these down cold, opening an email in the middle of a bad day can bypass anyone’s intuition and training.

Phishing is no joke. It has shuttered the doors of many a small business that didn’t take the threat seriously enough. Having a better feel for how phishing works and how phishing emails read turns a victim into a capable defender.


Scanners and Tools

File Scanner: Check out VirusTotal, a file, URL, and domain scanner.

URL Scanner: Check out Is It Hacked and Online Link Scan.

Domain Reputation Checker: Try IP Void domain rep checker and Talos.

URL Redirect Tracer: Try Where it Goes.
