Over the last forty-eight hours I’ve had to deal with the fallout from a phishing scam, after users on our network were convinced by a fake email to give away their account username and password. Whatever most IT staff think, the people who fall for these scams aren’t stupid. They are often in a hurry, unaware of the risks they face, and the impact of getting it wrong. So rather than harangue those unfortunate users who fall for these scams, I decided to try to help them spot phishing attacks, using a real world example.
Who is it from?
The first thing you should look at is the ‘From:’ address. You can’t always trust a ‘From:’ address, it’s like the return address on an envelope, people can write what they want there and there’s no way to know it’s real. However, the fraudster has to put something in here, and unless it’s an address you recognise, assume it’s suspicious. Even if the email comes from address you know, ask yourself “Would I expect to receive an email about my user account from this person?” In this case, the email was from the Minnesota Judicial Branch, not someone I’d expect to be contacting me about my account as I work in a different country and sector.
Who is it to?
Any email from your IT department to you should be sent to a recognisable address, either your own individual address, or the address of an email group you are part of. Again, what you see in the ‘To:’ field isn’t always reliable, but it is another indicator. In this case, the recipient was firstname.lastname@example.org, nothing to do with the organisation I work for.
What is it about?
The subject line is the main ‘hook’ used to try to lure or intimidate people into clicking on the link in the email. They are trying to either trick you, or scare you, into believing you should follow any instructions in the body of the email. Look critically at this. Have you had emails like this before from your bank or your IT department about your account? If in doubt, contact the bank or IT Helpdesk and ask.
What do they say?
This is where the fraudsters, for all their technical skills, make mistakes which you can spot. In this case, there’s two things you should look for;
- Spelling and grammar errors. In the example above there are several odd capitalisations (Please Click Here to Validate your email). Look out for incorrect or unusual capitalisation of words, incorrect spelling of words, or phrases which indicate that the sender wasn’t writing in their first language.
- Lack of verifiable information in the email signature. The example above just signs off “System Administrator”. Is that how your IT department normally signs off their emails? Search your inbox or archives for the last couple of emails you had from IT. This is also a pointer for IT providers. Always ensure you put familiar, consistent and verifiable contact information in your emails so users know they are legitimate.
your IT department, email provider, bank should NEVER send you an email asking you to visit a website and verify, activate or reset your account
Just say ‘No’
Fundamentally, there is one thing which people often don’t realise; your IT department, email provide or bank should NEVER send you an email asking you to visit a website and verify, activate or reset your account. If a legitimate organisation wants to contact you about your account, they should ask you to visit their website, and the best bet is to use a bookmark to that site, or type the address of the website directly into the address bar of your web browser. If there’s anything suspicious about an email you’ve received, send it to your banks phishing reporting email address (most have one), or if it purports to be from your IT department about your user account, forward it to them and ask them to confirm if they sent it, or it’s false.
For more information to help you avoid phishing scams see the advice from the following (trusted) sources;