6 Examples of Phishing and How to Identify Them

What is Phishing

Social engineering is when an attacker tricks a person into taking an action the attacker wants. A well-known type of social engineering attack is phishing. Phishing is most commonly associated with email, but it can also be done through text messages and instant messages. During a phishing attack, the attacker uses one of these mediums to trick the victim into clicking a malicious link, opening a malicious attachment, or providing sensitive information.


Why Phishing

The goal of phishing varies from broad, shotgun attacks that widely distribute malware to targeted attacks that obtain specific information. Malicious links, attachments, and sites attempt to install malware that is meant to do some harm to you or your company. Malware often aims to collect personal information, interrupt computer operation, or gain access to a computer or network. Attackers may also be after very specific information or actions. For example, they may perform an attack that dupes a new home buyer into wire transferring funds on the day of closing, knowing the parties involved and the date and time of closing.

  1. The Lookalike

One common factor in most successful phishing emails is trust. If an attacker can establish trust with the recipient, the likelihood that the recipient performs the desired action increases significantly.

Establishing trust is easy if the attacker can look like something the recipient already trusts, for example Amazon. Almost everyone knows Amazon and has an account, so it's easy to establish trust quickly with an Amazon lookalike email and trick the recipient into providing their password or confirming their credit card information.

Two Best Practices to Identify a Lookalike Phishing Email

  1. Check the actual sender to confirm the sender is who you expect it to be (in this case Amazon).
  2. Hover over links in the email to confirm they are going where you expect.

Be aware that attackers are becoming more sophisticated and improving their craft. While some links are easy to spot as fishy, others are cleverly disguised. For example, by replacing the 'o' in Amazon with a zero (Amaz0n), or with a similar-looking character, the attacker can count on a recipient missing the slight change.
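As an added illustration of those two checks (not code from the original post), the following Python folds common lookalike characters back to the letters they imitate, compares the domain shown in a link's text with the domain the link actually points at, and reports the red flags it finds. The substitution table and the sample addresses are constructed for this example, and the domain parsing assumes a single-label suffix such as .com.

```python
import re
from urllib.parse import urlparse

# Character swaps commonly used in lookalike domains (constructed table, not exhaustive).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "rn": "m", "vv": "w"}

def normalize(label):
    """Fold lookalike characters back to the letters they imitate: amaz0n -> amazon."""
    label = label.lower()
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label

def registered_domain(host):
    """Second-level label of a host name; assumes a single-label suffix such as .com."""
    parts = host.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def is_lookalike(host, trusted_brand):
    """True when the host is not the brand's own domain but reads as the brand once normalized."""
    label = registered_domain(host)
    return label != trusted_brand and trusted_brand in normalize(label)

def link_mismatch(anchor_text, href):
    """The 'hover' check: the visible text names one domain, the href points at another."""
    shown = re.search(r"([a-z0-9-]+\.)+[a-z]{2,}", anchor_text.lower())
    if not shown:
        return False
    return registered_domain(shown.group(0)) != registered_domain(urlparse(href).hostname or "")

def red_flags(sender, links, trusted_brand="amazon"):
    """Apply both checks to a sender address and a list of (anchor text, href) pairs."""
    flags = []
    sender_host = sender.rsplit("@", 1)[-1]
    if is_lookalike(sender_host, trusted_brand):
        flags.append(f"sender domain {sender_host} imitates {trusted_brand}")
    for text, href in links:
        host = urlparse(href).hostname or ""
        if is_lookalike(host, trusted_brand):
            flags.append(f"link target {host} imitates {trusted_brand}")
        if link_mismatch(text, href):
            flags.append(f"link text {text!r} actually points to {host}")
    return flags
```

Running `red_flags("security@amaz0n.com", [("https://www.amazon.com/account", "https://amaz0n-verify.com/login")])` on the constructed sample returns three flags: the sender domain, the link target, and the mismatch between the link's text and its destination.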


Simulate a Phishing Attack on Your Employees with a Free Trial of Wuvavi. No credit card required.

  2. The Internal Request

Like the lookalike, the Internal phish relies on trust. "Internal" does not describe the sender, since phishing emails typically come from attackers outside the organization. Rather, it describes the character the attacker is playing. By posing as an IT manager or HR director, an attacker can quickly gain your trust and encourage dangerous behavior. A common Internal email is a request from the IT manager to reset a password.

Two Best Practices to Identify The Internal Phishing Email

  1. Raise employee awareness of the information security policy. Employees should know that no one in the company will ever ask for their password, and that the IT department will never require a password to resolve a support ticket.
  2. Call the sender to confirm the email and its intent. The company most likely has an extension for each employee, so you can quickly contact the sender and confirm that they actually sent the request.

3. Government Threats

Government threats rely on fear rather than trust. Even if the victim is innocent, a call or email from the government makes the heart beat faster. Passing a police officer while driving down the highway at the speed limit still causes a brake tap, two checks of the speedometer, and three checks of the rearview mirror; an email from the FBI or IRS does the same. This can be extremely effective by phone, as described in this article about a franchise employee sending thousands of dollars in gift cards to pay for supposed illegal activity by the owner. It's also effective by email. A common attack has the attacker impersonating the IRS and demanding swift action from the recipient.

Both the fear and the apparent legitimacy of this attack increase when it is used during tax season.

Two Best Practices to Identify The Government Phishing Email

  1. In addition to fear, attackers create a sense of urgency by establishing a timeline. In the example below, the recipient cannot receive their tax refund until they verify their information. In the phone attack linked above, the attacker created urgency by calling near closing time and threatened the victim by suggesting they would be charged if they did not comply the same evening.
  2. Common sense is key. Asking why the government would need this information, would contact you by email, or would request a gift card for payment helps put these scary situations into perspective and leads to better decisions. Cybersecurity awareness training helps employees identify these red flags.

  4. Wire Transfer Fraud

Wire transfer fraud is increasing in the home buying process. It's the perfect storm: home buyers are excited, multiple parties are involved, there are deadlines, and large amounts of money are being transferred. Attackers rely on trust, fear, and time constraints to pull off these attacks.

The attacker can easily create a free email account with a name similar to the title company's or mortgage lender's, and request that the buyer make a wire transfer to a new account immediately or risk a delay in closing.

Sender: MortageLender@free-email.com

Receiver: Home Buyer

Message: Hello please the escrow just emailed me that you need to send the funds via wire, They dont want to accept check due to a check check issues they just had, You will need to go to your bank to send the wire tomorrow so they can receive the funds before the closing, Please get back to me now so i can send you the wire information.

Two Best Practices to Identify The Wire Fraud Phishing Email

  1. Raise employee awareness of the information security policy. Employees and buyers should be aware that no one in the company will ever use a free email account.
  2. Call the sender to confirm the email and the wire transfer details. A manual two-factor process of this kind ensures the email was sent by a trusted person and that the account information is correct. Note: do not use the phone number provided in the email. Rather, use a trusted phone number that has already been used to reach the sender.


  5. The Spear Phishing Attack

Spear phishing is another email attack that relies on trust. As opposed to a normal phishing email that is sent to many recipients, a spear phishing email is targeted at a specific individual. Typically these attackers are looking to steal confidential information.

One common spear phishing attack targets the CFO. Most CFOs know that the CEO has a busy schedule and may require funds to support business travel. An attacker can take advantage of the CEO/CFO relationship by impersonating the CEO and requesting a wire transfer for a reasonable sum while the CEO is traveling out of the country. The CFO is likely to trust the request and make the transfer.

Two Best Practices to Identify Spear Phishing Email

  1. Raise cybersecurity awareness with the leadership team. Training leaders to be aware of the increased risk and sophistication of attacks targeting their position will help them identify these phishing emails.
  2. Call the sender to confirm the email and the wire transfer details. A manual two-factor process of this kind ensures the email was sent by a trusted person.


  6. The Spoofing Attack

Spoofing is an attack in which the attacker impersonates a user or device to obtain information or gain access to an account, network, etc. Spoofing can be targeted; for example, wire transfer fraud attacks might use spoofing so that the buyer thinks the malicious wire request is actually coming from a trusted source.

Spoofing attacks can also be used for much wider destruction. For example, attackers targeted Gmail users with the goal of accessing each user's entire email history. Their code would then spread itself to all of the user's contacts.

The Gmail user would see a link to share a document. When they clicked the link, it took them to a genuine Google page asking them to grant permission to the attacker's fake app.

Two Best Practices to Identify Spoofing Email

  1. If you are not expecting something, do not open attachments, click links, or share information.
  2. Call the sender to confirm the email and any wire transfer details. A manual two-factor process of this kind ensures the email was sent by a trusted person.

7. The Sob Story

The Sob Story often preys on the elderly and on unsophisticated users. It might take the form of a Nigerian prince moving his riches, or a sick widow on her deathbed. In the example below I've highlighted the warning signs. Again, most email users would recognize this right away, but elderly folks and unsophisticated users are more susceptible to believing the story.

The example below starts by saying she's a widow, her husband was killed, and she's on her deathbed, all to gain the target's trust and sympathy. The criminal then says they have a large sum of money that they can share.

What happens from here? If I had to guess, a response to this email would lead to multiple email exchanges over time in which the criminal tries to build a relationship with the victim. The goal would be to increase trust and build a friendship. Then, all of a sudden, the doctor would have a miraculous cure for her sickness, but she can't access her money, so she would need her new friend to send a few thousand, which she'd pay back as soon as she gets out of the hospital.

Two Best Practices to Identify a Sob Story:

  1. If an email shares intimate information that would not normally be shared with a stranger, it's a red flag.
  2. If an email comes from someone you don't know, in a place where you have no connections, it's a red flag.

Identifying Phishing Emails

One of the biggest challenges with phishing emails, and social engineering in general, is that technology doesn't provide a perfect fix. The common denominator in all of these attacks is people. Attackers play on trust and fear to manipulate people into taking actions that put them at risk. The risk goes beyond the individual: employee actions leave organizations vulnerable too.

There's a common saying that employees are the biggest threat to information security. However, employees can be taught how to recognize phishing emails and keep personal, company, and customer information safe. Untrained employees may be one of the biggest threats to information security, while well-trained employees are the best and last line of defense.

The threat of phishing is increasing in both frequency and sophistication, and the trend shows no sign of slowing. Preparing organizations, leadership, and employees to identify red flags and mitigate risks is an important step toward creating a culture of cybersecurity awareness.

Wuvavi allows you to simulate phishing attacks on your employees. Try the free trial today. No credit card required.

About Me

Jon Santavy is the CEO of Wuvavi (www.wuvavi.com), the world's leading employee cybersecurity awareness platform for small and medium-sized businesses. Through innovative training, simulated phishing attacks, and the right analytics, Wuvavi customers reduce their employee-related cybersecurity risks and create a culture of awareness in their organization.