I recently received an email that I knew was a fishing email after five seconds of inspection. It wasn’t anything flashy that gave it away, just a slew of telltale signs that it wasn’t an authentic message, but some malicious correspondence meant to take advantage of a less informed individual. It can be broken down into a number of steps that show just how quickly you can identify a scam email.
Looking at the who, what, and why of the message makes things quick for us. Modern business people generally read a subject line and who a message is from in order to determine how important a message is. I use MS Outlook as my email client, so here is what I see when I preview an email in my inbox.
Check the email address. It says it is from a support address from what would supposedly be my e-mail service provider. To the right of this is the actual address it came from. .JP? That is from Japan. I know that we do not use a Japanese company for email needs, so that is red flag number one. The fact that the two addresses are different also raises a red flag. Why on earth would any company want to confuse customers? They want to be clear and concise and make sure you know who is talking to you. This discrepancy should be alarming to anyone.
Trying to spook me
The body of the message is where you might be tricked this is a real email. First you have the big red banner, which is there to grab your attention. “Email Security Alert!?!” OH NO! From the subject and address of this email already have me weary of it, but if you skipped that, you might be worried now. The body then goes on to tell me that someone tried to access my email account. The second paragraph delivers the true threat though.
“For your account security, we strongly recommend that you verify your account now, else your account will be blocked without further notice”
There is the call to action, verify the account or lose it. A link is provided just below this text to help you. Hovering, NOT CLICKING, the link reveals it goes to some other address with nothing to do with email or support. This is most likely a page made to look like a service page, but it takes your info which is used to then steal your identity or financial information. I never clicked because I do not want to find out what it is.
The final paragraph raises another red flag for me.
“After verification, extra security features will be activated in your email settings and your account will be strongly protected.”
Think of it this way. If you click our suspicious link, we will then, and only then, make sure no one steals your account from you. What kind of service provider will only protect your information AFTER it is threatened? The fact that the email caps itself off with a note stating this is from the “Email Security Team” is the icing on the cake. There is so much here to be suspicious of, but let’s recap the quick list of the big ones.
- Email address does not match the “true” email address of the sender
- Email is from a Japanese address, which I know my company does not work with anyone located in Japan (.jp address in email)
- Call to action provides link that is very suspicious and not located at a URL similar to either email address of the sender
- Odd business practice of only protecting customers after they are threatened
- Multiple instances of trying to scare me into action with headers and “sources”
Who would fall for this?
The big take away here isn’t how to protect yourself from phishing attacks, it is how phishers get the less knowledgeable people. The main vector of attack is not the chief privacy officer, someone in IT, or CISSP. Phishers want to get the customer service person who has little technical knowledge, someone in accounting who just deals with numbers and the books, not security, or a lower level employee. They go after the elderly or less technically savvy to get their financial information because they do not know they are being attacked.
Awareness of these sorts of attacks is key in combating them. Privacy pros are not going to fall victim to phishing, but their family, friends, and colleagues may. Don’t let them take the bait, teach them how to detect rotten, smelly, phish.