That Email Isn’t From Santa
Phishing is always a relevant topic of concern in the cybersecurity realm. During the holiday season, when people are buying gifts online and getting advertising and promotional emails on a more frequent basis, we must be even more vigilant.
For those of you who don’t quite know what phishing is, check out our introductory article on the topic, A Primer on Phishing and How to Guard Against It. In that article, we explained what phishing is and provided a glimpse at some of the forms that phishing can take. Of the many variations, those taking the form of malicious emails are the most common. So how do you differentiate phishing emails from legitimate messages, especially when they are convincing enough to dupe hundreds of people?
Often, phishing attempts are fairly easy to spot. Even if the messages aren’t sent from someone purporting to be a Nigerian prince in need of a nice person to send a wonderful gift to, there are often some very obvious signs that the messages are part of a scam. If the message is full of spelling and grammar errors, the language the message is written in is probably foreign to whoever wrote it. While you might expect this from a foreign pen-pal or international work partners, it is probably a good sign that the message isn’t actually from Uncle Bob who’s in dire need of some spare cash for a Christmas gift for his daughter. Which leads us to our next big red flag: a highly time-sensitive issue coupled with a direct request for personal information or bank data. These messages are designed to trigger a sense of urgency strong enough that you reply before you have time to think about how suspicious they are. Lines like “your account will be suspended unless…” or “within the hour, I need…” should make you stop dead in your tracks and check the message for other signs that something isn’t right.
Just like there are plenty of elves in Santa’s workshop, there are plenty of emails that pass through your inbox on a daily basis. And while it is easy to spot a reindeer trying to act like an elf, spotting a fake elf that actually looks, moves, works, and talks like a real elf can be far more difficult. So, what if the message in question isn’t blatantly suspicious? What tiny red flags can you look for when there aren’t any huge ones flapping in the frigid North Pole wind? Here’s a list of things to watch out for from the address-line down.
Spoofed Display Names
One of the easiest, and therefore one of the most common, tactics that cybercriminals use when crafting a phishing email is to set the display name of the sending account to one you expect to see in your inbox. It might be the name of a newsletter you subscribe to, a website where you do a lot of online shopping, or good ole Uncle Bob from earlier. But while the name in bold may say Uncle Bob, the email address the message was actually sent from, <email@example.com>, definitely doesn’t belong to Christmas-loving Uncle Bob, who would never dare utter the words “bah humbug.” Many mail clients, especially on phones, show only the display name by default, so tap or expand the sender to reveal the address behind it. Similarly, check whether that newsletter full of links to holiday sales at your favorite store actually came from the address you usually get it from. One caveat: a matching address is reassuring but not proof. The From line is just text the sender writes, and unless the receiving mail server enforces the sending domain’s anti-spoofing policy (SPF and DMARC), a determined attacker can forge it outright. Treat the address as one check among several, not a verdict.
Close-but-Not-Quite Domain Names
To step up the authenticity of their messages, phishers will often register a domain name very similar to the real one they are trying to impersonate. Look for minor spelling differences (a doubled letter, a digit standing in for a letter), small changes like “firstname.lastname@example.org” when it should be “email@example.com,” and odd domain extensions like reindeer.net, reindeer.web, or reindeer.io when you would expect reindeer.com. Read the domain from the right: the part that matters is the last two labels before the end (reindeer.com), so an address at reindeer.com.holiday-deals.net belongs to holiday-deals.net, no matter how prominently the familiar name appears in front of it.
Messages Sent to the Wrong Account
When you frequently operate with multiple email accounts, it can be easy to forget which inbox you’re in at any given time. But any time you get a new message, take a moment to ensure that the account it was sent to makes sense. For instance, if you generally use one specific email address for creating accounts on social media and ecommerce sites, any messages from those sites should be going to that inbox, not the inbox of the account you use exclusively for communicating with family or running your home business. If you do get such an email on one of those accounts, it might be a sign that the email address for that account has made its way onto a list on some dark-web forum.
One last thing to look at before moving on to the body of a message is the list of recipients. Smart cybercriminals will send phishing messages out to individual recipients or as blind-carbon-copies (BCC) to a list of targets. Every now and again, though, they will slip up and carbon-copy (CC) all of the targets to the same message. If there is a massive list of emails that you don’t recognize in the CC section of the message, it probably isn’t from a legitimate source. Also, if the message is supposedly a targeted email from your boss but looks like it is carbon-copied to the entire company, there is a good chance that something isn’t quite right.
If everything in the address-line checks out, the next thing to look at is the formatting of the message itself. Most big companies spend a lot of time and money making sure their messages feature eye-catching and professional-looking formatting. If the message sitting in your inbox says it is from one of these big companies, but has sloppy formatting or formatting that is just different from all of the other messages you get from the company, it’s probably a fake. Similarly, if the message is supposedly from your grandma who can make a mean eggnog but barely even knows how to turn the computer on, it probably shouldn’t have custom fonts or embedded hyperlinks. Basically, if it feels like the message is from someone else, it probably is.
Vague Salutations or Odd References
If the message starts out with a vague “Dear Valued Customer,” you can probably toss it in the trash. Most legitimate businesses have automated systems in place that include your actual name when sending you a message. Also, if the email is supposed to be from a coworker, friend, or family member, but they never refer to you or anyone else by name, assume that something isn’t right. Vague pronouns and references to events or information that you have never heard about should trigger the warning lights in your brain.
Casual/Routine-Sounding Requests for Information
It’s easy to smell something phishy when an email urgently demands account information or banking data. But just because a message doesn’t have an underlying sense of urgency doesn’t mean it’s legitimate. No legitimate, respectful business should ever ask you to share account credentials, banking data, or personally identifiable information over email. If the message provides a link to an account sign-on page, skip the link and go to the sign-on page the way you normally do, by typing the address or using a bookmark you already had. And if it’s a casual or routine-sounding request from a family member or coworker, contact them to verify it, preferably over the phone or in a fresh email to an address you already have on file, not by replying and not by using any phone number or address supplied in the suspicious message itself. If they really do need the information, hand it over by phone or in person rather than by email.
Unsolicited or Out-of-Place Messages
Sometimes a message just doesn’t feel right. Listen to that feeling. If it’s an email allegedly from a family member and it is written like you haven’t talked in weeks and asks you for money, but you just talked to them on the phone yesterday and they were doing fine, it’s probably a scam. If you get a message from your boss asking you to open an attachment and fill out some documentation because the timeline on an important business deal got moved up, but you know that this stuff is usually handled off-line or by someone else, call your boss to find out what’s going on. Any annoyance you might cause them is going to be far less than if you fall victim to a phishing scheme and put the company at risk in the process.
Hyperlinks Hidden in Fake Links
This is a huge one, and where a lot of people fall victim to these scams. Just because the highlighted text looks like the link it says it is doesn’t mean it can’t lead somewhere else: the visible text of a link and its actual destination are two separate things, and the sender controls both. Take this for example: www.facebook.com/missionmultiplier. It looks like a link to our Facebook page, right? Now hover over the link and see what pops up at the bottom of your screen. That “link” actually takes you to our LinkedIn page. (Where you should, of course, go and follow us.) Phishers love to use this same tactic because people fall for it so easily. Any time you see a link in a message, hover over it (on a phone, press and hold rather than tap) and make sure the destination shown matches what you see in the body of the message, paying particular attention to the domain name. Two caveats: a shortened or redirecting link tells you nothing about where it finally lands, and some legitimate marketing emails route every link through a tracking domain, so a mismatch is a reason to stop, not a certainty of fraud. When in doubt, don’t click at all; type the address you expected into your browser yourself.
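The hover check above is exactly a comparison between the text a link displays and the host its href actually points to, and it can be automated over an HTML message body. The following is an added example in Python, not code from the original article or from Mission Multiplier; the HTML snippet is constructed to mirror the Facebook-versus-LinkedIn example in the text, and the host comparison uses a deliberately simple two-label notion of a site (facebook.com, linkedin.com) that does not handle suffixes like co.uk.

```python
"""Flag links whose visible text looks like a URL but whose href points at
a different site.  Added example; the HTML sample is constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Visible text that a reader would take for a web address.
URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.IGNORECASE)


def looks_like_url(text):
    """True if the anchor text reads as a URL or bare domain (not 'Click here')."""
    return URL_LIKE.fullmatch(text.strip()) is not None


def host_of(url):
    """Hostname of a URL; bare 'www.example.com/path' is accepted too."""
    url = url.strip()
    if "://" not in url:
        url = "http://" + url
    return urlsplit(url).hostname or ""


def site_of(host):
    """Crude site name: last two labels (www.facebook.com -> facebook.com).
    Assumption for the example; real code would consult the public suffix list."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:])


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def mismatched_links(html):
    """Return [(shown_text, real_href)] where the text names one site and the
    href goes to another.  Links with non-URL text ('Click here') are skipped;
    those still need a manual hover, since nothing in the text can be checked."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for href, text in parser.links:
        if not looks_like_url(text):
            continue
        if site_of(host_of(text)) != site_of(host_of(href)):
            findings.append((text, href))
    return findings


# Constructed sample body: the first link shows Facebook but goes to LinkedIn,
# the second is honest, the third has text that cannot be checked this way.
SAMPLE_HTML = """
<p>Find us at
<a href="https://www.linkedin.com/company/missionmultiplier">www.facebook.com/missionmultiplier</a>
or <a href="https://www.facebook.com/missionmultiplier">www.facebook.com/missionmultiplier</a>.
Trouble signing in? <a href="https://reindeer-support.example/login">Click here</a>.</p>
"""

if __name__ == "__main__":
    for shown, real in mismatched_links(SAMPLE_HTML):
        print(f"text says {shown!r} but the link goes to {real!r}")
```

Only links whose text reads as an address can be caught by comparison; “Click here” and button images carry no claim to compare against, which is why the hover habit still matters even with a filter like this in front of you.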
Odd Signatures or None at All
One last thing to look for is the signature of the message. Just like the formatting, companies normally carefully craft the signatures of their messages and keep them consistent for all of the messages that serve the same purpose. If the signature of the message doesn’t match what you usually see or there is no signature when there should be, be hesitant about trusting the message. It is a subtle difference, but a difference nonetheless.
Phishing is out there. If you haven’t already, you will probably be targeted in the near future. But if you keep all of these tips in mind, you will be far less likely to take the bait and become a victim. As always, if you, your organization or company, or someone you know would like more information on the topic above or our company, please do not hesitate to reach out to Mission Multiplier at firstname.lastname@example.org.