How to Identify Phishing Scams and Protect Against Them

Phishing scams are a very common technique used by identity thieves to trick you into giving them your sensitive personal or financial information. Thieves will often impersonate actual companies like credit card companies, banks or online resources such as PayPal or Dropbox. It is a challenge to recognize what is real and what isn’t but there are a few things you can do to make yourself/your organization less susceptible to this type of scam.

Traditional Approach

Before we discuss a non-traditional approach, here are a few quick tips you and your users should be aware of to avoid falling prey to a phishing attack.

Be Familiar with Common Phishing Language

Phishing emails or texts will attempt to tell a story to trick you into clicking a link. Some common themes phishers use include:

• They will ask you to “Verify your account”
• There will be spelling errors (Figure 1)
• They will request your login credentials or sensitive information
• The links will reveal a different URL than the impersonated company when you hover over it (Figure 5)
• They will mention an ‘Invoice attached’ but instead of an attachment there is only a link
• They will mention your account is ‘running out of space’ (Figure 2)
• They will pressure for a sense of urgency (Figure 2, 4)
• There are mentions of ‘compromised account’ warnings
  • In this situation, go directly to the company and not through any links in the email
• The email doesn’t address you directly (Figure 3)
• The sender email does not match the account name (Figure 4)
• They only reference your first name instead of your full name

Below are some examples of typical phishing e-mails:

Do Not Click Suspicious Links

These phishing emails or texts often look like they’re from a trusted company that you’ve been involved with before. You should be extra suspicious of any emails requesting money or account information from ‘trusted entities’ like your bank or credit card provider.

• If an email has a suspicious link, do not click it – try navigating to the site directly instead
• Links will often imitate a legitimate entity like Dropbox and ask you for credentials

Verify That a Website Is Legitimate by Checking its Authentication

• Some phishers will attempt to emulate the landing page of a legitimate company in an attempt to have you pass your credentials into it
• Check the site certificate – if the site has a padlock near the URL, click on it and make sure that the name of the organization that applied for the padlock matches

A Non-Traditional Approach to Phishing

One effective approach to strengthening your users’ phishing defense is actually… by phishing them yourself! Setting up an internal phishing campaign has been shown to be very effective in raising awareness about phishing emails and serves as a more effective training tool.

With this approach, your users will see what a phishing email actually looks like and your admins will get valuable insight into which areas of your organization need the most attention. This non-traditional approach has several additional benefits to traditional training exercises which typically highlight my earlier points around phishing language and structure etc.

Keys to a Successful Internal Phishing Campaign:

There are a few key things you will need to accomplish for a successful internal phishing campaign:

1. Convince the C-Suite – You will need buy-in from the business
2. Establish a baseline – You will want to establish unbiased baselines for your user performance in order to evaluate progress
3. Educate Employees – Once you establish that baseline you should use that information to educate/motivate your employees to do better

Convincing the C-Suite

This approach is far from traditional and might be a tough sell to your C-level decision-makers who you will need buy-in from.

One of the big hurdles when getting buy-in from the business is convincing them that it’s worth the time and money. This exercise is inexpensive and does not require any additional staffing, the results via monthly reports on company progress will speak for themselves.

There are a number of 3^rd party platforms that are moving into this space as well for smaller organizations, who may be lacking in technical resources to carry out the campaign themselves. Some examples are Sophos Phish Threat which we are implementing here at STEALTHbits and Cofense PhishMe which is free for small businesses.

Establish a Baseline

You will want to establish unbiased baselines for your user performance in order to accurately evaluate progress.

• You will need an unbiased baseline of how your employees interact with phishing emails to get the best results and be able to gauge progress.
• Keep the plan a secret from your employees until you establish a baseline. (Obviously, you still need to have the plan approved by upper management)
• By keeping the plan under wraps, you will be able to establish a realistic baseline of where your user’s current status and then more accurately measure improvement.
• The baseline should be made up of the following metrics:
  • Clicking the link
  • Opening the attachments
  • Reaction: Reporting the email or not
  • Employee response time

Here’s an example screenshot of the Sophos phishing dashboard:

Be Transparent

Once you’ve established a baseline, a monthly update on the results of the previous Month’s phishing campaign can motivate your employees to be more vigilant.

• It’s recommended to anonymize the results a bit, perhaps categorizing the results by team or department rather than picking on an individual. This way your users won’t be turned off to the idea or won’t want to participate – the goal is enablement, not embarrassment.
• Adding an element of competition between departments with some type of leaderboard is also a good way to keep your users engaged.

Summary

Being familiar with typical phishing e-mails is great but actually testing your users is better. Educate your users on the standard phishing indicators that I mentioned above and with that training, test them by phishing them yourself. Setting up an internal phishing campaign is inexpensive and relatively easy to accomplish. It’s estimated that 80% of breaches are started with a successful phishing e-mail, get ahead of this before it’s too late.