Phield Identification: Finding Phishing in the Wild
Phishing is everywhere in the world around you. A strange email claiming to be from Amazon, an unprompted text from Netflix, or a phone call from Microsoft telling you they've found a virus could all be attempts to gain your personal information for nefarious use. Luckily, it's something that can be identified and avoided long before it's too late, and this guide will help anyone learn to spot the bait before they're hooked. Even if you aren't sure whether a suspect email is phishing or not, it's safer to assume it is. If it's targeted at you as a member of a company or organization, it should be reported to your local cybersecurity team.
Many phishing attempts share several common features that can include, but are not limited to:
- Spelling or grammar errors
- An appeal to urgency
- A link to a strange website, or one disguised as a genuine website (e.g. zoom.us vs zoorn.com)
There are many kinds of phishing, but some of the most common methods include:
- Phishing over SMS text messaging, nicknamed Smishing
- Spear phishing campaigns aimed at targeted individuals within an organization, like an upper-level executive
- A phishing campaign carried out on a larger organization, in a scatter-shot style
Phishers will very often pretend to be a trusted company that their target uses, like a bank, e-commerce platform, or streaming service. The main goal is to trick the target into revealing sensitive data like passwords or credit card numbers. As such, many schemes will imply that the recipient's account for X service has been disabled or is under immediate threat and that they must click the fraudulent link provided to correct the issue, as seen below.
There are several things here that can alert someone to this being a phishing attempt. The most obvious are the prominent grammar errors, especially the phrase "recovery your account immediately click link bellow." Netflix, a bank, or any other company worth its salt would not allow something like this to be sent to users.
Additionally, while the link provided does include "http://www.netflix.com" in it, it actually resides on a subdomain of "onlinehome.us": everything before the "@" in a web address is treated as login information, and the site you are actually taken to is whatever comes after it. Luckily, this URL now redirects to a page informing users about this scam, but previously it would very likely have been a fake login identical in appearance to the real deal. Trying to log in there would only result in your Netflix account being placed firmly on the phisher's hook.
Referring back to the earlier checklist, we can see that this example contains all three of the common phishing features:
- Spelling or grammar errors: "Recovery your account immediately click link bellow"
- An appeal to urgency: "Please take action on your account within 48 hours to avoid permanent suspension."
- A link to a strange website: "http://www.netflix.com:911@s955592180.onlinehome.us/mo"
As such, we can safely report this message where appropriate as phishing and discard the message. Remember, it is always better to err on the side of caution.
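The link check described above can also be done mechanically. The following Python script is an added example, not part of the original guide: it extracts the host a link really points to and flags a trusted name placed before the "@" as well as look-alike spellings such as zoorn for zoom. The function names, the look-alike table and the two-label domain shortcut are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed, non-exhaustive table of character runs that read alike at a glance.
LOOKALIKES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))

def skeleton(label):
    """Collapse look-alike runs so that 'zoorn' and 'zoom' compare equal."""
    label = label.lower()
    for fake, real in LOOKALIKES:
        label = label.replace(fake, real)
    return label

def registered_domain(host):
    """Assumption: the last two labels are the registered domain.
    Production code should consult the Public Suffix List instead."""
    return ".".join(host.split(".")[-2:])

def inspect_link(url, trusted_domain):
    """Return (real_host, findings) for a link claiming to be trusted_domain."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    findings = []
    if parts.username is not None:
        # Text before '@' is login data sent to the host; it is not the destination.
        findings.append("userinfo-decoy:" + parts.username)
    site = registered_domain(host)
    if site != trusted_domain:
        findings.append("foreign-domain:" + site)
        if skeleton(site.split(".")[0]) == skeleton(trusted_domain.split(".")[0]):
            findings.append("lookalike-of:" + trusted_domain)
    return host, findings

# Sample links: the first is the one from the message above; the other two
# are constructed from domains mentioned in this guide.
SAMPLES = [
    ("http://www.netflix.com:911@s955592180.onlinehome.us/mo", "netflix.com"),
    ("https://zoorn.com/", "zoom.us"),
    ("https://www.netflix.com/", "netflix.com"),
]

if __name__ == "__main__":
    for url, trusted in SAMPLES:
        host, findings = inspect_link(url, trusted)
        print(f"{url}\n  real host: {host}\n  findings: {findings or 'none'}")
```

An empty findings list only means these two checks passed; it does not prove a link is safe.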