This post is an attempt to resume some of the most common phishing schemes that I’ve dealt with, as well as sharing some tips on how to identify them.
Please note: I’m not an IT/security expert. This article resumes what I’ve learned from experience, from trying to prevent fraudulent activity in businesses (my roles have included frequent communication with Engineering teams), and some personal research on the matter.
Feedback is most welcome, so please email me at [email protected] in case something is unclear, incomplete, or incorrect.
What is phishing?
Phishing is a type of online identity theft, where the perpetrator, or “phisher”, tries to obtain our personal data (e.g. credit card numbers, passwords, account information, etc.) by making us believe you’re being approached by a real website we use.
Phishing exploits our confidence and ignorance. Its success is mostly due to thoughtlessness/distraction, lack of education about online fraud, and/or even a lack of concern due to the belief that we’ll never fall for this kind of deceit ourselves.
We can’t seriously blame people for their ignorance to fall prey to a phishing attack, though. We can only be held accountable for indifference and negligence… that is, knowing it’s out there, and not caring about being minimally informed. So the least one can do is to provide some education on the subject.
The first thing a phisher hacks is our trust.
A phisher hacks our trust. Some fraudulent schemes may involve complex coding skills, while some others are simply about wit and deceit. Regardless of what phishers can do technically, the first thing they hack is your confidence.
No one is immune, really… not even companies. A particular type of phishing, named “spearphishing“, occurs when a phisher targets members of a company, by pretending to be a superior or even the CEO (e.g. SnapChat was a victim of this in early 2016).
Anyway, most phishing schemes start with a simple message.
Fake emails and websites
A phisher will send you a fake email that will resemble that of a real company/website you use. And if you’re wondering how they got your email address in the first place, this article explains it.
The email address the phisher uses to fool you is usually very close to something you’d expect from the real company. If the real website usually writes you from [email protected][.]com, the phisher could register a domain and create the email address [email protected]saurus[.]com.
A different and more dangerous situation is when the sender email address is “spoofed”. That is, made to look exactly like the legitimate address. Comparing to the previous example, the sender will apparently be [email protected] The trick here is the reply-to address “behind” it. That is, when you click reply, the sender’s true email address will be revealed. So always double-check who you’re replying to.
Check the useful links in the end of the article to read more about email spoofing.
Additionally, the content of the email the phisher sends you is usually designed to look like the real company.
If you take a closer look, however, it’s rarely designed to feel like the real company. There are several clues to identify the phishing attack, regarding speech/tone. If the email includes any urgent, almost dramatic request related to your account’s confidential data, be suspicious.
Some tips on how to spot a phishing email:
- Call-to-action: account, security, payment, etc. They mention that your account is compromised in some way, that a payment is to be received, or that you should update something in order to prevent some serious situation;
- Call for urgency (“now-or-else”). This action usually has to be done urgently, as soon as you can, otherwise your account is compromised, the payment won’t take place, etc.
- Bad grammar. Text with typos or badly constructed sentences, punctuation, inconsistent information.
- No clear identification of your account: there’s no order number, customer ID, or any specific information related to your account.
- Addressing the recipient. Most of phishing emails include “Dear customer” – they rarely use your name or a common salutation, as the real website probably will. Example: “Dear Customer, (…) You need ____ immediately, otherwise, you will not be able to use your account, as usual.”
Before you click a link, preview it
Regardless of how good or dramatic the text is, the rule of thumb is simple: don’t click any link.
A phishing email usually includes a button – or a simple text link – for you to click on, whether it’s for you to access your account (“Login here“), receive a payment/refund (“Click here to login and authorize transfer”), confirm your password (“Confirm safely here“), and so forth.
Most Internet browsers nowadays will show you a preview of a real link on the bottom-left section of the window, so if things look minimally suspicious, simply preview the link by hovering your mouse over it, and before you click it.
Alternatively, you can also right-click a link, use the option “Copy Link Address” (or similar) and paste it on TextEdit, Notepad, etc.
If you’re using a mobile phone, you can usually tap and hold the link to see the full URL.
In any case, whenever a real website needs you to take urgent and immediate action and they email you, avoid clicking any links: go to the official website, sign in as usual, and make sure to confirm everything is up-to-date.
Set strong passwords, and never use the same password more than once. Whenever possible, also activate 2-factor authentication.
Password managers don’t need to be perfect, they just need to be better than *not* using them which they unequivocally still are https://t.co/nVG5G6RAWx
— Troy Hunt (@troyhunt) April 1, 2017
A password manager is a life-saver. Personally, I use 1Password. There are many others, however (e.g. LastPass or Enpass), but I can’t really vouch for them because I’ve never used them.
Anyway, I’m very happy with 1Password: it saves me a shitload of time and unnecessary effort whenever I need to create a new strong password.
Advantages of using 1Password
- Helps you create unique, extremely secure passwords: if you have any reused or weak passwords (as in the image above), it will let you know.
- More secure than any method you can probably devise. Sure, you can keep a notebook with handwritten strong passwords… but that’s also a risk!
- Organized: you can use tags and create Vaults to tidy up your passwords.
- Mobile apps!
- Strong auto-fill (there’s a desktop app, as well as browser extensions).
- You can create a shared Vault (for work, for example, and whose logins you may share with a coworker).
- Travel Mode (something you can activate for one or multiple Vaults).
One of its greatest features, however, has to be the Compromised Logins monitoring:
1Password reviews breach databases provided by Have I Been Pwned, and checks whether any of your passwords are present in any data leak. If so, it will inform you, and you can then update that login with a secure password.
For all this and more, a password manager is really worth the investment.
404 errors and redirects
Moving on, sometimes phishers use links with the real domain of the website they’re pretending to act as.
As an exercise, try previewing the links for the following examples (if you click by accident, don’t worry, they’re all safe):
- Click to discover WordPress
- Visit pedrosaurus.com
- Go to pedrosaurus.com/subscribe (404; page not found)
- See pedrosaurus.com/test (redirect)
- Check out this link
Why are the last three links suspicious? The anchor texts (i.e. what you read/is visible) and their hyperlinks all point to what seems to be the legitimate domain (this one!), with a few differences:
- The /subscribe/ page doesn’t exist (404 error).
- The /test/ page redirects to the root of the website.
- The link points to the legitimate domain, but includes specific parameters (i.e. /?utm_source=p3dr054uru5&utm_medium=email&utm_campaign=urltest)
Let’s assume I was sent that third link and clicked it. A bit confused, I’d probably ignore the email and delete it.
What’s going on here? If it’s phishing, they’re not asking for anything.
There can be several explanations:
They want to know your email address is active
The phisher has a way of knowing whether you’ve opened the email or not, as well as if you clicked on the link. If he has thousands of email addresses to test, he now knows that yours is valuable because it exists, and it’s being used.
They could target you with some “urgent” campaign to reactivate your Google account, this time. If you have private information in your Google account, it’s more valuable than your own wallet.
They want you to reply
and proceed with their fraudulent operation. They’re betting it’s more likely for me to email them back (“Hey! I can’t open the link”), than for me to go to the official website’s contact page, and fill the official company form, for example.
- This could be when the phisher would probably tell me that – for security reasons – I should login at pedrossaurus.com/login (this time I’ll be presented a replica of the real site, and asked to confirm my password, credit card number, etc.).
- If that link is hidden behind a button, or anchor text, I might not even notice the scam.
It’s also plausible to assume that a real company may one day make a mistake, and send you an incorrect link. Again, always double-check who you are really replying to, because the phisher may have spoofed his email address. Alternatively, simply go to the main website, sign in, and check for any notifications or alerts.
If in doubt, change your password.
The link leads to a fake website
The most common case is when a phisher creates a fraudulent copy of a legitimate website, designed to look like the website you use and trust (check Facebook’s guidelines on the topic). Usually, the domain includes the real website’s brand name in order to be more deceitful, but with variations:
- pedrosaurus-login .com is not pedrosaurus .com
- admin-pedrosaurus .com is not pedrosaurus .com
- pedrosaur .us is not pedrosaurus .com
- pedrosaurus .net is not pedrosaurus .com
Pay attention to slashes, hyphens and dots. Again, when in doubt, don’t click any links and just head over to the main website.
Also, a lot of businesses have multiple versions of their website (to present content in additional languages, mobile, etc.). That’s when it’s useful to be minimally acquainted with the differences below.
Let’s say I want to allow users to have accounts on this website, so they’ll need a login page. All legitimate options:
- Domain: pedrosaurus.com
- Sub-domain: login.pedrosaurus.com
- Sub-directory: pedrosaurus.com/login
Fraudsters use people’s ignorance of this to fool them, though.
Assume www.example.com as the only legitimate domain for a website where you have a user account, and buy/sell stuff.
A phisher could buy one or more of the following domains:
- www.example.co.uk (in this case, make sure the real website also has the .co.uk TLD. If not, it’s probably a fraudulent website!)
To explain how serious this can be, I usually put it this way: suppose a phisher emails my mom from [email protected][.]com, asking her to reply, to click a link and confirm her login information, to make a test transfer to some IBAN, and/or to confirm her credit card number.
How likely are they to succeed? If well done, very!
Legitimate companies will never email you asking for private data, such as a password or bank account number, which is information they actually already have.
The Universe will totally give you extra positive karma points if you let the company know about that suspicious activity.
- Not only because you’ll be helping the website, but you’ll be contributing for the overall safety of our good old WWW as well.
- Most companies have a specific email address for you to report fraudulent situations (e.g. [email protected]…, [email protected]…, etc.).
- Make sure you forward the suspicious email. If you simply copy-paste it into a contact form, a lot of information will be lost and your effort will be useless.
- If all they have is a contact form, describe the email, and ask if they would like you to forward it to a specific e-mail address.
Avoid ‘going around’, or bypassing, a legitimate website. If you use a website to complete transactions, usually those transaction should take place in the platform itself (with the exception of payment services like PayPal, where you can be redirected from and back to the website).
- …ensure the transaction agreed between you and another user will definitely occur, instead of leaving the success of the deal entirely to chance.
- …usually provide their own native messaging system, which is more than enough to exchange any necessary details. If another user asks you to contact him/her outside the platform to make the deal, please be wary.
Reacting to a phishing attack
What to do in case of a phishing attack? If you have identified – or been a victim of – a phishing attack (or online fraud in general), you should:
- Change your password immediately (on the website, email accounts, etc.). Choose a strong password and avoid using the same password twice.
- If available, activate 2-factor authentication (mobile verification).
- Contact the real website about this.
- Report the phishing link to Google, Symantec, the Anti-Phishing Working Group (APWG), and you can also file a complaint with the International Consumer Protection and Enforcement Network (ICPEN), if necessary.
- Install an anti-virus tool on your computer, and scan your system on a regular basis.
- Report a phishing URL to:
- GotPhish.com via @SwiftOnSecurity is a great resource with anti-phishing tools, procedures, etc.
- Have I Been Pwned? by @troyhunt warns you if your email address, and other personal data, is included in a breach
- Urlscan.io allows you to preview URLs safely
- Bit.ly links. Add a plus sign (“+”) to a bit.ly link to preview the real URL behind it (you can later preview it on https://urlscan.io). Try it on this one: http://bit.ly/2C6AhOV
- About clicking links in email (TipTopSecurity)
- Recognizing suspicious activity (PayPal)
- Phisher scams (Hoax-Slayer)
- How Spammers Spoof Your Email Address (and How to Protect Yourself) (LifeHacker)
Cover photo by Nicolas Picard