What are phishing emails and how to protect yourself (the 2020 guide)

Last updated by Abeerah Hashim

You all know about fishing, right? You go out with your fishing tackle, choose a bait, throw it in the water and pull back when you catch a fish. Ever wondered whether you could be fished too, online, via phishing emails?

Actually, it isn’t fishing but phishing that targets you on the internet. For this, a phishing email comes as the bait to trap you.

Phishing is the digital variant of fishing and is the most common and the most straightforward cyber attack.

From organizations to individual users, everyone connected to the internet is exposed to this danger. In fact, a majority of users have fallen prey to phishing attacks at least once.

Despite being an old strategy, phishing attacks remain the most successful cyberattacks. That’s because of the diversity of strategies the criminals employ to trick users. Yet, the critical vector through which phishing attacks execute today remains email.

Hence, in this article, we’ll explain in detail what phishing emails are and how to identify them. We’ll also guide you on what you can do to protect yourself if you have fallen victim to an email phishing attack.

What is a phishing email?

A phishing email is simply an email that reaches you from cybercriminals, who hope to get you phished.

It means the criminals strive to collect information from you and about you by sending fake emails. The target information may range from login credentials to sensitive personal and bank data.

Sometimes, the emails may also deliver malware to your devices, which then steals data from them.

These emails are never legit. But they always impersonate other legit emails that you frequently receive. For example, these emails may appear as an email from your bank, as a response to your job application, or an alert from some social media service like Facebook.

Also, quite often, a phishing email appears as a message from your company’s CEO or a colleague. This type of phishing attack is incredibly successful in conducting large-scale attacks on different organizations.

Ironically, some fake emails also appear as notices from law enforcement agencies or as legal notices, to put psychological stress on the target users. Besides, users keep getting targeted on eCommerce platforms, as in PayPal scams and Amazon phishing emails.

Often, it becomes challenging to distinguish these spoofed emails from legit ones. Hence, users frequently open such emails, follow what’s asked, and end up sharing their data with criminal hackers.

In other words, you end up being phished!

Types of phishing emails

Depending upon the target victim and how an email gets sent, phishing messages are classified into the following:

Spearphishing

This is the most common type of phishing attack conducted by most attackers. Spearphishing is almost always aimed at individual users or users of target organizations.

It means that, unlike conventional phishing emails that arrive in your inbox aimlessly, spearphishing emails bear a particular design to trap the target.

These emails won’t mention your name (in most cases), but they arrive in a form in which you frequently receive emails.

For example, the emails may arrive as a notification from one of the social media services you use, like Facebook.

These emails may even appear legit as the attackers would also do a little search about you before sending a phishing email. So, you may receive a Facebook notification regarding a photo your friend just uploaded, which, as a matter of fact, would be nothing but a phishing email.

This kind of precision of fake emails is also possible when the attackers aim at your organization whilst preying on you. You may receive emails that would appear from your boss or a colleague.

The more precise a spearphishing email is, the more likely you are to click on it and follow what’s asked.

Spearphishing may not look dangerous. However, this seemingly harmless strategy has resulted in high-profile state-backed attacks and other cyberespionage activities.

BEC (Business Email Compromise)

If you’re working in a big organization, you and your firm are prone to BEC phishing.

What is BEC?

This type of phishing email also resembles spearphishing attacks. But it is more specific to the corporate sector.

As the term implies, this type of attack works by compromising business emails. The FBI explains that the attackers impersonate anyone you trust, like your office colleague, your boss, or a vendor your company routinely deals with. Since the sender appears known and legit, you trust the emails you receive.

Through these emails, the attackers attempt to trick you into making huge transactions. For instance, they urgently ask for some overdue payment, or ask you to buy gift cards and share the serial numbers with your boss at very short notice.

This sense of urgency makes it difficult for the victim to look for details or verify the emails. That’s the reason these attacks remain very successful for cybercriminals.

Whaling


Whaling is just another phishing attack with a corporate target. These attacks are highly specific, and the attackers aim at high-profile targets.

In other words, the attackers make sure that the target victim is capable enough to satisfy their demands. So, they phish whales instead of small fishes.

Specifically, whaling aims at high-profile people, such as the board members or senior executives of a firm. The attackers pose as a junior employee who shares a sensitive customer complaint, or as a colleague discussing some other sensitive matter like a subpoena.

Given the email’s business nature, the victim is likely to trust the sender and do as asked.

These attacks often have purposes other than financial gains.

For instance, the attackers may implant malware into the system once the target user clicks on the given phishing link. Eventually, the attackers can gain a hold on the entire business network. They may also limit the spread of infection to the particular device only and steal sensitive company information.

Clone phishing

Clone phishing is a little different from conventional phishing emails.

While those emails reach you as a new email, clone phishing relies on modifying your current email threads.

In clone phishing, the attackers impersonate the conversation and context of a previously delivered and legitimate email. The phishing email, however, includes some links or attachments, or both, that are malicious.

The attackers often spoof the sender’s email address as well. Hence, the email looks legit and a continuation of the previous conversation.

For these phishing messages, the attackers often target previously hacked entities, either the sender or the recipient, to obtain previous valid emails.

How to identify phishing emails?

This is the most essential thing every privacy-savvy internet user should learn.

Identifying these spoof emails can be a chore, mainly if you believe you can’t be a target.

So, first, understand that you, as an internet user, are as vulnerable to phishing attacks as the CEO of a big firm.

Likewise, you’re as vulnerable to phishing attacks as any billionaire.

Whether you’re a student, an employee, a senior executive, a business owner, or merely an at-home but avid internet user with a much-used email address, phishing emails will always reach you.

It’s because the criminal hackers aim at moneymaking with phishing and at spying on your activities and stealing your data.

So, you were, are, and will always be vulnerable to phishing messages online.

Clear? Great.

Now that you know you’re vulnerable, don’t worry. Here we elaborate on how to spot phishing emails.

1. Check the sender’s email address

The malicious hackers know that you will likely look at the sender’s name before opening an email. That’s why they spoof names and, frequently, spoof email addresses too, because they want you to believe those fake emails are legit.

So, the first thing to check before opening an email is the sender’s email address.

Usually, a phishing email address carries the impersonated brand in the first part of the address (before the ‘@’), which the attacker controls. It’s because faking the second part, after the ‘@’, is seldom possible: this part is the domain name officially representing a service.

So, if you receive an email with the sender name “Bank of America,” check the email address. Anything like “bankofamerica@ocp.jp” or any other fluff after the “@” in the email address is fake.

2. Check the subject line

Today, it’s unlikely for most users to communicate with friends or family via email. Most of the email communication is usually done with business contacts, or for other official and semi-official purposes, like communicating with payment facilities or e-commerce sites.

So, if you receive emails with subject lines like “Hi…,” “Hey mate…,” “Please open to check your gift,” or any other weird thing, don’t open them. These subject lines may tickle your curiosity, but remember, “curiosity killed the cat.”

Yet, these aren’t the only subject lines to be wary of. If the attackers are sending phishing emails impersonating some official context, the subject lines might look more plausible.

It’s possible that the email subject line would read “Pending invoice payment” and would come from a known vendor. But remember that such emails, when official, never come with vague subject lines. If you had an outstanding payment at your end, the subject line would carry a reference number or a known identification mark for it.

If there’s some random invoice number as well in the subject line, then double-check the sender’s email address for legitimacy before opening the email.

3. Check the salutation

If the subject line and email address look okay, you can perhaps open the message.

But don’t trust it right away. Check the salutation style of the message.

Anything generic, such as “Dear Concerned,” “Dear Customer,” or “Dear Friend,” is likely not legit, unless your email address is a customer support address. A random customer might address you that way because the customer doesn’t know you personally.

However, your kith and kin, business acquaintances, and colleagues don’t need to address you generically.

Even if you’re just a random customer of a service, that company would indeed have a good record of your name. Hence, you will undoubtedly receive emails with your name clearly mentioned.

(Even in the case of bulk mailing, the support teams use features like ‘mail merge’ to send messages with a personalized salutation.)

4. Assess the email language

Besides salutation, the email content is also essential.

You may possibly come across a phishing email in a personalized style. It’s because the hackers would perhaps have your username and email address, thanks to the frequent data breaches that various big and small companies keep facing.

So, if the salutation looks fine, move on, and assess the content.

For instance, if you see the email supposedly from your boss asking for some gift cards, wait and recall whether your company was really planning anything like that.

Had your firm distributed gift cards among the employees?

When was the last time it happened?

What was the worth of those gift cards?

Is anything in the pipeline for the current year as well?

And, above all, ask yourself. Has your boss ever made such urgent requests before?

Your answer to at least the last question, if not all of them, would likely be no.

And, there you spot a phishing scam!

Likewise, you may also notice phishing emails with threatening content. For example, things like “unauthorized login detected…” or “your account will be deleted” are seldom genuine.

These emails simply attempt to intimidate you with a sense of emergency or urgency so that you take quick actions without thinking much.

If you have a doubt, it’s better to reach out to the respective service the email sender impersonates. But, make sure you do that via other means of communication.

For example, if you get an urgent alert regarding unauthorized activity on your Facebook account, better try to log in to your Facebook account yourself. For this, open a new browser window, manually type the URL, and sign in to your account to review the activity. Or, check your account status via the app on your mobile phone.

Similarly, if the urgent email poses as a message from your bank, contact your bank via phone or means other than email. This will help you verify the legitimacy of the message.

5. Check the links

Phishing emails usually include a link to the phishing web page. This link is either embedded as a hyperlink in the message or separately mentioned as a shortened URL.

Sometimes, you can even see legit-looking links mentioned in the email, but hovering your mouse over the link would let you see the actual embedded link, which would likely be different from the one visible.

These signs clearly hint that the email is a phishing attack.

Phishing URLs are often not malicious themselves. Rather they simply serve as bait. Clicking on such URLs often makes you land at phishing web pages.

In most cases, these phishing web pages impersonate the legit websites of the service the attackers spoof.

For example, if you receive a phishing email posing as an alert from Facebook, the corresponding phishing web page would mimic the Facebook website’s layout.

In most cases, the phishing website will likely impersonate the login page of the service. It’s because the attackers mainly execute phishing attacks to steal your account credentials. Believing the page as real, you will enter your email address and password and unknowingly compromise your account security.

If the phishing email poses as a message from your bank, the risk is even higher as the phishing web page will ask for your personal and financial data, including debit/credit card numbers.

Therefore, as a rule of thumb, if you have clicked on a phishing link and see that the web page asks for information from you, beware! The link wouldn’t be genuine.

Again, for verification, you can always reach out to the respective service via some other means.

6. Review the signature

Below the message, see how the email signature appears.

While notification alerts and emails often have no formal signature, the services tend to give unsubscribe links here. You will frequently see other details like the company’s office address, links to the privacy policy and terms of service, contact number, and disclaimer.

However, the criminal attackers behind phishing emails usually don’t make the effort to include all such data. Even if they do, they will likely paste a snapshot of it with no clickable links.

But if you find clickable links here, hover your mouse over them. You will certainly identify the gibberish embedded behind them.

Also, the language of such closing text would not appear legit; its vagueness gives you a hint.

In the case of phishing email content impersonating formal communication, you may see standard signatures mentioning a company official’s name along with details like designation, address, email address, website link, and other such information.

Since most services include this information in formal email communication, phishing emails also mimic them to trick users.

However, a closer look at the signature would let you identify the scam. For example, a bank official’s email signature would not mention a Gmail or Yahoo ID as the corresponding official address.

Also, if you see a seemingly legit email address in the signature, hover your mouse over it and see if the embedded address is the same as the one shown. A smart attacker may hyperlink a legit-looking email address to a fake one.

7. Look for attachments

Sometimes, the emails may also include some attachments, posing as invoices or essential letters. These attachments may also contain malicious links.

Frequently, such attachments also carry malicious code. Thus, opening such attachments would execute the malware on your system right away without you knowing.

So, if you find any attachments in the emails, don’t open them unless you are sure about the sender.

8. Analyze what information is asked

As we stated above, phishing web pages impersonate the website layout of legit services to fool users. It’s because the primary goal of the criminals behind phishing attacks is to steal your personal information.

This intended information may range anywhere from your account login credentials (email address and password) to your personally identifiable information (PII). Your PII may include full name, physical address, contact number, social security number, and financial data such as your bank details, credit/debit card numbers, and much more.

Depending upon the intention, the attackers design their phishing emails accordingly.

For example, if the phishing email and web page mimic Bank of America, the attackers would ask you for your PII and financial information.

Spoof emails impersonating Facebook, Apple, LinkedIn, or Microsoft Office intend to steal your account credentials. It’s because once the attackers have your credentials, they can exploit your account the way they want. They can even lock you out of your accounts and trick your connections by abusing your account.

If you receive official and legit emails, note that they won’t ever ask you to enter any information. If it’s about resetting your Facebook account password, Facebook won’t ask you to change these details right away. Instead, it follows a long procedure that includes sending verification codes to your phone number or a recovery email address.

Likewise, if there’s an issue with your bank or payment service, you will possibly receive a phone call regarding the matter. Or, even with emails, the service won’t ever ask you to enter sensitive data on web pages.

Real-world phishing email examples

If you wonder what most phishing emails look like, here we list some basic scams the attackers execute this way.

Thanks go to the cybersecurity community, which identifies and discloses such scams regularly to make people aware.

With these examples in mind, you can mostly protect yourself from falling victim to the latest phishing email scam.

Tech support scams

Tech support scams are the ones where the threat actors impersonate tech support (mostly of big firms like Amazon and Google) to access your system. The scams begin from malicious ads and websites, as well as from phishing emails.

In these scams, the emails can be harmless, merely alerting you of some problem in your system and redirecting you to the phishing web page. Or, the emails may include some malicious code that literally freezes your system to trick you into connecting with the scam support.

For example, consider this LinkedIn phishing email campaign that leads to scam tech support.

(Image: tech support scam via email. Source: Microsoft)

Suspicious login alerts

Social media users are often concerned about the security of their accounts. No doubt, Facebook, Instagram, and other social media sites remain on the hit list of criminal hackers.

Therefore, such users heavily rely on account login alerts received from these services via email or SMS to know when somebody attempts to breach their privacy.

That’s what the threat actors love to exploit.

The following email is an example of Instagram phishing, where the attackers sent fake login alerts to the victims. Through this campaign, the attackers aimed at stealing users’ legit accounts’ login credentials.

(Image: Instagram phishing example. Source: Sophos)

CEO fraud

Since turning down a request from your boss is almost impossible, the hackers often target employees of a firm with CEO fraud.

These are a specific type of phishing email that impersonates your company CEO (or whoever is your boss) as the sender. The emails often ask the recipients to make urgent transactions on behalf of or for the boss.

Of course, any loyal employee would be happy to address such personal requests to prove loyalty. However, such employees would little realize that they were heading for big trouble by responding to such emails.

Here is a classic example of a CEO fraud phishing email.

(Image: CEO fraud email message example. Source: Trustwave)

Account deactivation

These emails create a sense of panic by alerting users of account deactivation. They usually justify the deactivation with non-payment or license expiry, eventually panicking the end users. Since the emails give the victims a short time to respond, they are likely to click on the given links and follow the instructions.

For instance, in the following example, the phishing email targets Microsoft Office 365 admins alerting them of license expiry. This is a classic example of BEC scams:

(Image: Office 365 license expiry phishing email. Source: Bleeping Computer)

Payment card details

This is the most rapidly increasing phishing attack during the COVID-19 pandemic phase, as most buyers rely on online payments. The scammers are increasingly leveraging this opportunity to steal your credit/debit card numbers. And, of course, what could serve this purpose better than panicking you with a compromised-card alert?

Take a look at this email as an example. Here, the attackers collectively aim at stealing Netflix account credentials as well as payment details.

(Image: Netflix phishing email example. Source: Armorblox)

How to deal with phishing emails

If you have become a phishing attack victim, you may not be able to fix it now if the incident happened long ago. But if it has happened recently, here’s what you should do at the earliest. The same holds if you ever suffer a phishing attack and subsequent data theft in the future.

Report the incident to LEA

Whether you actually became a victim of a phishing attack yourself or narrowly escaped the threat by identifying it at the right time, make sure to report the matter to the Federal Trade Commission.

Reset your account login credentials

If you fear that you have been tricked into entering your account credentials on a phishing web page, reset your password immediately. Also, if you have the bad habit of reusing passwords, change it across all your accounts.

Besides, keep an eye on your account for any unauthorized login attempts, purchases, or other activities.

Inform your bank and/or card issuer

If you have shared your payment card information or banking details on a phishing website, inform the relevant authorities immediately. This will help them identify and block any unauthorized or suspicious transactions.

Ideally, you should close the compromised bank account and/or payment card immediately to keep your financial assets safe.

Reach out to credit bureaus

Thankfully, credit bureaus like Equifax, TransUnion, and others offer sufficient protection against identity theft. So, if you have likely suffered one, reach out to these services to protect your identity from being misused for malicious purposes.

How to stop phishing emails

Given the ever-increasing and almost unstoppable extent of email spoofing, you might have fallen prey to a phishing attack. If not recently, then, in the past. And, of course, you remain vulnerable to such attacks in the future as well.

Does that mean you can never prevent fake emails from preying on you? Certainly, no!

The key to stopping phishing emails from harming you is to be aware of them and make others aware too.

After going through the phishing examples we listed above and the guide to identifying them, you will most certainly spot the very next malicious email you receive. If you remember the key points and stay a little observant, you will not become a victim of phishing attacks in the future.

If your family, your colleagues, and the staff in your company are ignorant, you will indirectly suffer the same impact.

Therefore, once you learn what phishing emails look like and how to deal with them, spread the word to everyone you know.

Particularly, if you’re a senior executive at a firm or own a business, you inevitably need to train your staff.

Conduct different workshops and awareness programs to guide every employee about phishing emails. You can also test their skills through various phishing simulation tools to see how they respond to spoof emails. This will help you evaluate the adeptness level of your employees.

Wrapping it up

Executing cyberattacks via phishing emails isn’t a new technique for the threat actors. Yet, the thing that still makes this technique productive for bad actors is the people’s ignorance.

Despite extensive study by the cybersecurity community and numerous anti-phishing strategies, spoof emails continue to grow their victims’ list because people aren’t aware of how phishing attacks work.

So, if you really wish to protect yourself, your home, and your organization from common cyber-attacks, spread awareness about phishing emails.

We hope that this detailed guide will serve this purpose for you. Yet, feel free to reach out to us in case of any ambiguity.

Stay safe!

Frequently asked questions

Why is it phishing and not fishing?

Phishing is simply the modern cyber variant of the word fishing. Phishing refers to digital attempts at preying on users online.

Is phishing limited to email only?

Not really. Phishing attacks can also happen via SMS, phone calls, ads, and messages on social media. In short, it can happen through any communication portal through which an adversary can manipulate you to share data or money.


About the author

Abeerah Hashim

Abeerah is a passionate technology blogger and cybersecurity enthusiast. She yearns to know everything about the latest technology developments. Specifically, she’s crazy about the three C’s; computing, cybersecurity, and communication. When she is not writing, she’s reading about the tech world.
