Ruben Hernandez, Information Security Specialist
Everyone has seen a phish. No, not the water creatures that swim in our oceans, lakes and rivers, but the emails received from contacts that don't seem quite right. The email may carry a generic message that doesn't sound like the sender you know, and it contains a hyperlink. At first you hesitate to click on the link, sensing that something may be off. However, since you recognize the name of the sender, you disregard your doubts and let curiosity take over. You click on the link. The link takes you to an invalid webpage or a page about saving the world's pandas. This is bizarre, but harmless, right? Far from it! You have just become a victim of "Email Phishing." Unfortunately, by clicking that link, you may have allowed attackers to infect your computer with malicious code that grants them full access. They now have access to the data stored on your computer, which probably includes private information such as banking passwords, credit card numbers, social security numbers, medical information, photographs, etc. Depending on the code, hackers may have even gained complete control of your device and can use your computer remotely in any way they wish.
What is Email Phishing?
It is the most common and simplest form of social engineering: attackers mislead victims into performing an action (such as clicking on a link, opening an attachment, or replying to or forwarding an email) that leads to the disclosure of personal information and/or allows the attacker to gain remote access to the victim's computer system.
For the attack to be successful, victims must "bite" by performing one of these actions. In addition to sending a malicious email from what appears to be a known contact, attackers send emails that prey on human emotion. These "Call to Action" emails create a sense of urgency: they demand an immediate response in order to avoid a negative consequence, and sometimes promise a reward.
Phishing Email Examples
Below, underlined in red, are the areas to look out for: a spoofed sender address, a subject line and body that convey a "sense of urgency", and a hyperlink whose true destination is revealed only by hovering over it.
1. Tech Support Scam (figure: a sample email with a suspicious hidden link)
How can you avoid becoming a victim of Email Phishing? Knowledge is power. You need to know what to look out for.
An attacker might use a spoofed email that looks like it comes from someone you know. Usually you can tell the email is not genuine because it shows the contact's name, but the actual sending address is different.
If you receive a web link, hover over it to verify that it actually leads to the website it claims to.
When you receive a suspicious email, even if it is from a known contact, avoid opening it! Be careful about opening files that arrive in suspicious emails.
Always stop, look, and think before you click or tap. When in doubt, throw it out.
Finally, malware can be hidden in attached files.
These attacks usually include website links whose visible text looks trustworthy while the actual destination is malicious. This is known as URL obfuscation or website spoofing.
Here are some known examples to be suspicious of.
https://support.micr0soft.com (The letter "o" after the "r" in Microsoft has been replaced with the digit zero.)
https://apple.com.cn (The .cn ending makes this a Chinese domain, not apple.com.)
http://bankofamerica.com.ru (The .ru ending makes this a Russian domain, not bankofamerica.com.)
https://goo.gl/Se9A4t (This is a shortened URL. Shortened links hide the real destination and are widely used to deliver malicious software.)
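The two checks the article recommends, comparing a sender's display name against the address you actually know for that contact, and looking at where a link really points, can be applied mechanically. The following is an added example and is not code from the original article; the contact list, the brand allowlist, the shortener list and the sample sender are constructed for illustration, and the registrable-domain helper is a deliberate approximation (the last two labels of the host) rather than a Public Suffix List lookup. It goes slightly beyond the article's four links by handling any brand in the allowlist and any digit-for-letter swap in the table.

```python
"""Added example (not from the original article): a small checker that applies the
article's advice to a From header and to hyperlinks.  KNOWN_CONTACTS, TRUSTED_DOMAINS,
SHORTENERS and the sample inputs are all constructed for illustration."""
import re
from urllib.parse import urlparse

# Constructed address book: display name -> the address you actually know for that contact.
KNOWN_CONTACTS = {"alice example": "alice@example.com"}

# Constructed allowlist: brand keyword -> registrable domain(s) that brand really uses.
TRUSTED_DOMAINS = {
    "microsoft": {"microsoft.com"},
    "apple": {"apple.com"},
    "bankofamerica": {"bankofamerica.com"},
}

# Constructed list of public URL shorteners; the visible link says nothing about the destination.
SHORTENERS = {"goo.gl", "bit.ly", "tinyurl.com", "t.co"}

# Digit-for-letter swaps used to build look-alike names (micr0soft -> microsoft).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def normalize(label: str) -> str:
    """Lower-case a host label and undo the common homoglyph substitutions."""
    return label.lower().translate(HOMOGLYPHS)


def registrable_domain(host: str) -> str:
    """Approximate the registrable domain as the last two labels of the host.
    This is enough to expose 'bankofamerica.com.ru' as 'com.ru'; a production
    tool would consult the Public Suffix List instead (assumption noted above)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def check_sender(from_header: str) -> list[str]:
    """Flag a From header whose display name is a known contact but whose
    address is not the one on file (the article's spoofed-sender case)."""
    m = re.match(r'\s*"?([^"<]*?)"?\s*<([^>]+)>\s*$', from_header)
    if not m:
        return []
    display, address = m.group(1).strip().lower(), m.group(2).strip().lower()
    expected = KNOWN_CONTACTS.get(display)
    if expected and address != expected:
        return [f"display name '{display}' is a known contact but the address is "
                f"{address}, not {expected}"]
    return []


def check_url(url: str) -> list[str]:
    """Return the reasons a link looks suspicious, or an empty list if none were found."""
    findings = []
    host = urlparse(url).hostname or ""
    if not host:
        return ["no host name in URL"]
    reg = registrable_domain(host)
    if reg in SHORTENERS:
        findings.append(f"shortened URL via {reg} hides the real destination")
    for label in host.split("."):
        for brand, good_domains in TRUSTED_DOMAINS.items():
            if normalize(label) != brand:
                continue
            if label.lower() != brand:
                # The label only looks like the brand once digits are read as letters.
                findings.append(f"look-alike label '{label}' imitates '{brand}'")
            elif reg not in good_domains:
                # The brand is genuine text but sits under someone else's domain.
                findings.append(f"'{brand}' is only a sub-label; the real domain is '{reg}'")
    return findings


if __name__ == "__main__":
    # Constructed sample: the display name matches a contact, the address does not.
    print(check_sender('"Alice Example" <alice.example@mail-example.net>'))
    # The article's own look-alike links, plus one genuine address for contrast.
    for link in ["https://support.micr0soft.com", "https://apple.com.cn",
                 "http://bankofamerica.com.ru", "https://goo.gl/Se9A4t",
                 "https://www.microsoft.com/"]:
        print(link, "->", check_url(link) or "no findings")
```

Run it as-is and each of the four links from the list above produces a finding while the genuine microsoft.com address produces none. The display-name check only works when the address book is populated with addresses you have verified out of band, which is the same discipline the article asks of a human reader: trust the address you already know, not the name the message shows you.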
For questionable emails, contact Ruben Hernandez (firstname.lastname@example.org).