
Gone Phishin’

No, not the band. And yes, I did spell it right. I’m talking about phishing emails. I’m sure everyone’s come across at least one. Phishing emails are the type that use social engineering to try to get users to reveal personal information, such as usernames, passwords, credit card numbers, social security numbers, and other information. Releasing this information allows the bad guy to use it against you, by logging into your accounts, using your credit card information to make transactions, or maybe even stealing your identity.

Identifying Phishing Emails

There are numerous factors that can help identify phishing emails: a sense of urgency, a suspicious link, poor branding, unknown senders, and generalized references to the intended recipient(s). Let’s look at the sample below.


1. Unknown Sender: Let’s first look at the “From” message header. It looks like this email is from Fidelity, but the email address associated with it does not match the company it is supposedly being sent from. In any case, the email address belongs to someone who is unknown. This causes suspicion.

*Occasionally, phishing emails will be “spoofed.” This means that the email looks like it was sent from a sender whom you know, although it was actually sent by the bad guy to trick you into trusting it.

2. Sense of Urgency: Did you see the subject? “Alert! Urgent Action Required” Phishing emails want you to feel like you have to respond right now, and that it is a higher priority. Many times, phishing sites will only be up for a day, maybe even a few hours. By making the user feel like it’s important, the user is more likely to comply sooner rather than later.

3. Generalization: Normally, legitimate emails sent to a user will include the recipient’s name, whether it’s in the form of “Hey Corrie!” from a friend, or even “Dear Corrie” (or something along those lines). Phishing emails are usually sent to numerous people all at once, making it difficult to personalize the email. Be suspicious of emails that are not addressed to you personally, but addressed to a general customer, user, or group of people.

4. The Link: At first glance, the link looks legitimate, right? Look closer. Fidelity is spelt with an e instead of an i after the F. would be the legitimate site, but the link to is definitely suspicious. In this circumstance, the link is clearly presented within the email, making it easier for the user to know where they are heading when they click the link. Many phishing emails, however, will have hyperlinks saying “CLICK HERE” in blue, underlined font, for example, and when the user clicks the button they are led to a site. Hovering your mouse over that hyperlink will display a pop-up revealing where the hyperlink is actually going, as opposed to where it looks like it might lead.

5. Poor Branding: Phishing emails pretending to be sent from a company or other entity often have poor branding. Legitimate emails may have logos, contact information, or other unique identifiers to validate their emails. Phishing emails oftentimes won’t contain that type of branding.

Another thing to note — phishing emails may also contain attachments asking you to reply to the email with your contact information because you suddenly inherited $1,000,000 from a far distant relative in Nigeria. If a suspicious email has any attachments, don’t open them.
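The sender check (indicator 1) and the link check (indicator 4) can also be done by a script instead of by eye. The following is an added example, not part of the original post: the brand table, the `.example` domains, the 0.85 similarity threshold, and the sample message are all constructed assumptions.

```python
import difflib
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

KNOWN_BRANDS = {"fidelity": "fidelity.example"}  # assumption: brand -> its real domain (constructed)

class LinkCollector(HTMLParser):
    """Collect [href, visible text] for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._open = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append([dict(attrs).get("href") or "", ""])
            self._open = True
    def handle_data(self, data):
        if self._open:
            self.links[-1][1] += data
    def handle_endtag(self, tag):
        self._open = self._open and tag != "a"

def site(host):  # naive: last two labels; production code needs the Public Suffix List
    return ".".join((host or "").lower().split(".")[-2:])

def check_message(raw):
    msg, findings = message_from_string(raw), []
    name, addr = parseaddr(msg["From"] or "")
    sender = site(addr.rpartition("@")[2])
    for brand, real in KNOWN_BRANDS.items():
        if brand in name.lower() and sender != real:  # indicator 1: unknown sender
            findings.append(f"sender: name claims {brand}, address is at {sender}")
    collector = LinkCollector()
    collector.feed(msg.get_payload())  # assumes a single-part HTML body
    for href, text in collector.links:
        dest = site(urlparse(href).hostname)
        shown = site(urlparse(text.strip()).hostname) if "://" in text else dest
        if shown != dest:  # what hovering reveals: visible text and target disagree
            findings.append(f"link: text shows {shown}, href goes to {dest}")
        for real in KNOWN_BRANDS.values():  # indicator 4: near-miss spelling
            if dest != real and difflib.SequenceMatcher(None, dest, real).ratio() >= 0.85:
                findings.append(f"link: {dest} looks like {real}")
    return findings

# Constructed sample message (not the email from the post).
SAMPLE = ('From: "Fidelity Alerts" <notice@mail-update.example>\n'
          'Subject: Alert! Urgent Action Required\n\n'
          '<a href="http://www.fedelity.example/login">http://www.fedelity.example/login</a>\n'
          '<a href="http://www.fedelity.example/verify">CLICK HERE</a>\n')
```

Calling `check_message(SAMPLE)` returns one sender finding and one lookalike finding per link; a message whose sender and links all sit on the brand's real domain returns an empty list.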

Stay tuned for how to deal with phishing emails.