Phishing is a form of social engineering used to steal information from victims via email or text message by impersonating a trusted person or organization. Messages are often disguised as customer invoices, password resets, or login requests.
Links and attachments may contain malware designed to steal sensitive information or gain a foothold within a company network. In some cases, phishing emails direct users to fake websites that mimic legitimate services, tricking them into entering their login credentials.
These scams are responsible for millions of dollars in losses each year and are one of the most common forms of cybercrime.
Examples of Phishing Emails
There are many types of phishing scams that use different techniques to steal data from recipients. They vary in complexity, payload type, and how difficult they are for the average person to detect. Below are some of the most common types of phishing emails.
Domain spoofing
Domain spoofing can be done directly in the email header: the attacker sends mail that claims to come from the real domain, for example banktrust.com. Email authentication, specifically DMARC records, lets receiving mail servers check that the server that sent the email is allowed to send on behalf of that domain.
DMARC records have a line of text that contains all of the servers that are allowed to send on behalf of that domain. When an email is received, the receiving mail server can run a DMARC check on that domain to confirm that the sending server is listed as authorized. If the server is not authorized to send on behalf of that domain, the DMARC check will fail.
Without DMARC email authentication, spoofing attacks would run rampant across the internet. Luckily, DMARC is a widely adopted standard and in use almost everywhere.
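The DMARC check described above, as an added example that is not code from the original article: it parses a DMARC TXT record and applies the domain owner's policy to one inbound message. DMARC itself builds on SPF and DKIM, so the SPF/DKIM outcomes and the record for banktrust.com are constructed inputs rather than live DNS lookups.

```python
# Added example, not code from the original article: parse a DMARC TXT record
# and apply its policy to one inbound message. DMARC builds on SPF and DKIM,
# so the SPF/DKIM outcomes here are constructed inputs, not a live lookup.
from dataclasses import dataclass

@dataclass
class AuthResult:
    spf_pass: bool
    spf_domain: str    # domain SPF was evaluated against (MAIL FROM)
    dkim_pass: bool
    dkim_domain: str   # d= tag of a DKIM signature that verified

def parse_dmarc(record: str) -> dict:
    """'v=DMARC1; p=reject; adkim=s' -> tag dict, with RFC 7489 defaults."""
    tags = {"p": "none", "adkim": "r", "aspf": "r"}
    for part in record.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip().lower()] = val.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record: %r" % record)
    return tags

def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match; relaxed ('r')
    accepts the same organisational domain, approximated here as the last
    two labels (assumption: fine for .com-style names, not for co.uk)."""
    if auth_domain.lower() == from_domain.lower():
        return True
    if mode == "s":
        return False
    org = lambda d: ".".join(d.lower().split(".")[-2:])
    return org(from_domain) == org(auth_domain)

def evaluate_dmarc(from_domain: str, record: str, auth: AuthResult) -> str:
    """Return 'pass', or the disposition the domain owner asked for."""
    tags = parse_dmarc(record)
    spf_ok = auth.spf_pass and aligned(from_domain, auth.spf_domain, tags["aspf"])
    dkim_ok = auth.dkim_pass and aligned(from_domain, auth.dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    return tags["p"] if tags["p"] in ("quarantine", "reject") else "none"

if __name__ == "__main__":
    # Constructed record for the article's example domain.
    record = "v=DMARC1; p=reject; adkim=s; aspf=r"
    spoof = AuthResult(spf_pass=True, spf_domain="attacker.example", dkim_pass=False, dkim_domain="")
    print(evaluate_dmarc("banktrust.com", record, spoof))   # reject
```

A message whose SPF or DKIM result aligns with the From domain passes; anything else gets the p= disposition, and p=none means the receiver only reports rather than blocks.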
Lookalike domains
Lookalike domains are domains registered by attackers that appear legitimate but are slightly altered, often using similar-looking letters or numbers so that the difference is hard to notice. For example, a scammer attempting to impersonate banktrust.com may register banktust.com (note the missing “r”) and use it to send password reset emails.
This technique can also be used to support fake websites. In this example, an attacker may send emails from the fraudulent domain that direct users to a cloned version of the real banktrust.com site. The attacker monitors the site and captures any credentials entered by victims.
Some domain spoofing attacks are highly sophisticated and may use techniques such as cross-site scripting (XSS), making it even harder to identify malicious URLs and web pages.
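One way a mail gateway or analyst script can catch lookalike senders such as banktust.com, as an added example that is not code from the original article: it folds common character substitutions, measures edit distance against a list of protected domains, and also catches the brand name embedded in a longer domain. The confusable table and the distance threshold are my own choices.

```python
# Added example, not code from the original article: flag a sender domain that
# resembles a protected domain. The confusable table and the distance
# threshold are my own choices; tune them for your organisation.
from typing import List, Optional, Tuple

CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "rn": "m", "vv": "w"}

def normalize(label: str) -> str:
    """Fold characters commonly swapped for look-alikes (banktru5t -> banktrust)."""
    label = label.lower()
    for bad, good in CONFUSABLES.items():
        label = label.replace(bad, good)
    return label

def levenshtein(a: str, b: str) -> int:
    """Edit distance, so banktust vs banktrust scores 1 (one missing letter)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registered_name(domain: str) -> str:
    """'mail.banktrust.com' -> 'banktrust' (second-level label; assumes
    .com-style TLDs, not co.uk)."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) > 1 else labels[0]

def classify_sender(sender_domain: str, protected: List[str]) -> Tuple[str, Optional[str]]:
    """Return ('trusted' | 'lookalike' | 'unrelated', protected domain matched)."""
    sender_domain = sender_domain.lower()
    sender = registered_name(sender_domain)
    for good in protected:
        good = good.lower()
        if sender_domain == good or sender_domain.endswith("." + good):
            return "trusted", good                     # the real domain or a subdomain
        target = registered_name(good)
        if sender == target:
            return "lookalike", good                   # same name, different TLD
        norm_s, norm_t = normalize(sender), normalize(target)
        if levenshtein(norm_s, norm_t) <= 1 or target in norm_s:
            return "lookalike", good                   # typo, confusable, or brand embedded
    return "unrelated", None

if __name__ == "__main__":
    for d in ("banktrust.com", "banktust.com", "banktru5t.com", "banktrust-login.com", "example.org"):
        print(d, classify_sender(d, ["banktrust.com"]))
```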
Spear phishing
While most email scams use thousands of messages to find a few victims, spear phishing takes the opposite approach. By extensively researching a target company, attackers customize a spear phishing campaign around how that organization operates in an attempt to seem as legitimate as possible.
This could include registering a similar-looking domain and using stolen email signatures, company logos, and even the names of individuals known within the company. Stolen information is often leveraged to craft messages that appear real and urgent. Sometimes attackers go as far as learning the company structure and exploiting the hierarchy to create false urgency in the phishing email.
Spear phishing can impersonate either internal staff members or known and trusted vendors the organization has a relationship with. Since spear phishing doesn’t rely on a single tactic to succeed, it can be tough for an untrained eye to spot a problem. Implementing a cloud-based phishing defense system can help automatically detect and stop these types of attacks.
Whaling
Whaling is an even more targeted version of spear phishing, in which attackers impersonate senior representatives within a company. They use their knowledge of the company hierarchy to pressure other staff into sending funds, resetting passwords, or clicking on links without hesitation.
With whaling, there is usually a sense of urgency or pressure that appears to come from a senior staff member within the company. The victim, who is usually an ordinary employee, feels pressured into completing the task quickly.
This is sometimes also referred to as CEO fraud, as whaling usually aims to impersonate C-level executives within an organization in order to gain access to the most valuable information the company holds.
Whaling techniques have evolved over the years and may ask the victim to perform a number of tasks, such as resetting their login passwords, buying gift cards, or forwarding sensitive information such as tax forms or other company documents.
Attackers can impersonate staff relatively easily by searching on the target company website for information and guessing the formatting of the email account they wish to impersonate. Stolen company logos, signatures, and phone numbers are also used to make these emails appear more legitimate.
Consumer Phishing
Consumer phishing impersonates well-known brands and targets consumers by prompting them to update their account information or resolve an issue. These messages may lead victims to click on malicious links that steal their credentials or call fraudulent hotlines where scammers request personal information, including credit card details.
Like other forms of phishing, this attack relies on impersonation but specifically targets trusted and recognizable companies. By posing as familiar brands, attackers increase the likelihood that recipients will lower their guard and engage with the message.
How to Identify Phishing Emails
No matter what type of email you may encounter, there are a few ways you can identify whether that email is legitimate or not.
Carefully check the sending domain
This is often the most important step in identifying a scam email. Many times, recipients will glance at the From field and skim through the rest of the email. Attackers can format emails to look identical to internal emails, using signatures, logos, and fonts copied from real messages.
When DMARC email authentication is in place to block domain spoofing, attackers will leverage lookalike domains to confuse victims. If an email doesn’t seem right, spend an extra minute or so verifying that the email address in the From field is actually who you think it is. If you’re still not sure, consider contacting your IT department, or contacting the sender by phone using a number that you already have on file rather than one listed in the email.
Preview links before clicking
Even if an email appears to be legitimate, it’s best practice to preview a link before clicking on it. This can be done in almost all email clients by hovering your mouse over a link for a few seconds without clicking. If the link appears to lead to a strange domain, or to something that looks like gibberish, it’s best to be cautious and not click the link.
Even with the link preview technique, the destination page can redirect you elsewhere. For example, the email link could go to Dropbox, which is a real service. But within that Dropbox link is a document that contains another link, which redirects you to somewhere else that attempts to install malware or steal your information.
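The hover check described above, automated as an added example that is not code from the original article: it lists every link in an HTML email body, resolves where each really goes, and reports when the visible text names one domain while the href points at another, or when the destination is outside the domain the message claims to come from. The sample message body is constructed.

```python
# Added example, not code from the original article: list the links in an HTML
# email body and flag the mismatches a reader would see by hovering.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

URLISH = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#]\S*)?$", re.I)

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url: str) -> str:
    """Hostname of a URL, or of text that looks like one without a scheme."""
    url = url.strip()
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def same_site(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)

def review_links(html_body: str, expected_domain: str) -> list:
    """One finding per link: the real host plus the reasons it deserves caution."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        real = host_of(href)
        shown = host_of(text) if URLISH.match(text) else ""   # only if text looks like a URL
        reasons = []
        if shown and not same_site(real, shown):
            reasons.append("text shows %s but link goes to %s" % (shown, real))
        if not same_site(real, expected_domain):
            reasons.append("destination is outside %s" % expected_domain)
        findings.append({"href": href, "text": text, "host": real, "reasons": reasons})
    return findings

SAMPLE = ('<p>Reset at <a href="https://banktust.com/reset">https://banktrust.com/reset</a> or '  # constructed
          'open <a href="https://www.dropbox.com/s/x/invoice">the invoice</a></p>')
```

Calling review_links(SAMPLE, "banktrust.com") yields two findings: the first link's text names banktrust.com while its href goes to banktust.com, and the second leads to a file-sharing site the message never mentions, which is the redirect pattern the paragraph above describes.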
Does the email suddenly feel urgent?
Urgency and scare tactics are used in most phishing attempts in order to scare victims into acting quickly without thinking their actions through. Before taking action, review the sender’s address to verify that it is real. Official services such as Chase will come from chase.com or jpmorgan.com. If you think the email is real but still aren’t 100% sure, consider calling the service or person from a number you already know, or one found outside of the email in question.
Be on the lookout for misspellings
In the case of mass phishing campaigns, emails are usually poorly spelled or contain other punctuation errors. Many of these massive scam operations are run from non-English-speaking countries, which forces them to rely on translation tools that don’t always work as intended.
Keep a lookout for low-resolution branding images
When images are stolen for use in email signatures, they are usually low-resolution screenshots that are simply re-pasted into the email. While this doesn’t always mean an email is a phish, it should raise a red flag and prompt you to investigate the email further.
You cannot rely on a single tool to prevent email-based attacks. Instead, organizations need a comprehensive phishing defense and response strategy. Because these attacks are constantly evolving, it is important to ensure that email systems are properly configured and that staff are regularly trained on the latest threats and company policies.
Multi-factor authentication (MFA) can be combined with threat detection controls to help prevent unauthorized access. It works by requiring both something a user knows (such as a password) and something they have (such as a mobile device). Even if credentials are compromised, an attacker would still need access to the user’s device to log in.
A Turnkey Solution
Fortra Cloud Email Protection is a turnkey solution designed to combat phishing attacks through automated response, remediation, and containment. The platform uses both signature-based detection and behavioral analysis to identify and stop malicious files and threat actors.
To learn how to protect your business from email-based attacks, explore how Fortra Cloud Email Protection works in action.