How to Spot a Potential Phish

In this blog post we wanted to talk about the first indicator to 99% of the attacks we detect and handle within our customers’ environments: phishing!

What is ‘phishing’?

Glad you asked. Phishing is an attack method which an attacker attempts to trick the users into giving-up their sensitive personal identifiable information (PII), such as email credentials, passwords, credit card number, and/or home address. While phishing is the most common form of social engineering, other areas that this is becoming more common includes text-messaging & SMS (smishing), and the newest form through social media ads and posts.

Below is a recreation of a real phishing email that was sent to one of our employees.

In the example above, it’s not difficult to see this did not originate from our Co-Founder and CTO Dave Kennedy, but rather an amateur attacker attempting to pull a quick-one. The first indication is the actual email address. If this was work-related, the email address would contain a specific email address associated with Binary Defense, not a generic email address like this example thisisnotdavidkennedy@gmail.com. Note that anyone can create a Gmail account. Other identifiers to be aware of include the following:

• Notice the strong sense of urgency. This is typically used to prey upon the human desire to be helpful; especially when impersonating someone’s employer, a senior executive, or immediate supervisor.
• The lack of a company logo from the email signature.
• Problematic grammar and spelling are also clear indicators.

This attempt was humorous, and we didn’t redact any information.

Let’s imagine that our user is following along with the attacker and provides their phone number. They would most likely be sent a text message containing a malicious link to a fake O365 login page. This is an example of smishing this is when an attacker pretends to be a legitimate entity and sends an informative text that contains links to a malicious website.

If they have successfully obtained the user’s credentials and unfortunately, if your company hasn’t instituted any type of MFA (multi-factor authentication) for accessing their O365 services. Multi-factor authentication is having two or more authentication that prove your credentials such as passwords, biometrics, secure tokens and PIN number. Without having the MFA, the attacker can now potentially impersonate the user and cause additional havoc throughout the environment to include but not be limited to:

• Financial fraud
• Spreading malware to other unsuspecting users throughout the organization
• Using that malware to inject any one of the numerous variants of ransomware out in the wild into the environment

Why is all this important to you?

 Cybersecurity is a team effort, which means everyone must play the game. One uninformed or careless person could bring-down an entire organization.

Do your part, if you receive anything suspicious, the first thing you should do is inform your local information security team and strictly adhere to your organization’s policy regarding the handling of spam or phishing emails.

Some tips you can use to protect yourself:

• Make sure you check the sources of emails that come to you with attachments or links in the body of the message.
• If you’re unsure that the email is legitimate you can contact the person who sent it to you through authentic means like a phone call or a text message to that person – don’t reply to the email you received that seems suspicious.
• You can also hover over the actual email address and the link attachment on a desktop computer, without clicking it, to see how it is being readdressed.
• If you want to take it a step further, you can copy and paste the link (make sure you don't accidentally open the link) to a website like VirusTotal.com which analyzes the potentially suspicious activity and help check the legitimacy of the website or IP address.

As always … Defend. Protect. Secure.