Despite being one of the oldest scams on the internet, phishing continues to be a significant problem for both individuals and organizations. In fact, numbers seem to be on the rise, as Anti-Phishing Working Group reports that the number of unique phishing sites detected in the second quarter of 2016 was an all-time high.
2016 saw a number of notable phishing attacks, including a series of phishing emails—estimated to have been sent to as many as 100 million users—that led users to a page that served the ransomware Locky. Cyber criminals have also been seen impersonating popular services such as Netflix, whose users were found to have been the target of phishing attacks designed to steal passwords and other credentials.
Given the prevalence of phishing attacks, it is important to be aware of what an actual phishing attempt looks like. While cyber criminals will often try to make their attacks look as legitimate as possible, there are indicators that can be used to identify the authenticity of a message. Here are some examples of actual phishing attempts targeting users of some of the world’s most well-known brands to illustrate what to look out for.
LinkedIn is used by people as a way to network and keep in touch with other professionals, making it a prime focus for cyber criminals who are looking to steal personal information from the millions of employees who use the social media website.
Figure 1: Comparison of a legitimate LinkedIn confirmation email with a phishing email
Before even getting into the actual content of the message, users should first consider why they received a confirmation email in the first place. Most companies will only send confirmation emails for new registrants or customers who change something in their settings. Unsolicited ones should be deemed as highly suspect.
The example shown here is a comparison of an actual LinkedIn confirmation email with a phishing attempt that tries to mimic the legitimate one. The sender did a good job of copying the logo and text of the real email. However, the two primary indicators that this is a phishing attempt is the identity of the sender - the LinkedIn email contains the website’s domain, whereas the phishing email uses a different domain. The other red flag is the destination of the embedded link. The legitimate email leads to a LinkedIn page, while the phishing email leads to a “phishy” website. Users should take note that they do not need to click on a link to check where it leads since hovering their mouse cursor above the URL will also show the link destination.
PayPal is the most popular online payment service in the world, with millions of dollars’ worth of payments being processed on a daily basis. It is also tied to credit card and bank account credentials, which makes it a lucrative target for cyber criminals.
Figure 2: Comparison of a PayPal update message with its phishing counterpart
Cyber criminals will often resort to using an alarmist tone in order to pressure potential victims into clicking links or downloading files. Comparing the legitimate email with the fake one, the former contains a straightforward message that mentions changes to the policy updates while the latter tries to frighten PayPal customers into giving out their private information by threatening to restrict their accounts. The real PayPal email also greets customers with their given name and surname while the phishing email only contains a member number, which is suspicious given that PayPal uses emails for unique IDs.
In addition, a quick glance at the phishing email shows images that have failed to load properly. As a precautionary measure, some email clients either block images by default or flag HTML-based emails from unknown sources as spam. Many companies use Multi-part MIME (Multipurpose Internet Mail Extensions) as a way to bundle both the HTML and plan-text versions of an email. Cyber criminals usually do not bother with this step, so users should be wary of emails and messages that do not load or are not formatted properly.
Apple has earned a reputation as one of the most trusted names in the consumer electronics industry due to its perception as an intrinsically reliable and secure brand. However, the ubiquity of its products and services has made its users frequent victims of phishing attacks.
Figure 3: Comparison of an Apple ID warning with a phishing attempt
In this phishing attempt, the most notable red flag is the nonsensical email subject. The real Apple warning email has a concise subject line that states exactly what the email is about while the phishing email’s subject line is vague and contains gibberish. Another difference is the greeting. Instead of a personal greeting that mentions a name or an account email, the phishing message does not even contain any reference to the recipient. Also noticeable is the misleading domain name that tricks the Apple customer by using a domain that contains the words “support”. However, it lacks the apple.com domain that the company uses on their emails. Most organizations, especially large ones, have consistent branding across all their URLs and email addresses, so an email that uses a different domain name from the official one is likely to be a phishing attempt.
Figure 4: A fake Apple ID warning email
This message, purportedly from Apple, was sent to a Trend Micro employee via his work email. At first glance, there seems to be nothing wrong with the warning. However, two signs give away this message as a phishing attempt. First, the employee’s Apple ID is not connected to his work email, which makes it highly improbable for Apple to send the email to this address. Second, it mentions an older iPhone model. Cyber criminals will often recycle their social engineering tactics over the years, resulting in phishing attacks that reference outdated technology. The lesson here is to take not just the content of the message, but also its context into account.
Here are some recommendations to help protect users from falling victim to phishing scams.
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.