How to avoid phishing emails
Phishing attacks aim to deceive individuals into divulging sensitive information like login credentials, credit card numbers, or personal data. With technological advancements, scammers continually refine their tools and techniques for such attacks.
- Email phishing is a form of cyber attack that aims to deceive individuals or organizations by masquerading as a trustworthy entity.
- Phishers send fraudulent emails that appear to be from reputable sources, such as banks, online services, or government agencies.
- These emails often contain alarming or enticing messages to prompt recipients to take immediate action.
- Phishers typically use social engineering techniques to manipulate recipients into clicking on malicious links or opening malicious attachments.
- The goal of email phishing is to trick recipients into revealing sensitive information, such as login credentials, financial details, or personal data.
- Phishing emails may employ various tactics to appear legitimate, such as using official logos, professional language, or personalization.
- Attackers often create a sense of urgency or fear to increase the likelihood of recipients falling for the scam.
- Phishing attacks can have severe consequences, including identity theft, financial loss, or unauthorized access to sensitive accounts.
- To protect against email phishing, it's essential to be cautious when interacting with unsolicited emails, verify the authenticity of email senders, avoid clicking on suspicious links or downloading attachments, and regularly update security software.
Email Phishing Cues
Errors:
- Spelling and grammar irregularities: Does the message contain inaccurate spelling or grammar, including mismatched plurality?
- Inconsistency: Are there inconsistencies contained in the email message?
Technical indicators:
- Attachment type: Is there a potentially dangerous attachment?
- Sender display name and email address: Does a display name hide the real sender or reply-to email addresses?
- URL hyperlinking: Is there text that hides the true URL behind the text?
- Domain spoofing: Is a domain name used in addresses or links plausibly similar to a legitimate entity's domain?
Visual presentation indicators:
- No/minimal branding and logos: Are appropriately branded labeling, symbols, or insignias missing?
- Logo imitation or out-of-date branding/logos: Do any branding elements appear to be an imitation or out-of-date?
- Unprofessional-looking design or formatting: Does the design and formatting violate any conventional professional practices? Do the design elements appear to be unprofessionally generated?
- Security indicators and icons: Are there markers, images, or logos present that imply the email is secure?
Language and content:
- Legal language/copyright info/disclaimers: Does the message contain any legal-type language such as copyright information, disclaimers, or tax information?
- Distracting detail: Does the email contain details that are superfluous or unrelated to the email’s main premise?
- Requests for sensitive information: Does the message contain a request for any sensitive information, including personally identifying information or credentials?
- Sense of urgency: Does the message contain time pressure to get users to quickly comply with the request, including implied pressure?
- Threatening language: Does the message contain a threat, including an implied threat, such as legal ramifications for inaction?
- Generic greeting: Does the message lack a greeting or lack personalization in the message?
- Lack of signer details: Does the message lack details about the sender, such as contact information?
Common tactics:
- Humanitarian appeals: Does the message appeal to help others in need?
- Too good to be true offers: Does the message offer anything that is too good to be true, such as having won a contest, lottery, free vacation, and so on?
- You’re special: Does the email offer anything just for you, such as a Valentine's ecard from a secret admirer?
- Limited time offer: Does the email offer anything that won't last long or for a finite length of time?
- Mimics a work or business process: Does the message appear to be a work or business-related process, such as a new voicemail, package delivery, order confirmation, or notice of invoice?
- Poses as friend, colleague, supervisor, or authority figure: Does the message appear to be from a friend, colleague, boss or other authority entity?
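The checklist above can be run mechanically against a message before anyone clicks. The following is an added example (not code from the original article): a Python script that uses only the standard library to parse a constructed sample message and report the technical, content and tactic cues it finds. The sample message, the keyword lists, the extension list and the "last two labels" domain approximation are all assumptions made for illustration; a production filter would use a proper public-suffix list and its own tuned keyword sets.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser

# Constructed sample message for this example; every address, domain and
# file name in it is an invented placeholder, not a real phishing sample.
SAMPLE_EMAIL = """\
From: "Example Bank Security" <alerts@mail-examplebank-secure.com>
Reply-To: recover@example.net
To: customer@example.org
Subject: URGENT: Your account will be suspended within 24 hours
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<html><body><p>Dear Customer,</p>
<p>Suspicious activity was detected. Verify your password now or your account will be closed.</p>
<p><a href="http://login.examplebank.verify-account.example">https://www.examplebank.com/login</a></p>
</body></html>
--b1
Content-Type: application/octet-stream; name="statement.pdf.exe"
Content-Disposition: attachment; filename="statement.pdf.exe"

AAAA
--b1--
"""

# Assumed keyword lists and extension set; tune these for your own environment.
DANGEROUS_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta", ".iso", ".lnk")
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "suspended", "act now")
CREDENTIAL_WORDS = ("password", "verify your", "login", "credential", "social security")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear member", "valued customer")


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def url_host(url):
    """Host part of an absolute URL, or '' when the text is not a URL."""
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/?#]+)", url.strip(), re.I)
    return m.group(1).lower() if m else ""


def registered_domain(host):
    """Crude 'last two labels' approximation of the registrable domain."""
    return ".".join(host.lower().split(".")[-2:])


def score_phishing_cues(raw):
    """Return a list of (cue, detail) findings for one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    # Sender cues: a display name that looks like an address, and a Reply-To that goes elsewhere.
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if "@" in reply_to and reply_to.rsplit("@", 1)[-1].lower() != from_domain:
        findings.append(("reply-to mismatch", f"From {from_addr} but Reply-To {reply_to}"))
    if "@" in display_name:
        findings.append(("display name hides sender", display_name))

    # URL hyperlinking cue: visible link text that names a different site than the href.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    if body and body.get_content_type() == "text/html":
        parser = LinkExtractor()
        parser.feed(text)
        for visible, href in parser.links:
            shown, actual = url_host(visible), url_host(href)
            if shown and actual and registered_domain(shown) != registered_domain(actual):
                findings.append(("link text hides real URL", f"shows {shown}, goes to {actual}"))

    # Attachment type cue.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(DANGEROUS_EXTENSIONS):
            findings.append(("dangerous attachment", name))

    # Language and content cues, matched on the subject plus the tag-stripped body text.
    haystack = msg.get("Subject", "").lower() + " " + re.sub(r"<[^>]+>", " ", text).lower()
    if any(w in haystack for w in URGENCY_WORDS):
        findings.append(("sense of urgency", msg.get("Subject", "")))
    if any(w in haystack for w in CREDENTIAL_WORDS):
        findings.append(("requests credentials", "credential-related wording"))
    if any(g in haystack for g in GENERIC_GREETINGS):
        findings.append(("generic greeting", "no personalization"))
    return findings


if __name__ == "__main__":
    for cue, detail in score_phishing_cues(SAMPLE_EMAIL):
        print(f"[{cue}] {detail}")
```

Running the script prints one line per cue found in the sample. The findings are meant to feed a human decision (report the message, contact the purported sender out of band), not to block mail automatically: a legitimate fraud alert can also be urgent and mention passwords, so the value lies in several cues stacking up, as they do here.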
AI-Powered Phishing Scams
The advent of artificial intelligence (AI) has provided scammers with new avenues to execute highly effective and targeted phishing scams. Nonetheless, AI can also be leveraged to enhance phishing detection and prevention methods.
How AI improves phishing accuracy:
- Advanced Language Generation: AI-powered phishing emails can utilize sophisticated natural language generation techniques, making the content appear more authentic and convincing.
- Personalization and Contextual Information: AI can analyze vast amounts of data to create personalized phishing emails that include specific details about the recipient, such as their name, job title, or recent online activities, making the email seem more legitimate.
- Improved Email Formatting: AI algorithms can optimize the formatting of phishing emails, ensuring they closely resemble genuine emails from reputable organizations in terms of layout, design, and branding.
- Emotion and Urgency Manipulation: AI-generated phishing emails can be designed to evoke strong emotions or create a sense of urgency, exploiting human psychology to prompt swift and impulsive responses.
- Enhanced Social Engineering Techniques: AI allows fraudsters to refine social engineering tactics by analyzing behavioral patterns, interests, and online profiles of potential targets, leading to more targeted and effective phishing attempts.
- Spear Phishing Accuracy: AI-driven spear phishing attacks can accurately imitate communication styles and patterns of specific individuals or organizations, making it extremely challenging to differentiate between legitimate and fraudulent emails.
- Real-Time Adaptability: AI-powered phishing attacks can dynamically adapt based on user responses or changes in the cybersecurity landscape, making them more resilient and difficult to detect.
- Content Plagiarism and Duplication: AI can scrape content from legitimate sources, enabling fraudsters to replicate authentic email content, including logos, signatures, and disclaimers, further increasing the credibility of phishing emails.
- Evasion of Spam Filters: AI techniques can be employed to bypass email filters and spam detection mechanisms, increasing the likelihood of phishing emails reaching the intended targets' inboxes.
- Evolving Threats: AI-powered phishing attacks continuously learn and evolve, leveraging machine learning algorithms to analyze successful and unsuccessful attempts, thereby refining tactics and staying one step ahead of traditional detection methods.
Data sources that AI can leverage to gather information for various purposes:
- Social Media Platforms: AI algorithms can analyze public posts, profiles, and interactions on platforms like Facebook, Twitter, LinkedIn, and Instagram.
- News Websites and Blogs: AI can scrape news articles and blog posts to gather information about recent events, industry updates, or trends.
- Company Websites and Press Releases: AI can extract data from corporate websites and press releases to obtain information about company announcements, product launches, or partnerships.
- Publicly Available Databases: AI can access publicly available databases, such as government records, public directories, or open data portals, to gather relevant information.
- Research Publications and Academic Journals: AI can process research papers and academic articles to extract knowledge and insights from scientific publications.
- Public Forums and Discussion Boards: AI can analyze discussions on platforms like Reddit, Quora, or Stack Exchange to understand popular opinions, questions, or concerns.
- Publicly Shared Presentations or Slide Decks: AI can parse presentation slides shared publicly on platforms like SlideShare or online forums.
- Open-Source Code Repositories: AI can access code repositories like GitHub or GitLab to gather information about software development projects and technologies.
- Publicly Available Government Reports and Documents: AI can process government reports, white papers, or policy documents to extract relevant information.
- Publicly Accessible Websites and Web Pages: AI can analyze content from websites and web pages that are openly accessible to gather information on various topics.
Here are some techniques that AI can use to refine social engineering tactics:
- Data Analysis: AI algorithms can analyze vast amounts of personal and behavioral data from various sources, including social media profiles, public records, and online activities. This analysis helps fraudsters understand their targets better and tailor their social engineering techniques accordingly.
- Natural Language Processing (NLP): AI-powered NLP algorithms can analyze the communication patterns and language used by individuals and organizations. This allows fraudsters to mimic the writing style, tone, and vocabulary of the target, making the phishing emails more convincing and difficult to distinguish from genuine communication.
- Personalization: AI can leverage the data collected on individuals to personalize phishing emails. This includes using the recipient's name, job title, company information, or referencing recent interactions or events specific to the target. Personalization enhances the credibility of the phishing attempt and increases the chances of a successful response.
- Contextual Information: AI algorithms can gather contextual information about the target's industry, organization, or role. This knowledge allows fraudsters to craft phishing emails that appear relevant, timely, and aligned with the target's professional responsibilities or interests.
- Behavioral Analysis: AI can analyze the behavioral patterns of individuals, including their online activities, browsing history, and social connections. By understanding the target's behavior, fraudsters can design phishing emails that align with their preferences and interests, increasing the chances of engagement.
- Social Network Analysis: AI can analyze social connections, both within and outside the target's professional network. This analysis helps fraudsters identify relationships, influencers, and trusted contacts that can be exploited in the phishing attempt, making the email appear more trustworthy and legitimate.
- Psychological Manipulation: AI-powered algorithms can leverage psychological principles to manipulate emotions and decision-making processes. By analyzing psychological profiles and behavioral data, fraudsters can craft phishing emails that evoke fear, curiosity, urgency, or excitement, leading to impulsive responses from the targets.
Examples of personalized phishing email use cases based on advancements in AI:
AI-Generated Social Media Notification:
- Subject: "Important Account Update: [Recipient's Username], Verify Your Social Media Profile"
- Sender: "[Recipient's Social Media Platform] Team <notification@socialmedia.com>"
- Content: The email utilizes AI-generated content that addresses the recipient by their social media username. It claims that there is a security update and requests immediate verification of their profile by clicking on a link. The link leads to a malicious website aiming to capture login credentials or personal information.
AI-Personalized Business Partnership Opportunity:
- Subject: "Exclusive Partnership Proposal: [Recipient's Company Name]"
- Sender: "[Sender's Fake Company] Business Development <partnerships@sendercompany.com>"
- Content: The email employs AI-generated content tailored to the recipient's company, addressing them by name and referencing their industry. It offers an enticing partnership opportunity and encourages the recipient to click on a link for more details. The link leads to a malicious website designed to extract sensitive business information.
AI-Simulated Internal Employee Survey:
- Subject: "Confidential Employee Survey: [Recipient's Name], Your Feedback Matters"
- Sender: "[Recipient's Company] HR Department <hr@companyname.com>"
- Content: The email leverages AI to simulate an internal employee survey, addressing the recipient by name and imitating the company's HR department. It requests the recipient's participation by clicking on a link to access the survey. However, the link directs them to a fraudulent website capturing employee login credentials or other sensitive data.
AI-Driven Travel Reservation Update:
- Subject: "Last-Minute Travel Change: [Recipient's Name], Please Confirm Your Reservation"
- Sender: "Travel Booking Service <noreply@travelagency.com>"
- Content: The email incorporates AI-generated content to address the recipient by name and references their upcoming travel reservation. It claims there have been last-minute changes and requests confirmation by clicking on a provided link. Unfortunately, the link leads to a malicious website aiming to steal personal and financial information.
AI-Enhanced Financial Account Security Alert:
- Subject: "Critical Account Security Alert: [Recipient's Name], Immediate Action Required"
- Sender: "[Recipient's Bank] Security Department <security@recipientbank.com>"
- Content: The email utilizes AI-generated content, addressing the recipient by name and mimicking the bank's security department. It alleges suspicious activity on their account and urges them to take immediate action by clicking on a link. However, the link directs them to a fraudulent website designed to capture their banking credentials or other sensitive information.
AI-Generated Healthcare Reminder:
- Subject: "Important Health Reminder: [Recipient's Name], Schedule Your Annual Check-up"
- Sender: "Medical Care Provider <reminders@healthcare.com>"
- Content: The email utilizes AI-generated content to address the recipient by name and appears to come from their trusted healthcare provider. It emphasizes the importance of scheduling their annual check-up and prompts them to click on a link to book an appointment. However, the link directs them to a malicious website collecting personal health information or attempting to sell counterfeit healthcare products.
AI-Simulated Charity Donation Appeal:
- Subject: "Support a Worthy Cause: [Recipient's Name], Make a Difference Today"
- Sender: "Nonprofit Organization <donations@charity.org>"
- Content: The email employs AI-generated content tailored to the recipient's interests and past charitable activities. It appeals to their philanthropic nature and requests a donation to a simulated charitable cause. The email includes a link that leads to a fraudulent website designed to capture financial information or steal identities.
AI-Crafted Job Opportunity Alert:
- Subject: "Exclusive Job Opening: [Recipient's Industry] Seeks Experienced Professionals"
- Sender: "Recruitment Agency <jobs@recruitmentagency.com>"
- Content: The email leverages AI-generated content to address the recipient by name and mentions their industry or profession. It offers an enticing job opportunity and encourages them to click on a link to submit their resume. However, the link leads to a malicious website aimed at collecting personal information or distributing malware.
Safety Tips:
- Use a different password everywhere. It is NOT okay to reuse a password across social networking sites just because you use a different one for home banking-type sites. Using a different password for home banking-type sites is correct, but social networking sites may not have the security of your online financial institution, and reusing a password on them is like trusting the weakest link in a chain to carry the same weight. Every site has vulnerabilities; plan for them to be exploited.
- If you receive offers of pre-approved credit, shred them before putting them in the trash. First, purchase a cross-cut shredder and shred all your pre-approved credit card offers. Next, remove your name and opt out of receiving these offers by visiting the website: https://www.optoutprescreen.com
- Understand how your financial institution communicates with you. If you receive an e-mail bearing your bank's name and e-mail address, explaining that, for security reasons, you must click on a particular Internet link and log in to your account to update your settings, delete the email without taking any action, call or otherwise contact your bank or credit union to check its credibility, and report it to your bank as SPAM. Financial institutions DO NOT ask for personal or account information via email.
- Always be skeptical of attachments. If you receive a message to view a file or video on a social networking site from someone within your network (a trusted source), it is still NOT safe to open the attachment. Criminals are avid fans of social networking sites. They hijack user accounts to send phishing invites to an account holder’s entire contact list, post poisoned links to a variety of malicious sites, and send credible emails with malicious links - abusing the trust that friends normally share. Some creative criminals have tailored messages to appear to come from the social networking site itself, designed so that users will divulge their login credentials or download a Trojan.
- Technology-based security measures such as firewalls, encryption, anti-virus, spam filters, and strong authentication will NOT prevent social engineering fraud. No matter how much security technology you implement, you can never get rid of the weakest link - the human factor. A social engineer is someone who uses deception, persuasion, and influence to get information that would otherwise be unavailable.
- If you receive an email from a friend or trusted source, it is NOT always safe to click on a link or attachment within that email. Your friend's or trusted source's email account could have been compromised, and the message sent to you by a criminal intent on getting information or on having you click a link or open an attachment.
- It is NOT always safe to click a link just because it appears on a popular search site like Yahoo, Google or Bing. Search engine poisoning makes up 40% of malware delivery on the Web. In this practice, malware and spam attackers inundate search results with links to bait pages that take users to malicious websites, which then download malware onto the computer. People want to be able to trust that what they search for in Google, Bing or Yahoo is safe to click on.
- Access web sites through your web browser. Typing the address of a web site directly into your Web browser will ensure that you are going to the legitimate Web site and not a phishing site that was designed to mimic the look of the real thing. Unless the site was hijacked or your computer has a virus, typing the web address yourself is the best way to guarantee the authenticity of a web site.
- Tech support scams are very popular. If you receive an e-mail from a "Microsoft support person" saying that your computer is infected by a virus and suggesting that you install a tool from their Internet site to remove it, you should NOT click on the link, even though the email looks official and shows the legitimate support@microsoft.com email address. Email spoofing is e-mail activity in which the sender's address and other parts of the e-mail header are altered to appear as though the e-mail originated from a different source.
- Be skeptical when big news events are happening. Suppose you hear on the news that your insurance company has recently been breached, and soon after you receive an email from your insurance company that explains the breach and provides the necessary steps for you to take, including clicking on a link to update your personal information and change your username and password. You should NOT follow those instructions. Now that the criminals have information about you, they may try to trick you into giving up more information through fraudulent emails. Be suspicious of urgent emails requesting information and never open attachments you aren't expecting, even if they're from someone you know.
- If you are unsure whether a link in your email is safe, do NOT copy and paste it into the address bar of your web browser. You could still end up at the malicious site and potentially load malware onto your computer or network.
- If you are unsure about a link in your email, it is NOT safe to forward the link to have it tested by someone else. By forwarding an email, all you've done is forward a potentially dangerous and malicious email that could infect someone else's computer or network.
- Criminals could strike very quickly. For example, within hours of a hurricane, you receive an email from the Red Cross asking for a donation to help the victims. This email is most likely a high-profile phishing scam that receives media attention and is at the forefront of people's minds. These scams are effective because they rely on your emotions and compassion.
- Be aware of website extensions. For example, out of these six web addresses, "whitehouse.com" is phony because any official U.S. government website will end in .gov and not .com.
- https://www.usa.gov
- https://cio.gov
- http://www.ssa.gov
- https://www.ssa.gov
- http://www.fdic.gov
- https://www.whitehouse.com
Brand-Phishing
A brand-phishing email is designed to impersonate the official websites of prominent brands – such as those within the technology, banking, shipping, and retail industries. The purpose is to trick consumers into revealing sensitive personal account information. The email contains a link (or embedded code) that redirects to a fake website (scam page) asking consumers to log in to verify information. Links to these scam pages are sent through emails, text messages, or via web and mobile applications and may spoof the identity or online address to resemble the genuine site. The scam pages may then use login forms or malware to steal users’ credentials, payment details, or other personally identifiable information (PII).
- Be suspicious of unsolicited contact via email or social media from any individual you do not know personally and/or containing messages enticing you to open a link or attached file.
- When receiving account alerts, rather than clicking a link within an email or text, navigate to the website by typing its known, secure URL yourself to review any logs, messages, or notices.
- Closely verify the spelling of web addresses, websites, and email addresses that look trustworthy but may be imitations of legitimate websites, including the username and/or domain names/addresses (e.g., a capital “I” in place of a lowercase “L”).
- Use strong unique passwords, and do not re-use the same password across multiple accounts.
- Do not store important documents or information in your email account (e.g., digital currency private keys, documents with your social security number, or photocopies of a driver’s license).
- Enable two-factor (2FA) or multi-factor authentication (MFA) options to help secure online accounts, such as a phone number, software-based authenticator programs/apps, a USB security key, or a separate email account (with a unique password that does not link to other consumer accounts) in order to receive authentication codes for account logins, password resets, or updates to sensitive account information.
- When possible, do not use your primary email address for logins on websites. Create a unique username not associated with your primary email address.
Social Media
- Be wary of social network invites. If you receive a message from a friend on Facebook inviting you to join a new social network, you should suspect that the message is fraudulent and contact your friend to verify. Don't trust that a message is really from who it says it's from. Hackers can break into accounts and send messages that look like they're from your friends, but aren't.
- Do not allow access to your contacts. If you join a new social network and receive an offer to enter your email address and password to find out if your contacts are on the network, you should decline the offer and DO NOT allow the social network site access to your email address book. To avoid giving away email addresses of your friends, do not allow social networking services to scan your email address book. The site might use this information to send email messages to everyone in your contact list or even everyone you've ever sent an email message to with that email address. Social networking sites should explain that they're going to do this, but some do not.
- Social media sites can carry infected links. For example, you receive an Instagram picture from a friend. It's a great picture, so you decide to share it by clicking the Facebook "like" button underneath the image. This can be dangerous even if the picture came from a trusted source, the button is a real Facebook button and you are not knowingly downloading anything. If you can see the picture, you could already have downloaded malware. If the Facebook "like" link was fake, you also could have inadvertently downloaded malware. Malicious software (malware) can be disguised as a Facebook "Like" button, picture or audio clip. When you click a link or open an attachment, malware installs on your device. Unlike early PC malware, it doesn't ask your permission, and your device is figuratively in the hands of a criminal.
- DO NOT accept a social media connection request from a stranger just because the person looks honest and knows other people you know. Be selective about who you accept as a friend on a social network. Identity thieves might create fake profiles in order to get information from you. That lack of caution can be extremely costly. Most networking sites contain personal information. When you friend someone, you give them access to that information and that can be used by fraudsters.
- Deleting pictures or videos from your social networking sites will NOT permanently remove them from the Internet. You need to contact the support department at the social networking site to make sure they are removed. Assume that everything you put on a social networking site is permanent. Even if you can delete your account, anyone on the Internet can easily print photos or text or save images and videos to a computer.
- You can be at risk even if you download Apps on social networking sites that look official and the App install link is within the social networking site. Be careful about installing extras on your site. Many social networking sites allow you to download third-party applications that let you do more with your personal page. Criminals sometimes use these applications to steal your personal information. To download and use third-party applications safely, take the same safety precautions that you take with any other program or file you download from the web. Modify your settings to limit the amount of information apps can access.
- Do not respond to social media requests. If you receive an e-mail requesting you to update your Facebook, Twitter, LinkedIn, eBay, or PayPal accounts, do NOT click on the link in the email, and DO NOT LOG IN and update your account as requested. Before entering your username and password, look at the web address in the browser. The fake ones look similar to this: http://k2nxw.com/cgi-bin/login/ or www.paypal5281.com. If you are not sure, log into your real account just like you usually do, by typing the web address in the browser yourself and not using the links provided.
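The "closely verify the spelling" advice in the brand-phishing section, the .gov check in the list of six government addresses and the fake login addresses in the tip above all come down to the same question: does the host in the address bar belong to a domain you actually trust, or is it merely shaped like one? The script below is an added example, not part of the original article. It folds look-alike characters (the capital I / lowercase l pair mentioned above, plus 1, 0 and "rn"), compares the result against a constructed allowlist of trusted domains, and flags appended digits, a wrong suffix (.com where .gov is expected) and a brand name placed in a subdomain of an unrelated site. The allowlist, the homoglyph table and the "last two labels" domain approximation are assumptions for illustration.

```python
import re

# Constructed allowlist of domains the user actually trusts (illustrative only;
# a real deployment would maintain its own list of trusted brands).
TRUSTED_DOMAINS = {"paypal.com", "facebook.com", "linkedin.com", "ebay.com", "whitehouse.gov"}

# Visually confusable characters folded to one canonical form. Capital I and
# lowercase l are the article's example; 1, 0 and the 'rn'/'m' pair are the usual extras.
_HOMOGLYPHS = str.maketrans({"l": "i", "1": "i", "|": "i", "0": "o"})


def normalize_label(label):
    """Lower-case one DNS label and fold look-alike characters."""
    folded = label.lower().translate(_HOMOGLYPHS)
    return folded.replace("rn", "m").replace("vv", "w")


def levenshtein(a, b):
    """Edit distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host, trusted=TRUSTED_DOMAINS):
    """Return (verdict, reason) where verdict is 'trusted', 'lookalike' or 'unknown'."""
    labels = host.lower().strip(".").split(".")
    if len(labels) < 2:
        return ("unknown", host)
    registrable = ".".join(labels[-2:])  # crude approximation of the registrable domain
    if registrable in trusted:
        return ("trusted", registrable)

    brand, suffix = labels[-2], labels[-1]
    norm = normalize_label(brand)
    for t in sorted(trusted):
        t_brand, t_suffix = t.rsplit(".", 1)
        t_norm = normalize_label(t_brand)
        if norm == t_norm:
            if suffix != t_suffix:
                return ("lookalike", f"{registrable} has the wrong suffix for {t}")
            return ("lookalike", f"{registrable} is confusable with {t}")
        # Brand name with characters appended or prepended, e.g. digits after the name.
        # The length guard keeps very short brand names from matching ordinary words.
        if len(t_norm) >= 4 and (norm.startswith(t_norm) or norm.endswith(t_norm)):
            return ("lookalike", f"{registrable} embeds the brand name from {t}")
        if levenshtein(norm, t_norm) == 1:
            return ("lookalike", f"{registrable} is one edit away from {t}")
        # Brand name used as a subdomain of some unrelated registrable domain.
        if any(normalize_label(lab) == t_norm for lab in labels[:-2]):
            return ("lookalike", f"{t_brand} appears as a subdomain of {registrable}")
    return ("unknown", registrable)


def host_of(url):
    """Extract the host from a URL or a bare host string."""
    m = re.match(r"^(?:[a-z][a-z0-9+.-]*://)?([^/?#:]+)", url.strip(), re.I)
    return m.group(1) if m else ""


if __name__ == "__main__":
    # Inputs mixing the article's own sample addresses with constructed ones.
    for sample in ["https://www.paypal.com/signin", "www.paypal5281.com",
                   "http://www.paypaI.com/login", "https://www.whitehouse.com",
                   "http://k2nxw.com/cgi-bin/login/", "paypal.com.login.example"]:
        print(sample, "->", classify_host(host_of(sample)))
```

Note what the "unknown" verdict means: an address such as k2nxw.com does not resemble any trusted brand, which is exactly why the check cannot vouch for it. Anything that is not "trusted" should be reached by typing the known address yourself, as the tip above recommends, rather than through the link.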
What Not to Share on Social Media Sites
- Know what you've posted about yourself. A common way that hackers break into financial or other accounts is by clicking the "Forgot your password?" link on the account login page. To break into your account, they search for the answers to your security questions, such as your birthday, hometown, high school class, or mother's middle name. If the site allows, make up your own password questions, and don't draw them from material anyone could find with a quick search.
- Think twice before sharing personal information that would make you vulnerable. Social networking means opening up and sharing information online with others, but there's some information you should never share online. Protecting yourself from sharing Too Much Information (TMI) can save you from identity theft and even protect your physical safety. So let's start with the obvious - never share your social security number (including even just the last 4 digits), your birth date, home address, or home phone number (although sharing your business phone is okay). Of course, you should protect all of your passwords, PINs, bank account, and credit card information, and never share the state where you were born, as this information can be used to obtain your social security number and other identifying information.
- Posts about going out of town may leave your house susceptible to robbery.
- Pictures and videos of your house, car, and other personal possessions.
- Personal information, including your Social Security number (not even the last four digits), birthday, the name of your high school, your pet's name, your place of birth, home address, phone numbers, or personal account information.
- Avoid posting a full frontal picture of yourself on social media sites. A con artist can copy the image and use it to create a photo ID that can be used to steal your identity.
- If in doubt, don't post. Oversharing can give criminals the information they need to social engineer you into falling prey to a scam.
- Limit work history details on LinkedIn: If you feel you need the added information to help in a job search, expand the details during the job hunting process and then cut back later after you have a position, leaving just enough information to entice recruiters to contact you with interesting new positions. LinkedIn also offers some capabilities to restrict information. You can close off access by others to your network of contacts, something you don't have to share if you don't want.
- Avoid accidentally sharing personal details. Social networking sites make it easy to let details slip you wouldn't otherwise tell friends or strangers. Be aware of what information you put out there that others might use for nefarious purposes.