Ok, so there’s something wrong with my mail account. Someone is attempting to reset my password, I wonder what this is all about? Best to investigate right away, can’t afford a mail outage now.
This is how one of the most common tricks in cyber criminals’ toolbox starts. When making a list of essential cyber security skills, recognizing phishing is definitively near the top, if not number one.
So I’m going to walk you through a real-world case where a cyber criminal tried to hack one of my test accounts. I let him succeed, almost. From this we can derive what you need to know to recognize phishing attacks. And BTW, this is another “don’t try this at home” thing.
Phishing step by step
It starts with a mail about some problem with the account, which they of course just made up. Another alternative is a notification about winning in a lottery (that you can’t remember taking part in), or some kind of other benefit you can claim. This attack apparently targets user with a Microsoft mail account. The story is that someone else has initiated a password reset sequence, and this is your last chance to stop them from hijacking your account. Ironically, taking the bait would be the first step in the account hijacking. “Microsoft” is of course providing good customer service and offers a convenient link to log in and deal with the problem.
The link leads to a login page. It is a copy of Microsoft’s login, but runs from the cyber criminals’ server. Note the server’s address in the URL-field. They have added the word “secure” several times to make it feel, well, more secure. That means nothing in practice.
Here’s Microsoft’s genuine login screen as comparison. The copy is not perfect, but good enough to look legit and fool most users.
Oops, I have a problem. Firefox has built-in protection against fraudulent sites, and this one apparently got added while doing this research. But one can bypass these alerts and continue at own risk. Not recommended, but I’ll do it anyway.
We have been told to look for a green padlock next to the web address. It indicates a secured and encrypted connection to the server. Great, that sounds secure and cozy. Let’s click the lock and check who owns the server. Hey, it’s not Microsoft!
This appears to be one of the more advanced phishing scams. The false login page is checking what I enter and won’t accept an incorrect password. This is done by programming the server to forward the credentials to some real Microsoft service, and see if the login succeeds.
When the right password has been entered, one gets a message not to worry. The good guys at Microsoft make sure you’re safe. Great! At this point the crooks know the password to your account.
And here we go. About 45 minutes later we have guests from Nigeria. This is an empty test account, but I changed the password anyway after the attack. This is a good reminder that there’s a time window when you can repair the damage even if you entered your password.
How to recognize phishing?
All phishing attacks do not have all these attributes. But identifying even one or two should make you stop and think.
You unexpectedly get a mail about an account problem or opportunity to win something.
Time is short. You are urged to act promptly. That reduces the risk that the victim checks facts or thinks through it thoroughly.
Phishing always contain a link to the false login page. Hover your mouse over the link to see where it really takes you. In the case of phishing, it’s not the company the mail claims to originate from.
Check the sender’s address. It ends in “org.com” in the example case, while “microsoft.com” would have been the expected domain.
Address lists used by spammers often contain duplicates. Did you get several copies of the same mail? That’s another warning signal. I got four copies of this mail.
The mail does not contain any personalized info like “Dear Mr. Smith”. That’s because cyber criminals typically only have your e-mail address, not your full record.
You didn’t expect the mail. Clicking links in mails is safe, and mandatory, if you for example change your address and need to verify the new e-mail. But in those cases you initiate the change yourself and expect a mail.
Phishing is often sent blindly to a large number of addresses. It’s easy to suspect foul play if they claim you have a problem on a system where you don’t even have an account.
The mail may be in English even if you have set the account to another language. Or in your own language but badly translated. Cyrillic characters here and there (in non-cyrillic text) also smells fishy.
The mail’s overall layout and visual appearance may also be of a quality you don’t associate with large professional companies.
Remember that the correct logo, flawless language and professional appearance AREN’T a guarantee that the mail is legit. All that can be copied if the crooks just are professional enough.
What to do when suspecting phishing?
Here’s what to do if you get a suspect e-mail:
First, assume it’s a scam. Unexpected mails that ask you to login somewhere, for whatever reason, are to practically 100% phishing mails.
If you are still in doubt, go to the account in question, but NOT using the link in the message. Use a bookmark or type the address. You will be notified after login if there really is a problem.
If you have fallen for phishing anyway, but realize your mistake. Act quickly. Change the accounts password and look for a “secure my account” function. Many of the larger systems offer them nowadays.