If you think that ‘I would never click that’ phishing email holds true for you, read here why you are
probably wrong and might be at risk!
Smart criminals are fooling you into believing you are clicking a honest email or text link, while in fact you are falling victim of their refined tactics.
Ask yourself, would you click this link? This is a clear example of a phishing email.
This is a clear example of a phishing email. Do the test below if you think you are immune to social engineering attacks.
There are in almost infinitive amount of possible ways phishing can trick you. In fact, around 27% of people fail social engineering (the word used describe the general subject of tricking another human being into believing something that is actually false) tests according to a report by positive technologies.https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Social-engineering-2018-eng.pdf
Do you think you are so IT savvy you would never fall for these tricks? or do you want to simulate how you would perform under a various of different attack vectors? Test you knowledge and enter the challenge below:
How did it go? Did you think the test was easy and found out it was actually quite hard? Did you score 100%? If you want to jump right to a smart little wizard that gives you excellent advise on when to trust and when not to. Use the model below:
Want to learn more about phishing and how it works? Read more below!
Phishing is a way of convincing you that a real company or person you know asks for something that is not actually true. This can happen with a variety of results in mind. Generally speaking these are the three types of results an attacker is trying to pursue:
The results are any of the following:
Data shows that the average click rate on email phishing is 3,4%. If you consider the amount of phishing emails that are send every day this is a massive amount of people. As it may appear you will want to understand what you can do to counteract any form of phishing to avoid becoming the victim of such an attack.
The reason why it’s so hard to spot an attack is because attackers try to exploit various shortcomings in the human brain called ‘cognitive biases’. This is a complex word to describe that our human brain has a few blind spot’s. We are prone to hundreds of such (small and big) quirks. The ones that are most exploited and some phishing text examples are listed below:
|Principle||Description||Phishing text example|
|Returning the favour (reciprocity)||Feeling obliged to repay favour. 'I do something for you, you do something for me.'||While we work hard to keep our network secure, we’re asking you to help us keep your account safe|
|Consistency||Behave in a way consistent with past behaviour and ideally the person has already committed too. Part of self-image.||'You agreed to the terms and conditons before using our service, so we ask you to stop all activities that violate them. Click here to unflag your account for suspension'|
|Social proof||Follow the majority. This is general human behaviour||'We are introducing new security features to our services. All customers must get their accounts verified again.'|
|Authority||Tendency to obay authoritive positions.||Best regards, Excecutive Vice President of <company name>|
|Liking||Liking people who like you. If you get a like, you are more likely to return the favour.||'We care for our customers and their online security. Confirm your identity .. so we can continue protecting you'|
|Scarcity||Feel the urge (fear of missing out) to not miss something scarce. This can be time, money or anything else.||'If your account information is not updated within 48 hours then your ability to access your account will be restricted'|
Can you see how the attackers skilfully crafted their wording to get a grip on one of the principles of human behaviour?
Want to read and see more examples or find out more about this subject? Find out more in this study by the Technical university of Eindhoven, NL.https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&ved=2ahUKEwir5Mzjg7HsAhUxMewKHRBhA_gQFjADegQIAhAC&url=https%3A%2F%2Fwww.usenix.org%2Fsystem%2Ffiles%2Fsec19-van_der_heijden.pdf&usg=AOvVaw1ZrLdA43pb69_35pasF673
Phishing is basically tricking you into an action that you do not want to take. Attacks come in all sorts of size and shapes. More about that below. First we explain how a typical attack works: See figure below for illustration from Cloudflare (https://www.cloudflare.com/learning/access-management/phishing-attack/)
How it works:
Take note that the attacker usually sends out the email to hundreds, thousands or even millions of email addresses. These are found by buying hacked email addresses or researching or hacking into email databases of the company that they are trying to mimmic. The more specific the contact details, the better the attack will work.
In other words, if the attacker knows you are a client of company x but not of company y and might even be able to find out who is in charge of (for example) the IT department of company x. The attacker will have much higher chances of succeeding when he will targets his attack exactly towards this combination of information. He will send out a email targeting only clients of company x with the email signature of the person that manages the IT department there. The more specific a attack becomes, the better it will work.
Are you willing to loose money? Access to your personal files? No? We also think so…
Typical types of information that criminals are after are the ones below. These should really concern you as it is common that they give access to a much broader base of information.
For example: If you use the same credentials for multiple websites or companies these can be used to reset passwords for payment agents like paypal.com, help on execution Identity theft, etc…
Phishing emails and texts come in different forms and types. Each with it’s own intent and setup.
“If you allow us to move a large sum of money through your bank account we will grant you 35% of the money for your service.”
The email asks for a ‘fee’ to process a transaction. An example of this is the ‘Nigerian Prince’ email. This is actually a very old technique that tries to ‘reward’ a person for doing something for the requestor.
|Bias||How to spot||Mitigation|
|This email takes advantage of the 'returning the favour' principle.||An old advice also holds true in this regard: If it sounds too good to be true: it is!||Don’t respond to request from people you don’t know. Even if it does not involve money.|
This attack should be mitigated by using the principle: If it’s too good to be true, don’t trust it!
“You need to do this now if you don’t want to loose’, your account with (insert big tech name here)!”
The attacker tries to create urgency by threatening that your account is going to be deactivated if you’re not loggin in. This type of email requests you to click a malicious link and/or give your login and password directly.
Sometimes this attack is so well constructed that it actually takes you to the legitimate version of the website you are asked to insert the details for. By doing so it’s very hard to recognise that you have been scammed.
|Bias||How to spot||Mitigation|
|This email takes advantage of the ‘scarcity’ principle||Genuine companies will almost never ask you to do something. When they do, login to their services and check if you have a message or even better, call them directly by finding their telephone number through a search engine query.||Don’t respond to request from people or companies you don’t know. If you do know them, do everything to check whether or not the request is valid by getting a ‘second source’ to tell you that it’s a valid request.|
This attack should be mitigated by never clicking a link in a email but instead surfing directly to the companies website through your internet browser and logging in via that route. This way you single out a possibly compromised link.
This email type takes advantage of the ‘Scarcity’ principle.
On a side note: this advice is hard to do when you get a ‘password reset’ email that you have requested yourself. It is typical for these emails to usually contain a link to reset passwords.
“Hi x, Please wire 22M to the following account below before noon. I need it for the deal with y, Your truly, Jeff Bezos, CEO Amazon”
With whaling the attacker tries to use the authority of the email sender’s to demand something from you. For example a fake email is created that is supposedly send by the CEO of the organisation to the CFO or a an accountant to wire money to a certain account, give credit card details or similar.
For this attack the social media accounts from the people involved are ‘scrapped’ and this information is entered in the email to create trust with the recipient.
|Bias||How to spot||Mitigation|
|This email takes advantage of the ‘authority’ principle.||Never trust requests to wire money or any related activities without verifiing.||Speak to the person directly to verify if he/she actually send the email.|
This attack should be countered by verifiing in person that the request is legit. The best way to do this is try to reach this person by a way that you know is safe and involves direct communication such as a personal or telephone conversation. Ask the requestor if the message is valid directly.
Prevention, defense and awareness
How to check for validity of a potential phishing message?
As you most probably don’t want to get scammed it’s important to check for validity. There is potential risk in anything you do with a computer, or other device connected to the internet so always beware. You’re first reaction to anything you have not requested yourself or is unexpected behaviour: dont’ trust it. Once you go into this mental state you are a much harder target.
When you think any of the following things. Be extra cautious:
Social engineering is the craft of manipulating human feelings like curiosity and fear to lure you into their traps. Therefore, be wary whenever you feel alarmed by an email, attracted to an offer displayed on a website, or when you come across stray digital media lying about. Being alert can help you protect yourself against most social engineering attacks taking place in the digital world.
There are many ways that the attacker might impersonate anyone or any company you know. Your first check should be: Do I know this person? If not, consider not interacting with the message at all.
Another good way of minimizing the change of receiving malicious email is using an email service that is ‘approve only’. It allows you to personally screen new incoming senders and reject them if you do not know them. You can only interact with emails after you have confirmed that this is what you want. Currently only ‘HEY’ offers this concept/feature. See screenshot below:
The hacker needs to take you somewhere to be able to convince you to enter data or perform a action. They will in almost all cases try to make you click a link that is malicious. So you should always be asking yourself:
The easiest way to check the actual link the click is going to take you is by looking at the bottom left part of the screen of your internet browser. Can you spot where it is?
The reason this is so important is because there is a possibility that a link is masqueraded as another link by using programming language. See below examples of links to Google.
The two look identical, but the actual destination link in the first example is
To navigate safely around the internet, you need to understand that a URL consists of the following 4 parts:
If you know how to check where the link will take you. It’s our strong advice to check the following points before clicking:
|Does the URL start with anything else then https:// ?||Don’t click the link! And if anything if you are ever on a website like that, never enter any personal information!||http:// links do not have a security certificate (SSL) in place. This means data to this website can be intercepted by anyone.|
|Find the ‘domain’ part of the URL. This is the last part before the last “.”||Compare it with the company name or website you want to go! If this does not match: Don’t click the link!||This part is the actual address the link is taking you. The part before can be constructed or used to misguide you.|
|Is a URL shorter service used? Examples: Bit.ly, Cutt.ly and TinyUrl.||Don’t click the link!||There is no way of knowing where the link might take you unless you do a complicated lookup. Best not to trust.|
Another, more advanced trick hackers use is to mimic a letter with another (unicode) character that looks just like it. See following example:
Visiting this page on Firefox web browser leads to the following website:
The reason this domain looks 100% identical to the real domain is that the attacker (in this case the poster of the blog post about the vulnerability) is that the browser translates the ‘Cyrillic "а"’ used in the domain into the regular ‘a’ when it displays in your browsers address bar
Another trick that hackers use is the masking of URL’s through url shortening services. Some examples of these are Bit.ly, Cutt.ly and TinyUrl. There are many more but they have one thing in common. The Urls that they produce don’t match the original domain of the company that sends you the email. Look at the examples below:
Find the link address by hovering your mouse over the hyperlink. All internet browsers show you the ‘destination’ url. If it does not contain the companies domain name, don’t click it!
Behind the first URL might be any destination. There is no way to check. So best you avoid URL’s like those altogether.
Don’t get fooled by the file type. Any file type can be malicious. Even .PDF files or cute cat or dog photo’s.
Desperate to open a .pdf or image file? Use your browser or an online cloud like Google drive or Dropbox instead of opening the document on your computer. This way the document ‘runs’ in a different environment than your physical device (phone, computer)
The website you visit looks exactly like the ‘real’ one. The attacker created a duplicate website to steal any information you enter. You may be brought to this site by clicking an email hyperlink, forum post, messenger app link or even a search engine result.
To mitigate this type of attack, you can do the following two actions:
1. Check the domain name. The only reliable way of checking any website is through checking the exact URL link. This hyperlink should be exactly same as the one you know for this site. If you are in doubt, call the company and ask for their website link.
2. Check the SSL certificate. A basic check before visiting any site should be that the site has a SSL certificate. You can quickly check if this is the case if the website has a logo with a lock in the corner before the url of your browser. See examples below. This logo displays the fact that the website has a valid ‘SSL certificate’. This means that the information between your computer and the website that is exchanged is encrypted. If a website does not have this lock or flag, do not enter any personal information regardless of the situation.
You can also go as far as checking if the domain name SSL certificate is registered to the actual company. There are many guides out there that will tell you how to do this for your particular browser.
3. Double check.Once you are on the website and you have checked the domain name there is usually only one more thing you can do to keep yourself safe: ‘use your common sense’. As you read previously in this article, criminals use deceptive language to trigger you to take a certain action. If you read the website and find the layout, or maybe the wording a bit strange and feel the ‘urge’ to do anything, stop and reconsider. Better to do a double check first. Search for ‘reviews’ of the website with the words: ‘scam’, ‘phishing’ or ‘phishing attack’. Often you are not the only one being targeted and somebody else already reported about it.
If you really think that the attachment of a email is real and not a form of malware, spyware, ransomware or a keylogger? These are the steps you can take to decrease risk:
4. Other easy measures you can take to minimize the threat-model is by checking the so called PGP key signature of a download. This is excellent practice but too complicated for most people.
User credentials are often the target of phishing. You should protect yourself by enabling ’2 step authentication’, also known as ’2 Factor Authentication’ or ’2FA’ on all accounts that allow it. This setup is basically an extra layer of security. The usual setup:
The app on your phone generates time specific codes that you need to enter when loggin in to a service that has been setup with 2 factor authentication. This setup allows you to defend yourself even if some of your personal information like your user name and password are compromised. Without access to your phone the attacker cannot enter the account.
Popular apps to setup 2FA on your Android or iOS phone are:
It’s also possible to use dedicated devices for 2 factor authentication. Some of the more popular are:
It’s important to note that you should avoid ‘SMS 2 factor authentication’ if possible. This is because SMS and the protocol behing it is not build to handle sensitive information and can be hacked relatively easy. If your account or service has a 2FA option. Use an app on your phone or hardware device if possible. Only settle for SMS if no other option is available.
There is nothing more effective as incident prevention. To do phishing prevention you essentially minimize the effect vectors that a malicious entity has on you. These are relatively straightforward to do but hard to maintain the discipline for:
Other ways to work on prevention are tests and trainings. Unfortunately these are hard to come by for free. So we made one. Scroll up to the top of this page to take the test!
Or take the one from Google here (https://phishingquiz.withgoogle.com/)
32% of data breaches involved phishing according to the Verizon Data breach investigations report (DBIR). Out of which most attaches (96%) involve email phishing. Only 3% of attackers used a website and a mere 1% uses text messages. The average click rate on email phishing is 3,4% but the level of sophistication is rising sharply!
37.9% of Untrained Users Fail Phishing Tests
The most worry some fact is that 37.9% of Untrained Users Fail Phishing Tests KnowBe4, one of the industry’s leading cyber awareness training organizations, states in their 2020 Phishing By Industry Benchmarking Report that nearly 38% of users who don’t undergo cyber awareness training fail phishing tests. Knowing that only 1 in 5 organisations perform these tests monthly, there is a lot of ground to cover still.
With term the general activity of the attacker gathering specific data about you or your company and aiming to utilize that specifically for your case. 90% of all phishing attacks work this way. The more specific the targeting, the higher the succes rate of the phishing attempt.
This is a more targeted version of the phishing scam whereby an attacker chooses specific individuals or enterprises. They then tailor their messages based on characteristics, job positions, and contacts belonging to their victims to make their attack less conspicuous.
They obtain these pieces of information off stolen or publicly available locations. Check for yourself by googling your own name:
With clone phishing the attacker creates an identical copy of an email that they know or suspect to come from a legitimate source and change the links or attached files to trick the victim. Opening these links the will infect your computer or take you to a malicious website. See ‘Website forgery scam’.
Social engineering is the psychological manipulation of people into performing actions or divulging confidential information. This differs from social engineering within the social sciences, which does not concern the divulging of confidential information.Wikipedia
Social engineering happens because of our human instinct of trust. Cybercriminals have learned that a carefully worded email, voicemail, or text message can convince people to transfer money, provide confidential information, or download a file that installs malware on the company network. They do so by utilising any or a combination of the following human behaviours:
There are 4 main attack vectors:
Baiting is a ‘false promise’. It involves offering something in exchange for login information or private data. The ‘Bait’ can be anything. A free download, a discount code, a free sample or sensitive or valuable information. If you download the bait malicious software in the form of spyware, malware, randsomeware is installed on your computer. This will allow the hacker to get to their target.
The bait can also be something physical. For example a ‘left or forgotten’ USB thumb drive. Attackers will make it look as authentic as possible so the chances of you recognizing it are slim. Instead, focus on the rules for phishing: ‘Did you request this?’ If the answer is ‘No’. Then it’s probably wise not to trust the device.
Also known as impersonation. Essentially the physical form of phishing. Pretexting is when a hacker tries to create a relationship with the target by impersonating somebody else. The intent of this attack is to gain access to sensitive information or funds.
This form of attack is highly effective as the trust bond between the target and the person being impersonated is already there. For this reason your guard is already very low and you do not expect the attack.
As the name already gives away, this attack is focussed around scarring its victims to motivate them to perform a specific action. We all know the pop-ups that appear on some websites or in emails with messages like ‘Your computer may be infected with harmful spyware’. These messages are always fake so don’t bother interacting with them
Google has a nice repository of scams that are associated with them on this page:https://support.google.com/faqs/answer/2952493?hl=en
The university of Berkely has an excellent repository of phishing examples. Feel free to look through them below and check if you would have spotted that it’s malicious.https://security.berkeley.edu/resources/phish-tank
We really like your opinion on Thinkbase. Please share anything you would like to share via below form!