CSO was recently targeted by a phishing campaign. In this how-to guide, Staff Writer Steve Ragan breaks down the elements of the email that were red flags to the team, and offers information to keep users in your organization from clicking, too, in the event that you’re targeted by a phishing attack.
Each time an email arrives, for most of us anyway, it is quickly scanned. Based on a few key elements within the message, the choice of what to do with it is made.
Check the address fields, subject, and look at the attachment(s)
The first area of focus that will determine what is done with the email is the address section. If the email is from someone you know, or from someone of importance (such as your boss), you’re likely to act on it. At the same time, this is also where the first question about the email should be asked; namely, do I know this person? If you don’t, this is the first red flag.
Subject lines set the tone for an email, and are the attention getters. This is where you learn, in most cases, what the email itself is going to focus on. Criminals know that they need to grab your attention, so they will use subject lines that invoke fear, invoke curiosity, or instill a sense of emotion or authority. When it comes to spotting email scams, remember the saying “never judge a book by its cover,” and ignore the intent of the email’s subject — no matter what it says.
The address fields and subject area are often all someone needs to determine if they will act on a given message. However, even if these areas look good, there may be a problem.
Does the email have attachments? If the email has attachments, you’re likely going to want to open them and address them at some point, but the best advice is to stop and question them first. Were you expecting attachments from the person who allegedly sent the email? If you don’t know the person, then why are they attaching files? Even if you do know the person, why did they send the files if they were not expected? If you’re not expecting file attachments, then you should avoid opening them.
When the phishing email sent to the CSO staff arrived, we questioned its legitimacy immediately. First, none of us had heard of the person sending the email (Pat Evans) or the company represented (Fiserv); the message itself was addressed to the main editorial team, but it was also addressed to email accounts that none of us had ever seen before.
Add to that the email’s subject, simply telling us that there is some sort of scanned file being forwarded, and you have a suspicious email. The straw that broke the camel’s back though was the attachment. The email had a ZIP attachment, which is a known potentially malicious file type. We’re trained to treat ZIP files that arrive unexpectedly as suspicious, but we do the same for other formats too, such as DOC, XLS, PPT, and PDF. It’s a good habit to form, as most email-based malware is delivered via common file formats.
Again, when faced with a message from an unknown person, with a questionable subject, and a risky file type as an attachment, our awareness training tells us that in most cases the email is a sham. Delete it and ignore it. At this point, I sent an email to my co-workers and instructed them to delete the message we had received and avoid the attachment. As a precaution, IT was alerted, because the email did make it past the anti-spam server.
Examine the body of the message
So assume the address area checks out, and there are no email attachments. Does this mean the message is perfectly safe? No. In fact, spammers and criminals will use compromised (i.e. legitimate) email accounts to do their dirty work. So it is entirely possible that a phishing attack is sourced from a real company email account and uses company servers to propagate.
As mentioned, never judge a book by its cover. Just because the email’s addressing and subject look good so far doesn’t mean that all is well. This sounds overly paranoid, but these days there’s good reason to be. For the staff at CSO, phishing is a serious risk, and that was before groups of hackers like the Syrian Electronic Army started using phishing as a means to attack media organizations. To other organizations, phishing is just as serious, because once a criminal has access to an employee’s account, there isn’t much they can’t do.
So the body of an email message is the second area of focus when judging the overall legitimacy of an email. It’s always best to read your email in plain text. If you’re not already doing that, or you’re not sure, ask the helpdesk (or someone in IT) how to do this, as it’s an easily obtained additional layer of protection.
One of the odd things about the phishing email delivered to CSO was the opening. It was overly formal. In our case, the opening was “Dear Business Associate,” which raised flags, because no one who normally contacts us would address us like that. Also, the body of the email read like a random news pitch, so such a formal opening was way out of place.
When reading the opening of the email, look at how it addresses you. If you know who sent the message, is this how they normally greet you in an email? Give the entire message a quick glance. Now ask yourself, how is it written?
What is the tone of the message? Does it make you want to do something? Is it asking for information or details that you’d normally hesitate to share? Is it asking you to take an action of some kind? Is there a sense of urgency in the tone of the email? Do you feel pressured or rushed? Does it invoke curiosity? If the answer to any of those is yes, take a step back.
Criminals, especially when it comes to phishing, want something from you. It can be information, or for you to take an action, such as opening a file attachment or visiting a website. In order to do this, they will set the tone of the message to invoke one of the aforementioned mental / emotional states. More often than not, the message will come from a person of authority or from someone with a role of importance to you personally.
The message will contain instructions, steps you must take immediately in order to resolve some issue, or comply with a demand or request. This is why it is important to take a step back, because often a second guess about the email will defeat many of the tricks criminals use.
While scanning the email’s body, it’s also important to look for red flags such as typos, grammatical errors (missing verbs or adjectives), and overly neutral phrasing. Many criminals are not native English speakers, and their scams can be spotted because of it. Another item to look for is the use of universal time (0600 instead of 6:00 a.m.). Many criminals from Europe or Asia will use universal time out of habit, forgetting that most of the U.S. (military excluded) doesn’t use (or, in some cases, know) the 24-hour clock.
The phishing email to CSO requested that we open the attachment, in addition to offering a website for “additional information.” This is a major red flag, and a key reason the email was treated as a scam by the CSO team. Again, it’s our professional knowledge, and our awareness training in action. We’re trained to be suspicious of email attachments in general, especially common formats, and we never follow links within a message that comes to us randomly.
Even though the common areas of the phishing email sent to CSO were enough for us to correctly see it as a scam and avoid it, when determining the authenticity of an email, the headers are a great source of information and worth discussing briefly.
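The checklist above (unknown sender, risky attachment type, impersonal greeting, urgent or demanding tone, a request to open a file or visit a site, 24-hour clock times) can be turned into a simple triage script that a helpdesk or security team might run over a reported message. The following is an added example written for this guide, not code from CSO or from the article; the two sample messages, the address book, the keyword lists and every address and domain in it are constructed placeholders chosen to mirror the traits described above, not the real email.

```python
import os
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message for this example. It mirrors the traits the
# article describes (unknown sender, "scanned file" subject, ZIP attachment,
# impersonal greeting, pressure to open the file and visit a site), but every
# name, address and domain here is a placeholder, not the real message.
SUSPICIOUS_EMAIL = """\
From: Pat Evans <pat.evans@sender-placeholder.invalid>
To: editors@recipient-placeholder.invalid
Subject: Fwd: Scanned document
Content-Type: multipart/mixed; boundary="==example=="

--==example==
Content-Type: text/plain

Dear Business Associate,

Please open the attached scanned file immediately. It must be reviewed
by 0600 tomorrow. Additional information: http://info-placeholder.invalid/

--==example==
Content-Type: application/zip; name="scan.zip"
Content-Disposition: attachment; filename="scan.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--==example==--
"""

# A constructed benign message from someone in the (assumed) address book.
BENIGN_EMAIL = """\
From: Alice <alice@recipient-placeholder.invalid>
To: editors@recipient-placeholder.invalid
Subject: Lunch on Friday?
Content-Type: text/plain

Hi Steve,

Still on for lunch at noon on Friday? Let me know.

Alice
"""

# Assumed address book; a real deployment would load this from a directory.
KNOWN_SENDERS = {"alice@recipient-placeholder.invalid"}

# Attachment types the article calls out as common malware carriers.
RISKY_EXTENSIONS = {".zip", ".doc", ".xls", ".ppt", ".pdf"}

# Phrasing that signals pressure, authority or a demand for action (assumed list).
URGENCY_WORDS = ("immediately", "urgent", "must", "required", "suspended", "verify")

# Impersonal salutations no regular correspondent would use (assumed list).
FORMAL_GREETINGS = ("dear business associate", "dear customer", "dear sir", "dear madam")

# Four-digit 24-hour clock times such as 0600 or 1830. Deliberately coarse:
# it also matches other four-digit numbers in that range, so it is a hint
# to look closer, not proof of anything.
CLOCK_24H = re.compile(r"\b(?:[01]\d|2[0-3])[0-5]\d\b")
URL = re.compile(r"https?://", re.IGNORECASE)


def red_flags(raw_message: str) -> list:
    """Return the red flags found in an RFC 822 message string, in check order."""
    msg = message_from_string(raw_message)
    flags = []

    # 1. Address fields: do we know the sender?
    _, sender = parseaddr(msg.get("From", ""))
    if sender.lower() not in KNOWN_SENDERS:
        flags.append("unknown sender")

    # 2. Attachments: unexpected files in risky formats; collect plain-text body.
    body_parts = []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            ext = os.path.splitext(part.get_filename() or "")[1].lower()
            if ext in RISKY_EXTENSIONS:
                flags.append(f"risky attachment type {ext}")
        elif part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            body_parts.append(payload.decode("utf-8", errors="replace"))
    body = "\n".join(body_parts)
    text = (msg.get("Subject", "") + "\n" + body).lower()

    # 3. Body: greeting, tone, requested action, links, and time format.
    if any(body.lower().lstrip().startswith(g) for g in FORMAL_GREETINGS):
        flags.append("impersonal formal greeting")
    if any(word in text for word in URGENCY_WORDS):
        flags.append("urgent or demanding tone")
    if "attach" in text and any(verb in text for verb in ("open", "review", "see")):
        flags.append("asks you to open an attachment")
    if URL.search(body):
        flags.append("contains a link")
    if CLOCK_24H.search(body):
        flags.append("24-hour clock time")
    return flags


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_EMAIL), ("benign", BENIGN_EMAIL)):
        print(label, "->", red_flags(raw) or ["no red flags"])
```

Every check here is a heuristic: a known contact whose account has been compromised passes the sender test, and a legitimate invoice may trip the attachment and urgency tests. The value of the script is that it makes the same questions the article asks explicit and repeatable, so the output is a prompt for a human to stop and look, not a verdict.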
(In Outlook 2010, the headers are part of the options area of the message ribbon (Tags). In other clients, you can usually right click on the email and select the options menu, and find the headers there.)