What is Phishing: 5 Signs of a Phishing Email - Exabeam

Published: July 15, 2021

Author: Orion Cassetto

What does phishing look like? Here are the top 5 ways to tell a real email from a phishing email.

What is Phishing?

Phishing is a cybersecurity threat and a type of social engineering tactic, aimed at collecting private information on the internet. Phishing scams are typically based on fake websites (emulating financial or eCommerce websites), with URLs that are manipulated to resemble the web address of the real website. 

A phishing email may attempt to create a sense of urgency (for example “your account expired”, or “regarding your recent purchase”) or may offer a reimbursement or other positive benefit to a large number of internet users. 

In the body of the message, the attacker often invites users to visit a form that appears to be hosted by the legitimate organization and asks them to provide personal data, often of a financial nature. Throughout the process, the victim believes they are interacting with the official website of a trusted entity.

Phishing emails may also be accompanied by an attachment, commonly presented as an invoice. The message is written in such a way as to encourage a user to open it, causing the attachment to execute and infect the machine with malware.

Phishing attack examples

Email has evolved over the years, and advances in email technology are also making phishing attacks more sophisticated, more attractive to attackers, and harder to detect.

Classic phishing email

“Classic” phishing emails are still responsible for the majority of catastrophic data breaches worldwide. A phishing email appears to originate from a trusted source, typically one that holds sensitive data or has a financial relationship with the user. It encourages the user to divulge private information, either in reply to the email or by means of a web form.

Spear phishing

Spear phishing attacks are sophisticated, highly targeted versions of phishing that go after valuable targets, such as network administrators or accounts managers at organizations.

Spear phishing campaigns depend on data collected by cybercriminals about the victim or their employer. Spear phishing emails often address the user by name, and use language that is immediately familiar to the victim, to encourage them to take immediate action.

A type of spear phishing, known as “CEO fraud”, involves an email sent from an email address known to the victim, such as that of the CEO, HR manager, or IT support. The email asks the victim to take immediate action, for example, to transfer funds, update employee details, or install new applications on their computer.

Account expired / change password

In a change password attack, cybercriminals send phishing emails with links to fake websites, such as mobile account login pages of well-known email providers, asking victims to enter credentials and other information, supposedly to reset their password or because their account has expired. Malicious websites use subtle modifications of known URLs to confuse users (for example, mail.update.provider.com instead of mail.provider.com).

Wi-Fi twin

This attack involves spoofing a Wi-Fi access point. The victim unknowingly connects to the wrong Wi-Fi network, and exposes their Internet communications to the attacker, including passwords and other sensitive data. Fraudulent Wi-Fi can be deployed by attackers in coffee shops, airports, hospitals, shopping malls, parks, or public meeting rooms.

Mobile phishing (smishing)

In a smishing attack, attackers send an SMS, social media message, voicemail or other type of message, asking the user to take action such as updating their account details, changing their password, or responding because their account is compromised. When the user clicks the link contained in the message, they are taken to a malicious site or malware is installed on their mobile device.

Man-in-the-middle

In this sophisticated email phishing attack, the attacker intercepts email communication between two people, and sends each of them emails, which appear to originate from the other person, but are actually from the attacker. The emails might request the recipient to share private information or perform other actions, and the victim may comply, thinking that the email originated from a friend or colleague.

5 Signs of a phishing email

All internet users, especially those who use company equipment or have access to sensitive data, should be able to identify suspicious emails in their inboxes. Below are five common signs that can help your users identify a phishing email.

1. An unfamiliar tone or greeting

When reading a suspicious message, look for improperly used words and a tone that does not fit the sender. For example, a colleague sounds overly familiar, or a family member sounds very formal. If the email sounds strange, and does not use the language you’d expect from the sender, it is a good idea to look for other indicators that it may be fake.

2. Grammar and spelling errors

Spelling mistakes and poor grammar are common indicators of phishing emails. Most companies use professional copywriters, or at least a spelling checker, to review official emails before sending them. Therefore, emails sent from professional sources should be free of grammar and spelling errors.

3. Inconsistencies in email addresses, links and domain names

Another easy way to identify potential phishing attacks is to look for discrepancies between the email address, link, and domain name. For example, it is a good idea to compare the sender's address against previous communications from the same organization (you may find that previous emails came from a different email account or domain).

If a link is included in the email, first mouse over the link to see the destination URL. A sure sign of phishing is that the domain used in the link does not match the company that supposedly sent the email. For example, the email is from Amazon, but the link does not go to amazon.com.
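
The sender-versus-link comparison described above, automated as an added example (not Exabeam's code): it parses a constructed message, extracts each link, and flags destinations whose domain differs from the sender's or from the domain shown in the link text. The names domain_of, LinkCollector and check_links, and the last-two-labels rule, are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message; example.com / example.net are reserved documentation domains.
SAMPLE = """\
From: "Example Store" <orders@example.com>
Content-Type: text/html

<p>Your account expired. <a href="https://example.com/help">Help</a></p>
<p><a href="https://login.example.net/verify">www.example.com/account</a></p>
"""

def domain_of(value):
    # Last two labels of the host, "" if not URL-like (assumption: no Public Suffix List lookup).
    if not value or any(c.isspace() for c in value):
        return ""
    host = urlsplit(value if "://" in value else "//" + value).hostname or ""
    return ".".join(host.split(".")[-2:]) if "." in host else ""

class LinkCollector(HTMLParser):  # gathers (href, visible text) for every <a> element
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_links(raw_email):  # returns a list of (href, reason) findings
    msg = message_from_string(raw_email)
    sender = domain_of(parseaddr(msg["From"])[1].rpartition("@")[2])
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    findings = []
    for href, text in collector.links:
        dest, shown = domain_of(href), domain_of(text)
        if dest and dest != sender:
            findings.append((href, "link domain differs from sender domain"))
        if shown and dest and shown != dest:
            findings.append((href, "visible text shows a different domain than the destination"))
    return findings
```

Because only the last two labels are compared, hosts that differ only in their subdomain are treated as the same domain, and the From header itself is taken at face value.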

4. Threats or a sense of urgency

Emails that warn the recipient about something negative are immediately suspicious. Another strategy used by attackers is urgency—encouraging or demanding immediate action, in the hope that the user will act quickly and won’t have time to fully investigate the content of the phishing message. Any type of threat or urgent request should cause a user to stop and investigate the email more closely.

5. Unusual request

If the request made in the email is uncommon, the email may be malicious. For example, an email from a CEO might request an urgent transfer of funds, without going through the regular payments approval process.

Best practices for preventing phishing attacks

Train your employees

One of the most effective ways to prevent phishing attacks is to facilitate secure communication practices in an organization. When employees have a good understanding of the consequences of a phishing attack, they can learn to prevent even the most sophisticated phishing attack.

A strong anti-phishing training program should include compliance training, materials to promote awareness, and continuing education. Keep educational content up to date and engaging, using videos, infographics and other tools.

Use a phishing fire drill

More and more companies test their employees by running a fake phishing campaign. Testing can feel invasive or make some people uncomfortable, but if it is implemented correctly, you can manage the sensitivity and avoid negative reactions. A realistic “phishing fire drill” is the best way to make employees aware of the impact of an attack, and discover weak points in your defenses.

It is important to perform testing in a constructive manner. The objective is not to point fingers at employees who are not acting securely, but to educate and encourage employees to adopt secure practices. 

Provide meaningful feedback to employees who do not pass the test, hold a training session to review the phishing message as a group, and help employees understand what went wrong and what they can do to catch a real attack. Perform drills frequently, as often as once a month, if possible.

Use multifactor authentication and consider passwordless technologies

Multifactor authentication (MFA) is an additional measure that can make a big difference against phishing attacks. MFA uses additional methods of authentication besides passwords, such as a one-time password sent to a mobile phone, a physical security token, or a biometric ID. This means that even if attackers coerce users into divulging their passwords, the password will be useless to the attacker without the additional authentication method.

Phishing detection and investigation with Exabeam

Social engineering attacks like phishing will inevitably happen, so you should ensure your organization has the means to rapidly collect data about security incidents, identify what is going on, and notify security staff so they can take action. 

For example, the Exabeam Security Management Platform is a next-generation security information and event management (SIEM) system powered by user and entity behavior analytics (UEBA). Exabeam collects security events and logs from across your organization, including email security, uses UEBA to identify normal behavior, and alerts security teams when suspicious activity occurs.

Whether it is a user clicking through to an unusual web destination, or a malicious process executing on a user’s device, UEBA can help you identify social engineering attacks as they happen, and rapidly react with automated incident response playbooks to prevent damage.

Learn more about phishing

Learn more in our series of articles about phishing attacks and prevention:

Securing Your Remote Workforce, Part 1: Detecting Phishing Scams Disguised as Updates

With more teams working remotely, the shift to meeting and collaborating online in a cloud-based work environment is a learning curve for most security organizations. In this post, we look at how cyber criminals are building out phishing and other targeted malware campaigns and successfully executing them for financial gain, notoriety or theft of IP for competitive advantage.

Political Campaigns and Phishing: Five Things Campaign Staff Can Do to Stay Safe

With experts citing security breaches, particularly phishing, as a top concern for elections, it’s more important than ever that campaigns find ways to protect themselves. The right software can detect suspicious activity and alert security teams, but your team should also avoid inviting the activity in from the start. Learn about five things your campaign team can do to protect your data from malicious activity.

A Machine Learning Study on Phishing URL Detection

Many network attack vectors start with a link to a phishing URL. A carefully crafted email containing the malicious link is sent to an unsuspecting employee. Once he or she clicks on or responds to the phishing URL, the cycle of information loss and damage begins. Our goal is to flag a suspicious phishing URL previously unknown to blacklist data providers. Machine learning offers a solution used for such a prediction task.

How to Investigate a Phishing Incident

Phishing remains the most common and successful way for cybercriminals to steal data. This video shows how to conduct a phishing incident investigation using a legacy SIEM vs. a modern SIEM.
