This is an updated and expanded version of advice that I’ve given many times in blog articles, white papers and conference papers. I’m not resurrecting it with reference to any particular phish (though I’m seeing an interesting selection of Apple-ID-targeting phishing mails at the moment), but because in the course of a conversation I had on a social media site, I promised to generate an update: sadly, there’s a continuing need for (hopefully) reliable advice on phishing.
Note that phishing is by no means restricted to email messages, but most of the advice given here also applies to other messaging media such as direct messaging in social media and instant messaging applications. Then there are telephone scams, but they probably deserve an article of their own, given the range of unpleasantness they cover.
The hope here is that the advice given here will make it a little easier to recognize a probable phishing message. It’s probably inevitable that I’ll offer more information than some people will want – it’s an occupational hazard among security professionals – but there’s a summary of the most important points in the Conclusion. However, the more detailed content should be of use to people and organizations using this material as the basis for educational and training initiatives, for instance.
Good Security Measures are Never Perfect
More often than not, the scammer knows that there’s a good chance that the message will be scanned by security software – sometimes by multiple applications (anti-virus, spam filtering, packet filtering, attachment filtering and so on) – for malicious content, malicious links and so on. If your mail provider does sound filtering you may hardly ever see workaday spam and phishing: Gmail, for example, is very good at diverting such things to a junk folder which you may never look at.
Maybe you should, occasionally, though. Automated filters can be overprotective, hiding messages you would really have liked to see, as well as letting through messages you really wouldn’t want to see if you had a choice. As was brought home by a somewhat different problem, to err is human, but to trust unequivocally in a complex algorithm – even a well-thought-out filtering application – is indescribably naïve. Computers may not make mistakes – at least, not in the same sense that human beings do – but computer programmers do, because even the best of them can’t take into account every possible circumstance. Your security software may not insensitively remind you of a recent tragic event, but it can overlook a malicious message and overreact to something innocuous: both good reasons not to assume that you are immune to the actions of criminals because you have security software. Your own awareness and knowledge should be part of your defensive strategy.
Security is Technology and People
Sometimes, then, a human being can be better at phish philtering (sorry) than automated detection of ‘suspicious’ messages by an application, but always remember that a scammer may well be more adept at manipulating a victim directly by psychological means (social engineering) than at (mis)using technology in some way. Common sense can get you a long way in determining whether a message is genuine or not, but sometimes it’s not enough. (In which case the commonsense rule is to assume that if you can’t be sure, assume the worst.)
Often, when it comes to information technology, a sensible and rational person is disadvantaged by a lack of techie knowledge: not everyone is obsessed with bits and bytes. (So I hear…) Which is exactly what tech support scammers (for example) rely on. Phishing is another activity that relies on victims who aren’t well-enough informed to distinguish between phish and phowl. My intention in this blog is not to turn victims into experts on reading mail headers or to offer a short course on criminal psychology, but to give enough information to enable them to sidestep some of the traps for the unwary.
All malware is targeted…
…it’s just that some malicious programs target more people than others. But whether or not malware is directly involved, catch-all scam messages have a basic flaw.
Most phishers know nothing about you. (We’re not talking about spear-phishing, targeted malware, APTs and so on here. In those instances, the malefactor has often done some research into the targeted individual before they make the first approach.) However, phishers generically targeting bank and credit card users, application marketplace account users, consumers of civic services and so on, normally take a scattergun approach, firing off volleys of messages in the hope of hitting the occasional target who is both a user of the service they’re pretending to be, and unwary enough to fall for the con.
- Email sent apparently from a provider you don’t use is obviously suspicious, though it’s surprising how often people ask whether a message they’ve received is a phish even though it’s from a banking or other service that they don’t use. Mistakes do happen, and you might, I suppose, receive mail intended for someone else. If you think this might be the case and you do intend to do anything about it, remember that the likelihood is that it’s a scam, and proceed accordingly. In other words, if the message includes an attachment or a web link to which you can respond, assume that they are malicious. It’s very common for malicious software such as ransomware to be distributed with a message along the lines of “Thank you for spending $650 dollars with us. Please open the attached document for further information.” Whereupon the attachment turns out to be some sort of Trojan. Don’t click on the attachment or link: contact the company using a telephone number, email address or contact form from a web site or other source of information that you know to be genuine.
- However, if you receive email apparently from a services provider that you do use but at an email address that you never use when you contact that particular bank or service, consider that equally suspicious. You can actually use this possibility as a way of increasing security. A potentially useful precaution is to create a separate email address (most ISPs will allow this, but you could also use a service such as Gmail to create extra accounts) with a unique name, e.g. mybanking.email@thedomain.com, and use that address exclusively for that activity, never publishing it anywhere or using it to send email for other purposes. This will provide an easy way of checking that a message was sent to you at the correct address. Bear in mind, though, that this isn’t a guarantee in itself that the message is genuine. Even if you never use the address for any other purpose, it’s possible that the address will fall into the hands of scammers. Even if it doesn’t, criminals can and do use software to auto-generate addresses that might or might not exist. They don’t really care if some of those mails don’t go anywhere, because they don’t pay postage and they don’t see bounce messages.
- If you do have an account with the institution apparently sending it to you, but the message isn’t personalized – that is, addressed to you using your own name or a specific identifier such as a verifiable account number – regard it as highly suspicious. Greetings like “Dear Lloyds Bank Customer” or “Dear eBay User” suggest that the sender is trying to catch anyone who happens to receive the mail, and they have no idea who you are or whether you really do have an account or business relationship with Lloyds or eBay. If the identifier is one of your email addresses (e.g. “Dear henry056@hotmail.com”), that is equally suspicious. It’s trivial for the scammer – or rather his software – to insert the targeted email address into the message, and you should assume that mail that ‘knows’ nothing about you but your email address – even though you have a relationship with the apparent sender – is not genuine (or at best spam).
- However, if a message does include your real name, that isn’t a guarantee that it is genuine. There are many ways of obtaining that information. In fact, sometimes it can be harvested from your full email identifier, without any need to find it out from other sources. If you do have an account identifier, especially a numeric or alphanumeric identifier – and if you don’t have such an identifier, maybe you shouldn’t be using the service – you should check it. For instance, it’s common for eBay phishes to include tags like “Your registered name is included to show that this message came from eBay,” without actually showing the registered name, or it might even use a made-up identifier in the hope that you won’t notice.
- Bear in mind that the fact that a message does indicate that the sender knows your personal details isn’t unequivocal proof that it’s a genuine message, either: it’s not unknown for data to be leaked from a service provider that doesn’t include login credentials, but does include enough information to enable a scammer to send you a personalized message.
- Reading message headers is a dark art requiring years of study at Hogwarts and a Ph.D. in the Dark Arts. Well, not really. But it’s pretty intimidating for people who aren’t well acquainted with the esoterica of messaging technology. However, here are a couple of things to watch out for, that don’t require you to read the full headers.
- If the mail doesn’t seem to be addressed to anyone, it was blind copied to you and, probably, any number of other people. Don’t trust it: if it deals with sensitive data, you can probably assume that the sender doesn’t know that your ‘unique’ message is actually being sent to multitudes of other people at the same time.
- It may seem to be addressed to someone else, including the apparent sender of the mail, or to a generic name such as “customer” or “clientlist.” This is sometimes appropriate for mail sent to many people, especially if the blind copy field is used to preserve their privacy. However, where the message concerns sensitive information such as banking data, it shows an inappropriate lack of personalization: assume it’s a fake.
But it’s from my bank!
If you receive email apparently from an institution with which you have a business relationship (say your bank, eBay, or a tax office) that doesn’t mean that you should accept it unquestioningly.
- If the message requires you to authenticate yourself to a web site and it’s not the sort of mail you’d expect to get from them, it’s suspicious. Security warnings are actually particularly suspicious: email advising you that your account has been compromised is a common phish type. A telephone notification can also be malicious, but it may be easier to ascertain whether it’s genuine: at any rate, it can’t be purely random, and there are ways of verifying such as calling back a known valid number (for instance, the number found on an account statement).
- Even if you are reasonably sure that the mail is genuine, do not click on an embedded URL directing you to a login page. If you have a pre-existing relationship with the organization, for instance if you already do e-Banking with them, you should already have a standard login procedure: use that rather than responding to a possibly random email. If you need to contact them by phone, avoid using phone numbers included in the message. Just as web sites can be spoofed, so can telephone numbers. Use the telephone directory or another trustworthy resource such as an account statement.
Behind the Camouflage
A particularly common trick (but also a clear indication of malicious intentions if you spot it) is an embedded URL that looks legitimate but has been modified to hide the real target. URLs can be obscured in many ways, though modern browsers have been updated to counter many of the camouflage techniques of yesteryear. However, if inspecting the source code for HTML mail or even passing the cursor over the URL shows a mismatch between the apparent site name and the target URL the browser actually sees, this is very suspicious. Suspicious, but not conclusive: many large organizations, including the big banks, use multiple domains for various purposes, and some outsource mail and other services to external companies whose domains don’t appear to have anything to do with the provider. Unfortunately, this is one of the practices that make the scammer’s life easier, but it’s a practice too firmly ingrained in modern business to expect it to be discontinued any time soon. Here are some other tricks used by scammers and spammers.
- Using a domain that looks like a known real address but is slightly and inconspicuously different. A simplistic example might be something like IIoydsbank.com, where here I’ve substituted a capital I for each of the two Ls at the beginning. A common variation today is to use a homoglyph: in the Unicode character set there are many characters that look to the casual eye (at least in some fonts) very much like others, but are for purposes of identifying a web address completely different. In the following representation of the ESET domain ‘welivesecurity.com’, ωϵІіѵєѕєсᴜᴦіțу.ϲοᶆ not one character is actually the US-ASCII character it resembles. Sitting there surrounded by standard Latin characters, the word looks quite odd (especially as the CMS doesn't allow me much flexibility with the font size or character set), but what if it was just one character different with a carefully chosen font and font size? For example, welivesecurity.cοm. (In this case, that 'o' is actually an omicron.)
[Added 9th January 2015. Here's a suggestion by Bruce Burrell: try pasting those two bogus welivesecurity.com URLs into Notepad (Other Text Editors Are Available), then search for the letter 'o'. This one - ωϵІіѵєѕєсᴜᴦіțу.ϲοᶆ - looks pretty odd, but this one - welivesecurity.cοm - is a lot sneakier. Paste it in then type the correct domain name in below it. Can you see the difference?]
- Typosquatting is procuring a domain name that might be typed accidentally by a victim trying to reach the real domain: for example, wellsfurgo.com. Of course, phishing isn’t the only reason for typosquatting. In fact, a bank (or other company) may try to buy up as many as possible of the domain names that might be used by scammers and other malefactors, including names that could be typed in error, but it’s practically impossible to predict all such variations. And then there are all the names that sound convincing because they include the bank’s name, but which they didn’t think to reserve: URLs like my[nameofbank].com or my[nameofcreditcard].com are certainly used, but are they all genuine?
- It’s perfectly possible in a number of ways to ‘spoof’ URLs so that they look like the real thing, but if you click on them they’ll go to a malicious site. Here’s a very simple example: nice-site.co.uk. Another technique for concealing malicious links is to set up a series of redirects from one harmless-looking site to others that aren’t so harmless. It’s possible (and common) for a legitimate site to be compromised in some way so that it includes malicious links. It isn’t even necessary for the site to be ‘infected’ for the scammer to introduce such deliberate misdirection.
- One common technique for hiding the URL to which the link will eventually take you is to use a URL-shortening service, including legitimate URL shorteners like TinyURL, bit.ly, t.co and so on. URL shortening is great for micro-blogging services like Twitter; however, because you typically cannot see the destination URL beforehand, there is a certain amount of risk. You cannot take it for granted that URL shortening services like bit.ly and TinyURL are redirecting you to trustworthy web sites. Indeed, spam tweets containing a short link to a spammy or unequivocally malicious site are all too common.
- There’s even more risk when you find a shortened link in a message you receive by email, instant messaging, and so on. It’s worth remembering that when a message isn’t restricted to the 160-character maximum of an SMS text message – Twitter reserves 20 characters for the user address, so the effective maximum for a tweet is 140 characters – there’s rarely a real need for obsessive trimming of message length, so you might well wonder whether a shortened URL in such a message (or a blog article, or a Facebook message) might be hiding something unpleasant. However, it’s not always the case. For example, it’s not unusual for services like Tweetdeck to post a single message not only to several Twitter accounts, but to Facebook. In such a case, a link automatically shortened for Twitter will also appear shortened on Facebook.
- LongURL [http://longurl.org/] lets you see the expanded version of a shortened URL before you go there. TinyURL will let you do this for tinyURLs. However longurl.org can expand URLs from a long list of other URL shorteners – see http://longurl.org/services.
- [Added 9th January 2015: Bruce Burrell points out that when he tried longurl.com on an adf.ly redirector it said there were zero redirects, which isn't actually the case. Moral: while URL decryptors may be a good idea, they're not infallible.]
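As an added example (my own code, not ESET’s or the author’s), here is a small checker that classifies a domain seen in a message against the domain you expected, covering the three tricks in the list above: Unicode homoglyphs such as welivesecurity.cοm, ASCII look-alikes such as IIoydsbank.com, and typosquats such as wellsfurgo.com. The confusable table is a constructed, deliberately small subset; a production tool would use the Unicode confusables data.

```python
"""Classify a domain seen in a message against the domain you expected.

Added example for this article (not ESET's or the author's code). Covers the
tricks listed above: Unicode homoglyphs, ASCII look-alikes and typosquats.
"""
import unicodedata

# Visually confusable ASCII characters mapped to one representative.
# Constructed, deliberately small subset; a real checker would use the
# Unicode confusables data (UTS #39).
CONFUSABLES = str.maketrans({"i": "l", "1": "l", "|": "l", "0": "o"})


def skeleton(domain):
    """Collapse look-alike ASCII characters so IIoydsbank and lloydsbank compare equal."""
    return domain.lower().translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def non_ascii_chars(domain):
    """Every non-ASCII character with its Unicode name (an omicron is not an 'o')."""
    return [(ch, unicodedata.name(ch, "UNKNOWN")) for ch in domain if ord(ch) > 127]


def scripts(domain):
    """Scripts used by the letters in the domain, e.g. {'LATIN', 'GREEK'}."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0] for ch in domain if ch.isalpha()}


def punycode(domain):
    """The xn-- form a browser actually resolves; None if the name is not encodable."""
    try:
        return domain.encode("idna").decode("ascii")
    except UnicodeError:
        return None


def edit_distance(a, b):
    """Levenshtein distance, to catch typosquats such as wellsfurgo.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(seen, expected):
    """Return 'genuine', 'non-ascii', 'confusable', 'typosquat' or 'unrelated'."""
    seen, expected = seen.lower(), expected.lower()
    if seen == expected:
        return "genuine"
    if non_ascii_chars(seen) or len(scripts(seen)) > 1:
        return "non-ascii"     # e.g. welivesecurity.cοm: review the punycode form
    if skeleton(seen) == skeleton(expected):
        return "confusable"    # e.g. IIoydsbank.com vs lloydsbank.com
    if edit_distance(seen, expected) <= 2:
        return "typosquat"     # e.g. wellsfurgo.com vs wellsfargo.com
    return "unrelated"


if __name__ == "__main__":
    # Constructed test cases taken from the domains discussed in the article.
    for seen, expected in [("welivesecurity.c\u03bfm", "welivesecurity.com"),
                           ("IIoydsbank.com", "lloydsbank.com"),
                           ("wellsfurgo.com", "wellsfargo.com")]:
        print(seen, "->", classify(seen, expected), punycode(seen), non_ascii_chars(seen))
```

The punycode form is what to compare with the real site: a browser resolves welivesecurity.xn--cm-…, not welivesecurity.com, when the ‘o’ is an omicron.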
Dangerous Liaisons and Dubious Attachments
Sometimes the real danger is in the attachment, which may be some form of Trojan or contain malicious links that aren’t present in the message. Security software is often cautious about attachments, and may even want to block all attachments, which is pretty safe but rather inconvenient for most of us. While good security software is actually more effective than competing sectors of the security industry might want you to think, malefactors continue to look for new approaches to slipping malware past the eye of the victim and the scans of security software.
You may think that the age of macro malware is long gone, but that’s not exactly the case. Targeted malware and so-called APTs continue to use documents rather than unequivocal program code as a vector, and it’s certainly not unknown for untargeted malware to take similar approaches, though it’s still the case that higher volumes of specific malware tend to be detected earlier by a wide range of security products.
Don’t Be Panicked into a Bad Move
One of the weapons in the phisher’s armoury is to present the ‘problem’ that requires you to log in as requiring urgent resolution (“You must log in within 24 hours or your account will be terminated for security reasons.”) This variation on a well-known sales technique (“Offer only lasts till the end of today!”) is intended to panic you into responding. Apart from increasing the pressure on the victim, it also works to the advantage of the phisher, who often needs an urgent response before law enforcement and other countermeasures are put into place, security software starts to detect a new threat, a malicious URL is identified and blocked, and so on.
Conclusion/Summary
The notes above refer to indicators of possible malice: they don’t in themselves usually constitute absolute proof of guilt or innocence on the part of the sender. They do, however, give you some idea as to whether it’s safe and sensible to go clicking on things without further investigation, especially if several of those indicators are to be found in the same message.
1) Does the message really show that the sender knows anything about you, let alone that you already do business with him?
- Competent service providers don’t send such messages addressed to ‘Dear Customer’ with no personalization to indicate that they really know who you are. Don’t fall for any spurious ‘personalization’ such as a meaningless and unverifiable reference number, either.
- If the message does include personal data, bear in mind that it’s not unequivocal proof that it’s genuine.
2) Expect the worst from attached files and embedded links.
- Competent service providers don’t send messages requiring you to log in via an embedded link, even if they do provide adequate personalization. If they do, (a) check the link independently against a known-good source and (b) consider switching to a provider with a clue about security.
- Don’t trust unsolicited files or embedded links, even from trusted businesses and friends. Even a security expert might make a mistake and leave an undesirable link live in a message or article. It’s easy to spoof e-mail addresses, for instance, so that an e-mail appears to come from someone other than the real sender. The nature of the 21st-century Internet means that there are many ways a message can conceal or disguise the identity of the sender. It’s also possible for mail to be sent from an innocent party’s account without his or her knowledge. If you’re in any doubt at all, check with the apparent sender. (If you mail or phone them to check, don’t use links or phone numbers given in the message: use contact details that you already know to be correct.)
- Don’t assume that links, telephone numbers and email addresses embedded in messages are correct, and don’t assume that a web link will take you to the address you can see. There are many ways to disguise a harmful link so that it looks like something quite different, whether it’s in e-mail, chat or whatever. The sophisticated ways in which malicious links are sometimes disguised in phishing e-mails so that they appear to go to a legitimate site has forced developers to re-engineer web browsers to make it easier to spot such spoofing. (Early phishing e-mails tended to rely on exploiting bugs in popular browsers to hide the real target link.)
3) Take elementary precautions
- Don’t forget to make use of elementary precautions such as passing the mouse cursor over the link so that the real link shows up. In some cases, though, the link that shows up that way is just the first in a series of redirected links, making it impossible to validate the ‘final destination’ without traversing the entire chain. In any case, it’s not always easy to distinguish a genuine site from a fake site just from the URL, even if the URL is rendered correctly. DNS cache poisoning, for instance, allows an attacker to redirect a web query to an IP address under the attacker’s control.
- Regard shortened links with extreme prejudice.
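As an added example (my own code, not ESET’s or the author’s), the following does the ‘hover over the link’ check for every link in an HTML message body at once: it compares the visible text with the real target, flags the shorteners named above, and reports link hosts outside the sender’s domain (suspicious but, as noted earlier, not conclusive, since banks do outsource to unrelated domains). The message body, the sender domain and the bit.ly path are constructed for the example.

```python
"""Do the 'hover over the link' check for every anchor in an HTML mail at once.
Added example for this article, not ESET's or the author's code."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Shorteners named in the article; a real tool would carry a longer list.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def looks_like_url(text):
    """True if the anchor text is itself a URL or bare domain (what the reader 'sees')."""
    return re.fullmatch(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#]\S*)?", text, re.I) is not None


def host_of(url):
    """Lowercase hostname of a URL or bare domain; '' if none."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def under_domain(host, domain):
    """True if host is the domain itself or a subdomain of it (not merely contains it)."""
    return host == domain or host.endswith("." + domain)


def assess_link(href, text, sender_domain):
    """Return a list of findings for one anchor; an empty list means nothing odd."""
    findings = []
    real = host_of(href)
    if looks_like_url(text) and host_of(text) != real:
        findings.append(f"visible text shows {host_of(text)} but link goes to {real}")
    if real in SHORTENERS:
        findings.append(f"shortened link via {real}: destination hidden")
    if real and not under_domain(real, sender_domain):
        findings.append(f"link host {real} is not under sender domain {sender_domain}")
    return findings


def inspect_links(html_body, sender_domain):
    """Return [(href, text, findings), ...] for every anchor in the body."""
    collector = LinkCollector()
    collector.feed(html_body)
    return [(href, text, assess_link(href, text, sender_domain)) for href, text in collector.links]


# Constructed sample phish body: example.net is a reserved documentation domain
# and the bit.ly path is a placeholder, not a real short link.
SAMPLE_MAIL = """
<p>Dear Customer,</p>
<p>Please <a href="http://secure-login.example.net/lb">log in to your account</a> within 24 hours.</p>
<p>Or visit <a href="http://secure-login.example.net/lb">https://www.lloydsbank.com/login</a></p>
<p>Your statement: <a href="http://bit.ly/PLACEHOLDER">http://bit.ly/PLACEHOLDER</a></p>
<p>Help: <a href="https://www.lloydsbank.com/help">https://www.lloydsbank.com/help</a></p>
"""

if __name__ == "__main__":
    for href, text, findings in inspect_links(SAMPLE_MAIL, "lloydsbank.com"):
        print(f"{text!r} -> {href}", *("\n   ! " + f for f in findings))
```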
4) Don’t let threats get to you
Don’t be panicked into reacting straightaway and without due caution by threats to suspend or remove your account (for instance) within (say) 24 hours. Most companies are not in such a hurry to alienate a good customer.
5) Don’t be click-happy
Don’t forget that just because you’re running anti-virus and other security software, that doesn’t mean that you can click indiscriminately on the assumption that your software will detect all malicious code and websites: no self-respecting security researcher or developer will claim that his or her software will detect all malicious code, known and unknown.
6) Don’t fall for slick presentation
The kind of crude, text-only phish (usually written in bad English) that we saw a few years ago is far rarer today, but the basic form of the attack hasn’t changed much: only the quality of the social engineering and the far more professional presentation.
However, the attack surface and range of vectors have broadened considerably: whereas most phishing attacks used to be delivered through email, we now see other forms of messaging exploited, such as SMS (texting), social media like Facebook and Twitter, even voicemail. And whereas phishing-related malware is still mostly Windows targeting, attacks that rely purely on social engineering and fake web sites might be delivered by any platform, including smartphones and tablets. The more cautious you are, the better informed you are, and the more you think before you click, the more chance you have of leaving phishing craft stranded.
More Information
Finally, here are a few ESET papers and blogs on phishing:
- A Pretty Kettle of Phish: a paper on phishing.
- The Spam-ish Inquisition: a paper on spams and scams
- Online Shopping and a Phishing Pheeding Phrenzy: an earlier series of blog articles on phishing.
- Phish Phodder: Is User Education Helping or Hindering? A paper on phishing quizzes and educational measures.
- Phish-related ESET blogs.
- Simulated (harmless) phishing site. No honestly, it is. Trust me. I'm a consultant.
ESET isn’t only about malware: if you have information or questions about phishing and other scams, we welcome comments below.
David (“I detect something phishy”) Harley
ESET Senior Research Fellow
Graphics by courtesy of Small Blue-Green World