Don’t take the bait — a guide to online phishing scams

Written by Niall Carolan, Invotra

Suspicious emails. Dodgy websites. They’re out there… and they’re out to get you. But, how can you tell what you can trust?
 In the modern age of the internet, cybercrime is on the rise. In 2017 alone, a total of £4.6bn was stolen from British internet users according to cybersecurity firm ‘Symantec’.

Phishing scams

One of the most common ways of targeting internet users is the phishing scam. Phishing scams are attempts by criminals to obtain sensitive information by posing as a legitimate & trustworthy source. Their goal is to trick you into giving out details such as bank account/credit card numbers or passwords.

In this blog, we will cover the two most common phishing scams that you might encounter and how you can avoid falling victim to them. You will likely recognise some of the attacks listed below… and in the past you might have been caught out by them (possibly without realising)!

Fake emails

Phishing emails claim to be sent from a trusted or well-known source, such as a bank or retail company.

They will often ask you to click on a link (leading to a fake website) or to download/open an attachment that would install malicious software onto your device.

It is common for phishing emails to create a sense of urgency to distract you and prompt a quick response. Typically, this might be achieved by:

  • Asking you to renew an expiring password.
  • Warning you about unauthorised or suspicious activity on your account.
  • Citing purchases that you do not recognise.
  • Sending a limited-time offer.

Basic phishing emails will not address you by name. Instead, they will use greetings like “Dear customer” because identical emails will be sent to multiple people. More sophisticated attempts, called ‘spear phishing’, can include personal information in the email such as your name, company, address, telephone numbers etc. to increase the authenticity. Phishers can also target individuals within an organisation, posing as a boss to make requests for data or money transfer.

Watch out for:

  • Generic greetings i.e. the email is not specifically addressed to you.
  • Visual cues where something feels ‘off’ compared to known emails from the actual sender. Be careful though as scammers can use company logos and other branding to appear legitimate.
  • Mentions of activity you have not performed, such as purchases or login attempts. This is used to scare you into taking quick action.
  • Fake sender addresses. Notice the difference between [email protected](fraudulent) and [email protected] (legitimate).
  • Bad grammar and typos.
  • Suspicious/unexpected requests from bosses or colleagues.
  • Unexpected attachments or requests for certain information. This can be a dead giveaway! For example, Amazon tell you that they never ask you for the following information in an email:
  • Your Amazon password.
  • Your bank account information, credit card number, PIN number, or credit card security code (including “updates” to any of the above).
  • Your National Insurance Number.
  • Your mother’s maiden name or other information to identify you (such as your place of birth or your favourite pet’s name).

What to do:

  • When you suspect an email is fake, the best course of action is to ignore it completely; this means don’t reply to it, open or download any attachments, or click on any links.
  • Avoid opening suspicious emails if you can.
  • If you’ve received a concerning email about an account, you can safely check your account history by logging in to the site after using a search engine, bookmark or URL to get to there. Don’t use any links provided in an email unless you trust it.
  • If you have received a suspicious email claiming to be from someone you work with, make sure to double-check that they sent the email. You can either email that person directly using a trusted email address, call them on a trusted number, or ask them about it in person.

Modern email services, like Gmail, automatically move emails known to be untrustworthy to your spam folder. However, there might be additional security settings available that you can configure for your personal or company email. For example, here is an article by Google detailing how you can enhance your phishing and malware protection in Gmail: Google Support.

Fake websites

Links to fake sites are typically included within phishing emails. They tend to use legitimate-sounding domain names and can copy the look & feel of real websites to trick you (called ‘spoofing’).

These types of phishing emails will establish a fake scenario and instruct you to click on a supplied link to resolve something. Depending on the scenario, they might take you to a fake login page or a page asking you to confirm credit card information.

Some examples of fake website domains are:

  • halifaxonline-uk.com
  • itunes-security.net
  • ssl-paypai-inc.com

The above examples can be easy to spot if you know what the website domain should look like. There is, however, a sneakier way of tricking you into accessing a fake website.

“Homoglyph attacks” use lookalike characters from foreign alphabets to make a fake domain look like its real counterpart. A popular example of this vulnerability was demonstrated in 2017 by Xudong Zheng who used homoglyphs to create a fake Apple website. Here’s the link: https://www.аррӏе.com. Don’t worry, this link is completely safe to use! If you’d like to read more about this vulnerability, you can find a link to Xudong’s blog post when you visit the fake apple site.

If you want to see how easy it is to create lookalike domain names, you can use this homoglyph generator and follow the instructions: Iron Geek.

Here is a fake Amazon URL I created using the generator: www.amаzоn.co.uk. Can you tell that it’s fake?

The latest version of Chrome will convert foreign characters to Punycode. This means that my previous www.amаzоn.co.uk example appears like this in the URL bar:

Firefox on the other hand still displays the homoglyph characters!

When checking if a website is safe or not, a lot of internet users will look for a “Secure” padlock in their address bar or “https” in the URL. This is a sign that the site is encrypted; legitimate websites use this to help protect your confidential information.

Be aware that encryption alone does not ensure that the site you are accessing can be trusted. Fake websites have been able to obtain security certificates in the past! Encryption only means that the information you are entering is being sent securely over the internet. You can still send information securely to a scammer.

A real example

At Invotra, our employees are occasionally the target of phishing scams. Having an awareness of the common traits we’ve covered in this blog ensures that we are less likely to get caught out. Here is an example of a real phishing email sent by a scammer posing as our CEO Fintan Galvin. First, they asked for a request to be processed and then followed up by asking the targeted employee to make a payment.

Luckily, this email was automatically marked as spam by Gmail. If we imagine this wasn’t the case, what clue gives away the fact that this is a phishing email? Take a look at the email address that the email was sent from. The sender’s address is “executive.officemail.aol.com” which is not an “example@invotra.com” address we would expect.

To conclude, some companies unfortunately don’t always get things right. In 2017, Equifax were caught tweeting out fake links which they thought were for their own site. They linked to www.securityequifax2017.com, which was an imitation of the real site www.equifaxsecurity2017.com. Oops!

Originally posted here

More thought leadership


Originally published at digileaders.com on November 8, 2018.