Staying Ahead of Phishing Emails

Ika Yulianti Rosita
Mandiri Engineering
5 min read · Jun 12, 2020

An individual’s lack of awareness and inability to identify social engineering attacks can lead to a security breach or financial loss. Hence, the human is often regarded as the weakest link in information security. Increasingly, phishing (a social engineering technique) has become the attack vector of choice. According to the Verizon Data Breach Investigation Report 2020, phishing has ranked as the top attack vector for the last two years, indicating that this method is widely chosen by attackers to launch attacks and achieve their objectives. As a consequence, phishing continues to pose a real threat to both organizations and customers.

Figure 1. Attack vectors in breaches over time (Verizon, 2020)

To put things into perspective, financial institutions (i.e., banking, securities and insurance companies) form one of the industries most prone to this attack.

Figure 2. Phishing’s most targeted industry by 1st quarter of 2020 (APWG, 2020)

Phishing is a method used by cybercriminals to steal customers’ personal data and financial account credentials. Phishing attempts usually appear as spoofed emails purporting to be from a known associate, business, agency or colleague. They are crafted to lead consumers to reveal sensitive information, such as the credentials to an online banking account. Attackers do this by leading victims to a fake login page or, in some cases, by planting malware on the victim’s computer through drive-by downloads.

Types of Phish

1. Spear Phishing
Spear phishing refers to a phishing scam that targets a specific individual or a small group of individuals. In a spear-phishing attack, the attacker has to collect as much information as possible before crafting a genuine-looking email, which increases the success rate of the attack. This kind of attack usually has a specific objective, as it targets individuals or a small group of individuals.
2. Whaling
Whaling is used to describe phishing attacks (usually spear phishing) explicitly directed at executive officers or other high-ranking profiles within a business, government or other organization. Other than stealing personal data, this kind of attack also pursues business information (Indiana University, 2016).

How to Detect Phishing Email

Fortunately, there are some characteristics that you can look out for in emails. These characteristics or traits allow you to discern between a legitimate request and a phishing attempt. Hence, you can build your own awareness with these tips:

  1. Emails with urgent action required.
    One of the most effective ways to persuade users to click on a malicious link is to inform them that their action is required to regain access to an account that has been suspended for imaginary reasons. Hence, most phishing emails include an urgent “call to action” to persuade readers to act immediately (i.e. click on the link). Pay attention and be sceptical of emails that claim your account has been suspended. If possible, open a separate browser window and verify the authenticity of the message through the institution’s official site.
  2. Similar, but wrong official address.
    To deceive victims, attackers often use an email address that is similar to the real one. For example, if Bank Mandiri’s official email address is ib@bankmandiri.co.id, an attacker might use an email address such as ib@bankmandiricom.tk. Keep an eye out for suspicious-looking email addresses. If possible, verify the authenticity of a suspicious-looking email address before replying with sensitive information.
  3. Generic greeting.
    Because most phishing emails are sent in bulk, they are not personalized. As such, phishing emails often start with a generic greeting, for example “Dear Customer”, “Dear Member” or “Dear Nasabah”. If you receive an email that starts with a generic greeting, stay cautious and look out for other indicators that may suggest that the email is a phish.
  4. Spelling errors, grammatical errors, or inferior graphics.
    Poorly crafted phishing emails are known to be riddled with spelling and grammatical errors. If you come across an email notice from a bank that is full of grammatical or spelling errors, you can be sure that it is a phishing email.
  5. Link to a fake web site.
    Most phishing emails require the reader to click on a link provided by the attacker. To steal the victim’s credentials, the attacker inserts a link that leads to an official-looking website that belongs to the attacker. This website usually includes a login screen that captures the username and password that the victim keys into the fake login page. Additionally, these websites may have URLs or domains that are similar to the real site. For example, the URL of Bank Mandiri’s internet banking is https://ibank.bankmandiri.co.id. The attacker might craft a fake login page with a URL such as http://ibank.bankmandiricom.tk. Keep an eye out for links provided in suspicious emails. If possible, open a new browser window and use a search engine to bring you to the real domain and login page.
  6. Understand that established institutions will never ask you for sensitive information.
    Established institutions such as banks will never ask you for account passwords or additional credit card information. For example, Bank Mandiri will never ask customers for credential data such as passwords or PINs. If you have received such a request, you have likely received a phishing email.
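A small triage script that applies traits 2, 3 and 5 above, plus the urgency cue from trait 1, to one message, as an added example that is not part of the original article. It reuses the article’s own sample addresses; the bankmandiri.co.id allowlist, the simplified public-suffix handling and the keyword lists are assumptions made for the example.

```python
import re
from urllib.parse import urlparse

# Official domain taken from the article; anything else is untrusted. A real
# deployment would load this list from configuration rather than hard-code it.
OFFICIAL_DOMAINS = {"bankmandiri.co.id"}
GENERIC_GREETINGS = ("dear customer", "dear member", "dear nasabah")
URGENCY_PHRASES = ("suspended", "immediately", "within 24 hours", "verify your account")

def registrable_domain(host: str) -> str:
    """Part of a host the brand actually controls. Assumption: a two-label public
    suffix such as co.id; a real implementation should use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in ("co", "com", "ac", "go") and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def looks_like_official(host: str) -> bool:
    """True when host is NOT official but embeds an official brand label, e.g.
    bankmandiricom.tk or bankmandiri.co.id.evil.tk both contain 'bankmandiri'."""
    if registrable_domain(host) in OFFICIAL_DOMAINS:
        return False
    brands = {d.split(".")[0] for d in OFFICIAL_DOMAINS}
    return any(b in host.lower().replace("-", "") for b in brands)

def analyze_email(sender: str, body: str) -> list:
    """Return the indicators found in one message. An empty list means none of the
    article's traits were seen; it is not proof that the email is legitimate."""
    findings = []
    sender_host = sender.rsplit("@", 1)[-1].strip("> ")
    if looks_like_official(sender_host):
        findings.append(f"sender domain {sender_host} imitates an official domain")
    lowered = body.lower()
    if any(g in lowered for g in GENERIC_GREETINGS):
        findings.append("generic greeting")
    if any(p in lowered for p in URGENCY_PHRASES):
        findings.append("urgent call to action")
    for url in re.findall(r"https?://\S+", body):
        url = url.rstrip(".,)")
        parsed = urlparse(url)
        host = parsed.hostname or ""
        if looks_like_official(host):
            findings.append(f"link host {host} imitates an official domain")
        if parsed.scheme != "https":
            findings.append(f"link {url} is not HTTPS")
    return findings

if __name__ == "__main__":  # constructed sample message modelled on the article
    print(analyze_email("ib@bankmandiricom.tk",
          "Dear Customer, your account has been suspended. "
          "Restore access immediately at http://ibank.bankmandiricom.tk"))
```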

Phishing Example

Here is an example to illustrate common characteristics that you can look out for in a phishing email.

Figure 3. An example of a phishing email

If you are still unsure…

If you are still unsure or do not entirely trust your ability to detect phishing emails, there are still some precautions you can take to stay safe.

  1. Anti-Phishing Software
    You can install anti-phishing software to help you better detect phishing emails. PhishTank and ZoneAlarm are examples of anti-phishing software. Some antivirus software also features built-in phishing detection.
  2. Contact the customer call centre to verify the email.
    A call centre or customer care line, such as Mandiri Call 14000, is a reliable source of information. So, when you are not certain of an email’s authenticity, call the respective hotline to verify the message before you click on a link or open an attachment. You can find a company’s hotline by using the search engine of your choice.
  3. Report the phish to your organization.
    If you are an employee, it is possible that the phishing email you received is a precursor to a larger attack. Some high-profile data breaches were initiated by a phishing email sent to an employee or a vendor’s employee. The stolen credentials were used to penetrate the organization’s internal network before the attackers started exfiltrating credential data to their own servers. The breach might have been avoided if the phishing email had been detected earlier in the kill chain.

References:
1. Anti-Phishing Working Group. 2020. “Phishing Activity Trend Report, 1st Quarter 2020.”
2. Indiana University. 2020. “Avoid Phishing Scams.”
3. Verizon. 2020. “Data Breach Investigation Report, 2020.”
