Tony Anscombe, Chief Security Evangelist at ESET, highlights that if it looks like a duck, swims like a duck, and quacks like a duck, then it’s probably a duck. Now, how do you apply the duck test to defend against phishing?
The fall is an awesome time of year to get away and spend some time in the great outdoors. The criminally inclined, meanwhile, seem to ramp up their phishing campaigns, and the daily routine of deleting unwanted and malicious emails and SMS messages takes longer every day. October is Cybersecurity Awareness Month, and the second week of the month-long campaign to bring cybersecurity to the forefront of everyone’s minds is dedicated to the ‘Fight the Phish’ theme.
The hard truths
Would you be surprised to learn that just over 60% of entrants in a recent phishing quiz conducted by ESET, who were each shown four images of phishing or genuine messages, failed to identify all four correctly?
Called the ESET Phishing Derby and organized by the ESET team in the USA, the free-to-enter competition is designed to show just how competent we are at telling fake messages from real ones. The scoring system is based on both speed and correctly telling the messages apart, so the almost 40% counted as correct may include entrants who identified only three samples correctly but answered very quickly. In reality, then, the share identifying all four correctly is likely to be lower. The quiz was not designed to generate statistics; it was designed to create awareness and help educate the entrants on how to identify fake emails.
Interestingly, the results show a marked difference by age: 47% of participants aged 18-24 identified the samples correctly, compared to just 28% of those over 65. Those aged 25-44 achieved 45%, and 45-to-64-year-olds 36%. In case you are wondering about the validity of this data, the number of entrants was 4,292, and the data is a by-product of the quiz rather than an academic study. A similar result was seen when the same quiz was conducted by ESET Canada in late 2020, with 68% of participants failing to identify all four samples correctly. You can take the tests here or here.
What action should we take from the results? If you are reading this blog, then you are likely already engaged in learning more about cybersecurity and staying safe online. So, let me give you a challenge during this 2021 Cybersecurity Awareness Month: take the message about being cautious with emails and messages, along with the other good practices you may have adopted to stay safe online, and teach them to friends and family, with a very specific focus on helping those in their more senior years, as the data suggests they may benefit from a little more help.
You might think that with the continual awareness campaigns from financial organizations, cybersecurity companies, governments and the like driving the cybersecurity awareness message home, this number should be lower, much lower, and I might agree. However, some phishing emails that land in inboxes are so well crafted, and look and feel so much like the real deal, that it is much tougher to identify them as fakes. This challenge will only get harder as cybercriminals perfect their art.
Phresh phish
Last week, I received an email supposedly from American Express, notifying me that a suspicious transaction attempt had been blocked and requesting that I review my recent transactions. At first glance the email looks legitimate: it is well written and has good graphics. But there are some obvious signs that it is a fake.
For starters, I don’t have an American Express Business Platinum Card. If you do have one, though, it is understandable how this could trick you into taking the next step: opening the email and possibly clicking on the link contained within it. The email is designed to create an emotional reaction: ‘oh no, there is fraud on my account, I need to fix it, click’.
Another giveaway in this specific email is the generic salutation ‘Dear Card User’, followed by ‘Account starting with 37*****’. American Express knows who its customers are and does not refer to them generically in communications, and credit card companies normally identify an account by the more unique final digits of the number, not by the leading digits, which are shared by huge numbers of cards. As a past employee of American Express, I know that all cards issued by them start with 3 and the second number is either a ‘4’ or a ‘7’, so the number used in the email I received is generic and valid for many cardholders: a shotgun approach by the cybercriminal to catch a victim.
The resources readily available to cybercriminals are going to make phishes harder for their targets to detect: rentable cloud computing power, the massive amounts of personal information exposed by data breaches, and, to some degree, the proceeds of recent successful cyberattacks being reinvested to grow the cybercrime business sector. Now imagine the ‘American Express’ impersonating phishing email had included the cardholder’s name and the final four digits of the card number, gleaned from breached data: the likelihood of the recipient clicking the link would undoubtedly increase significantly.
Other red flags of phishing attacks
Here are a few more tips on how to identify a phishing email:
- The email does not address you personally, when the company that is supposedly the sender would know who you are and would typically address emails to you by name rather than generically.
- Grammar and spelling mistakes: as phishing emails improve, be sure to read the message twice, as the errors may be harder to spot.
- The email is unsolicited and from a company you have never communicated with.
- A call to take an action urgently: click a link and log in to review transactions, or similar.
- The email addressing: hover the mouse over the sender’s name and check the actual email address and the domain it was sent from. Bear in mind that a plausible-looking address is not proof of legitimacy, since the sender address itself can be forged; a mismatch, however, is a clear warning sign.
- Emails with attachments, for example, claiming to be an invoice or a notification of some type.
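The checks in that list can be automated, at least for the lazier fakes. The following Python script is an added example, not code from the original article or from ESET: it parses a raw email with the standard library and reports which of the red flags above it finds. The two sample messages (one modelled on the ‘American Express’ phish described earlier, one clean) and the small brand-to-domain table are constructed for the example, the attachment is a stub rather than a real PDF, and the domain comparison is a crude ‘last two labels’ guess rather than a proper public suffix lookup.

```python
# Added example: flag the phishing red flags listed above in a raw RFC 5322
# message. Samples, brand table and heuristics are constructed, not from ESET.
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: domains a brand legitimately sends from. A real deployment would
# maintain this list properly; one entry is enough for the example.
BRAND_DOMAINS = {"american express": {"americanexpress.com"}}

GENERIC_SALUTATION = re.compile(
    r"\bdear\s+(card\s*(user|holder|member)|customer|valued|user|member)\b", re.I)
URGENCY = re.compile(
    r"\b(immediately|urgent(ly)?|within\s+\d+\s+hours?|suspen(d|ded|sion)"
    r"|action\s+required|verify\s+now)\b", re.I)
# Leading digits of a card number identify the issuer, not the customer, so a
# real issuer would quote the final digits ("ending in 1005") instead.
LEADING_DIGITS = re.compile(r"\b(starting|beginning)\s+with\s+\d{2,}\**", re.I)
URL = re.compile(r"https?://[^\s\"'<>]+", re.I)


def registrable(host: str) -> str:
    """Crude registrable-domain guess: the last two labels (no public suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def body_text(msg) -> str:
    """Concatenate every text/* part that is not an attachment."""
    return "\n".join(part.get_content() for part in msg.walk()
                     if part.get_content_maintype() == "text"
                     and not part.is_attachment())


def analyze(raw: str) -> list[str]:
    """Return the names of the red flags found, in a fixed order."""
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    sender = registrable(addr.rpartition("@")[2])
    subject = str(msg.get("Subject", ""))
    body = body_text(msg)
    flags = []

    if GENERIC_SALUTATION.search(body):              # "Dear Card User"
        flags.append("generic_salutation")
    if URGENCY.search(subject) or URGENCY.search(body):
        flags.append("urgent_call_to_action")
    for brand, domains in BRAND_DOMAINS.items():     # display name vs real domain
        if brand in name.lower() and sender not in domains:
            flags.append("brand_domain_mismatch")
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and registrable(reply.rpartition("@")[2]) != sender:
        flags.append("reply_to_mismatch")
    if any(registrable(urlparse(u).hostname or "") != sender
           for u in URL.findall(body)):              # links lead elsewhere
        flags.append("link_domain_mismatch")
    if LEADING_DIGITS.search(body):
        flags.append("leading_digit_account_reference")
    if any(part.is_attachment() for part in msg.walk()):
        flags.append("has_attachment")
    return flags


# Constructed sample modelled on the 'American Express' phish described above.
PHISH_SAMPLE = """\
From: "American Express" <alerts@amex-account-services.example>
Reply-To: support@amex-verify.example
To: victim@example.org
Subject: Action required: suspicious transaction blocked
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Dear Card User,</p>
<p>We blocked a suspicious transaction on your Business Platinum Card
(Account starting with 37*****). Review your recent transactions within
24 hours to avoid suspension.</p>
<p><a href="http://amex-verify.example/login">Review transactions</a></p>
--b1
Content-Type: application/pdf; name="Statement.pdf"
Content-Disposition: attachment; filename="Statement.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

# Constructed legitimate-looking message for comparison.
LEGIT_SAMPLE = """\
From: "American Express" <alerts@americanexpress.com>
To: victim@example.org
Subject: Your statement is ready
Content-Type: text/plain; charset="utf-8"

Dear Ms. Example,
Your statement for the card ending in 1005 is ready at
https://www.americanexpress.com
"""

if __name__ == "__main__":
    for raw in (PHISH_SAMPLE, LEGIT_SAMPLE):
        print(analyze(raw))
```

Treat the output as a prompt to look closer, not a verdict: the From address and display name are entirely under the sender’s control, so a message that passes these checks can still be a phish, and the salutation and urgency patterns will occasionally flag genuine mail.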
My recommendation, where uncertainty remains about whether an email is real or fake, is to visit the website of the supposed sender directly through a browser, by typing the address yourself or using a bookmark rather than clicking the link in the email, log in to your account and look for any messages there. Anything important will be in the account messages or inbox, and if needed, contact the company and validate the request.