Phish Avoidance

Here's a shortened and updated version of the advice that David Harley and Andrew Lee gave to potential phish victims in an earlier paper.

The infographic isn't from the paper, but has been used by ESET before, notably in a blog article by Randy Abrams. You may still find it useful, but bear in mind that phishing is by no means restricted to email messages, and that sometimes the real danger is in the attachment, which may be some form of Trojan or contain malicious links that aren't present in the message.

  • Email sent apparently from a provider you don't use is obviously suspicious. However, if you receive email apparently from a services provider that you do use but at an address that you do not use when you contact that particular bank or service is always suspicious. One precaution is to create a separate email address (most ISP's will allow this, but you could also use a service such as Gmail to create extra accounts), with a unique name, e.g. (mybanking.email@thedomain.com), and use that address exclusively for that activity, never publishing it anywhere or using it to send email for other purposes. This will provide an easy way of checking that it was sent to you at a correct address.
  • If you do have an account with the institution apparently sending it to you, but the message isn't personalized that is, addressed to you using your own name or a specific identifier such as a verifiable account number regard it as highly suspicious. Greetings like Dear Lloyds Bank Customer or Dear eBay User suggest that the sender is trying to catch anyone who happens to receive the mail, and they have no idea who you are or whether you really do have an account or business relationship with Lloyds or eBay. If the identifier is one of your email addresses (e.g. Dear henry056@hotmail. com , that is equally suspicious. It's trivial to insert the email address into the message, and you should assume that it is not genuine.
  • However, if it does include your real name, that isn't a guarantee that it's genuine. There are many ways of obtaining that information. In fact, sometimes it can be harvested from your full email identifier, without any need to find it out from other sources. If you do have an identifier, especially a numeric or alphanumeric identifier and if you don't have such an identifier, maybe you shouldn't be using the service you should check it. For instance, it's common for eBay phishes to include tags like Your registered name is included to show that this message came from eBay, without actually showing the registered name, or it might even use a made-up identifier in the hope that you won't notice.
  • Reading message headers is a dark art requiring years of study at Hogwarts. Well, not really. But many people are intimidated by it. However, here are a couple of things to watch out for, that don't require you to read the full headers.

-                               If the mail doesn't seem to be addressed to anyone, it was blind copied to you and, probably, any number of other people. Don't trust it.

-                               It may seem to be addressed to someone else, including the apparent sender of the mail, or to a generic name such as customer or clientlist. This is sometimes appropriate for mail sent to many people, especially if the blind copy field is used to preserve their privacy. However, where the message concerns sensitive information such as banking data, it shows an inappropriate lack of personalization.

  • If you receive email apparently from an institution with which you have a business relationship (say eBay, or a tax office) that doesn't mean that you should accept it unquestioningly. If the message requires you to authenticate yourself to a web site and it's not the sort of mail you'd expect to get from them, it's suspicious. Security warnings are actually particularly suspicious: email advising you that your account has been compromised is a common phish type. A telephone notification can also be malicious, but it may be easier to ascertain whether it's genuine: at any rate, it can't be purely random, and there are ways of verifying such as calling back a known valid number (for instance, the number found on an account statement).
  • Even if you are reasonably sure that the mail is genuine, do not click on an embedded URL directing you to a login page. If you have a pre-existing relationship with the organization, for instance if you already do e-Banking with them, you should already have a standard login procedure: use that rather than responding to a possibly-random email. If you need to contact them by phone, avoid using phone numbers included in the message. Just as web sites can be spoofed, so can telephone numbers. use the telephone directory or another trustworthy resource such as an account statement.
  • A particularly common trick (but also a clear indication of mischief if you spot it) is an embedded URL that looks legitimate but has been modified to hide the real target. URLs can be obscured in many ways. However, if inspecting the source code for HTML mail or even passing the cursor over the URL shows a mismatch between the apparent site name and the target URL the browser actually sees, this is very suspicious. For example:

-                               Deceptive text inserted between http:// and an @ symbol: this may include the apparent target name, but will be ignored by the browser, which will only interpret the text that follows the @ as the domain name.

-                               The domain name may be expressed as an IP address in one of several formats (dotted-decimal, dword, hexadecimal or octal). The characters forming the URL may also be expressed as hex: there are some examples at http://www.pc-help.Org/obscure.htm.

-                               The URL may be made so long that it cannot be completely displayed in the status bar.

-                               The URL may include a domain name that is not quite the same as the company's real domain, but is similar enough to evade a cursory glance.

  • One of the weapons in the phisher's armoury is to present the problem' that requires you to log in as requiring urgent resolution ( You must log in within 24 hours or your account will be terminated for security reasons. ) This variation on a well-known sales technique ( Offer only lasts till the end of today! ) is intended to panic you into responding.
  • Apart from increasing the pressure on the victim, it also works to the advantage of the phisher, who often needs an urgent response before law enforcement and other countermeasures are put into place.

The kind of crude, text-only phish (usually written in bad English) that we saw a few years ago is far rarer today, but the basic form of the attack hasn't changed much: only the quality of the social engineering and the far more professional presentation.

However, the attack surface and range of vectors have broadened considerably: whereas most phishing attacks used to be delivered through email, we now see other forms of messaging exploited, such as SMS (texting), social media like Facebook and Twitter, even voicemail. And whereas phishing-related malware is still mostly Windows targeting, attacks that rely purely on social engineering and fake web sites might be delivered by any platform, including smartphones and tablets.

David Harley, ESET Senior Research Fellow
Urban Schrott, IT Security & Cybercrime Analyst, ESET Ireland

< Back to Part 1 >   < Back to Part 2 >