Phishing


STOP PRESS We’ve recently added a new layer to our email filtering engine, Avalanche, that targets the rising threat of Snowshoe Spam.

What is Phishing – and how to spot Phishing emails

It is increasingly common to hear of yet another email scam: a fraudulent email that appears to come from a legitimate source and makes a seemingly reasonable request. One example is an email that appears to be from your bank or credit card company, asking you to click a link and verify your online banking details. Usually the email contains a veiled threat that plays on the reader's fear, uncertainty and doubt about not following the link, such as a warning that the account will be closed or suspended. The aim is to get you to disclose personal information that is of use to the scammer. This type of email scam is generally referred to as phishing.

Communications purporting to be from popular social web sites, auction sites, banks, online payment processors, or IT administrators are commonly used to lure unsuspecting targets. Phishing emails may also contain links to websites that are infected with malware.

Phishing is typically carried out by email spoofing (forging the visible sender address) and often directs users to enter details on a fake website whose look and feel are almost identical to the legitimate one.

Phishing is an example of social engineering techniques used to deceive users, and exploits the poor usability of current web security technologies. Attempts to deal with the growing number of reported phishing incidents include email filtering platforms, government legislation, end user training and public awareness.

Phishing, also referred to as brand spoofing or carding, gets its name from fishing: bait is thrown out in the hope that, while most will ignore it, some will be tempted into biting.

Why is Phishing Successful for Scammers?

Phishing emails are blindly sent to millions of recipients at a time. By spamming such large numbers of people, the scammer relies on the email being read and acted upon by the percentage of recipients (possibly an extremely small one) who actually have a relationship with the legitimate company or organisation being spoofed in the email and the corresponding web page.

What to look for:

  • The information provided in the email. Use your favourite search engine to check the content and the sender's name and see whether they are genuine; known scams are often already reported.
  • The look and design of the message. It is often very poor, and the message may link to a logo on the spoofed company's own site rather than embedding it.
  • Use of language. Grammatical errors and language that is either too formal or very informal are often a giveaway.
  • The return email address. The display name may read "Customer Services", but it is very easy to make the From line show anything the sender wants. Look at the actual address, and at the Reply-To and Return-Path headers, which will often turn out to be an unrelated account.
  • Hover over the links to see where they really go, if anywhere. Dead or non-existent links are a giveaway, as are ones containing random numbers or letters or an odd suffix. A common tactic is to register variations of recognisable web addresses that look legitimate at first glance (such as www.veyrgoodemail.com) but are slightly altered by adding, omitting or transposing letters; this is commonly called typosquatting, a form of cybersquatting.
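The last two checks in the list (the true sender address, and where the links really go) can be automated. The script below is an added example written for this page, not code from the Avalanche filtering engine or any other product. It parses two constructed messages (every address, domain and URL in them is made up; verygoodemail.com is assumed to be the only domain the spoofed organisation sends from) and reports four indicators: Reply-To or Return-Path domains that differ from the From domain, link text that shows one host while the href points to another, links to bare IP addresses, and link domains within a couple of edits of a trusted domain.

```python
"""Phishing-indicator checks on a raw email message (added example, not the page's own code)."""
import email
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption for this example: the only domain the organisation really sends from.
LEGITIMATE_DOMAINS = {"verygoodemail.com"}

# Constructed sample phishing message: every address, domain and URL is made up.
PHISH_EMAIL = b"""From: "Customer Services" <security@verygoodemail.com>
Reply-To: verify-account@mail-verify-4421.example
Return-Path: <bounce@mail-verify-4421.example>
To: victim@example.org
Subject: Your account will be suspended
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account will be closed unless you verify your details within 24 hours.</p>
<p><a href="http://www.veyrgoodemail.com/login?id=83ksd92">https://www.verygoodemail.com/login</a></p>
<p><a href="http://192.0.2.10/secure">Secure banking portal</a></p>
</body></html>
"""

# Constructed legitimate message for comparison: headers and link all agree.
CLEAN_EMAIL = b"""From: "Customer Services" <security@verygoodemail.com>
Reply-To: support@verygoodemail.com
Return-Path: <bounce@verygoodemail.com>
To: customer@example.org
Subject: Your monthly statement is ready
Content-Type: text/html; charset="utf-8"

<html><body><p><a href="https://www.verygoodemail.com/statements">View your statement</a></p></body></html>
"""

ANCHOR_RE = re.compile(r'<a\b[^>]*\bhref\s*=\s*"([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def levenshtein(a: str, b: str) -> int:
    """Edit distance: number of insertions, deletions or substitutions to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host: str) -> str:
    """Naive 'last two labels'; real code should use the Public Suffix List (co.uk etc.)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def lookalike(domain: str, max_distance: int = 2):
    """Return (trusted_domain, distance) when domain is a near miss of one we trust."""
    if domain in LEGITIMATE_DOMAINS:
        return None
    for good in LEGITIMATE_DOMAINS:
        d = levenshtein(domain, good)
        if 0 < d <= max_distance:
            return good, d
    return None


def header_domain(msg, name: str):
    """Domain part of the address in a header, or None if the header is absent."""
    addr = parseaddr(msg.get(name, ""))[1]
    return addr.rpartition("@")[2].lower() or None


def analyse(raw: bytes) -> list:
    """Return (kind, detail) findings for the indicators described in the list above."""
    msg = email.message_from_bytes(raw)
    findings = []
    # 1. The true sender: do Reply-To and Return-Path agree with the displayed From?
    from_dom = header_domain(msg, "From")
    for hdr in ("Reply-To", "Return-Path"):
        dom = header_domain(msg, hdr)
        if from_dom and dom and registered_domain(dom) != registered_domain(from_dom):
            findings.append(("sender-mismatch", f"{hdr} is {dom}, From is {from_dom}"))
    # 2. The links: where do they really go? (single-part HTML body in this example)
    charset = msg.get_content_charset() or "utf-8"
    body = msg.get_payload(decode=True).decode(charset, "replace")
    for href, inner in ANCHOR_RE.findall(body):
        host = (urlparse(href).hostname or "").lower()
        text = re.sub(r"<[^>]+>", "", inner).strip()
        shown = urlparse(text).hostname if re.match(r"https?://", text, re.I) else None
        if shown and shown.lower() != host:
            findings.append(("link-text-mismatch", f"shows {shown}, goes to {host}"))
        hit = lookalike(registered_domain(host))
        if IPV4_RE.fullmatch(host):
            findings.append(("ip-link", f"{href} uses a bare IP address"))
        elif hit:
            findings.append(("lookalike-domain", f"{host} is {hit[1]} edits from {hit[0]}"))
    return findings


if __name__ == "__main__":
    for label, raw in (("phish", PHISH_EMAIL), ("clean", CLEAN_EMAIL)):
        print(label, analyse(raw))
```

Run against the constructed phishing message this reports five findings (two sender mismatches, the link whose text and target differ, the same link's typosquatted domain, and the bare-IP link); the clean message yields none. The edit-distance threshold of 2 catches transposed or single substituted letters but will also match unrelated short domains, so in practice it is a prompt for a human look rather than a verdict on its own.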

Don’t forget: emails that sound too good to be true usually are! Checking the points above, as well as having quality email filtering in place, will help you minimise the risks.