
That Time I Clicked on a Phish

April 16, 2019

As a security leader for the past 17 years, I expect myself to be exemplary on the topic of recognizing phishing scams, and I have tried to model this for others. Still, there have been a couple of occasions where even I started to "take the bait". In both cases, these were mass-mailings and not company-targeted phishes – one related to a desktop upgrade that our company happened to be undergoing at the same time. In each of these cases, I was instructed to click a link to carry out some "company requested" task. After doing so, I examined the next page, which didn't look quite right. Then I realized I'd been duped. However, no harm was done as I didn't complete the forms that were attempting to steal my login credentials or other important information. For a security leader, both of these felt a little bit like a "near-death" experience, complete with an adrenaline rush and the realization that I had almost fallen for a ruse with potentially dire consequences. I was close to being "that guy."

Internal controls are great. But. 

Thankfully, my company had a comprehensive defense-in-depth for all its endpoints, including anti-virus, advanced anti-malware, network-based phishing message filtering and URL protection, and network and desktop firewalls and IPS. However, even with such a collection of defenses, I never assume that IT security can protect me from myself 100% of the time, and neither should anyone else. The first and last best defense is the human who is examining every single incoming message, thoughtfully (I hope) considering its source, subject line, directed action, and then making a good decision about it.

Telling the difference

The experiences I mentioned gave me first-hand insight that good phishing scams can be difficult to discern. As attackers become more and more sophisticated (poor English notwithstanding), determining what is genuine and what is fake is getting more and more difficult, even for conscientious, trained “experts.” 

With email overload still a fact of life (even with team tools), especially after any time away from the office, the precious time needed to examine an email is sometimes the first thing to fall by the wayside. A refresher is never a bad idea, and with more than two-thirds of advanced cyber attacks beginning with phishing, it's a great idea to mentally go through a quick checklist to help even the most experienced among us avoid being duped.

  1. Does the email just sound "off"? Sometimes your gut is already aware.
  2. Is the email from someone within your organization or outside of it? Double-check the sender address: a lack of company details can be a red flag, as can a slight typo in a colleague's name or in the domain name (johnsmith@whycompany.com vs jonsmith@whycompany.com, or johnsmith@whycompany.com).
  3. Is the email impersonal, addressing you as "Dear Member," "Dear User," or the like rather than by name?
  4. Are there typos, does the grammar or language feel "off," or does it use URGENT, DANGER, or other emotionally charged words to pressure you into acting?
  5. Hover over a few text or image links, like logos, but do NOT click on them, to discern where they are directing a click. URL protection is a double-edged sword here: with such a system in place, hovering over links doesn't always show the link's true destination; however, URL protection often prevents a user from visiting a site known to be malicious or fraudulent.
  6. When visiting any site that asks you to fill out a form or provide personal information, look for https in the URL, not just http, to be sure the connection is encrypted. However, be aware that many cybercriminal organizations do have SSL certificates on their phishing sites, so https only proves that the connection is encrypted, not that the site is legitimate.
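Items 2 through 6 of this checklist can be turned into mechanical checks that a mail-security or SOC team can run over a suspicious message before a person has to decide. The script below is an added example written for this post, not code from the author or from Optiv; it assumes a company domain of whycompany.com and a short list of known colleague addresses (both constructed, matching the addresses used in item 2), and the two sample messages it parses are constructed for the example. It flags lookalike sender addresses (one or two edits away from a known colleague or from the company domain), generic greetings, pressure words in the subject or body, links whose visible text shows a different host than the href actually points to, plain-http links, and link hosts that merely contain the company name.

```python
"""Heuristic phishing checklist run over a raw RFC 822 message (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed organisation data; constructed for this example.
COMPANY_DOMAIN = "whycompany.com"
KNOWN_SENDERS = {"johnsmith@whycompany.com"}
URGENCY_WORDS = {"urgent", "danger", "immediately", "suspended", "verify now"}
GENERIC_GREETING = re.compile(r"\bdear\s+(member|user|customer|valued\s+\w+)\b", re.I)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a one- or two-character difference is a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_sender(addr: str) -> list:
    """Checklist item 2: lookalike domain or a typo'd colleague name."""
    flags = []
    local, _, domain = addr.lower().partition("@")
    if domain != COMPANY_DOMAIN and 0 < edit_distance(domain, COMPANY_DOMAIN) <= 2:
        flags.append(f"sender domain {domain!r} is a lookalike of {COMPANY_DOMAIN!r}")
    for known in KNOWN_SENDERS:
        k_local, _, k_domain = known.partition("@")
        if addr.lower() != known and k_domain == domain and 0 < edit_distance(local, k_local) <= 2:
            flags.append(f"sender {addr!r} is one typo away from known colleague {known!r}")
    return flags


def check_links(html: str) -> list:
    """Checklist items 5 and 6: where a link really goes, and whether it is http."""
    flags = []
    collector = LinkCollector()
    collector.feed(html)
    for href, text in collector.links:
        target = urlparse(href)
        host = target.hostname or ""
        if target.scheme == "http":
            flags.append(f"plain http link to {host!r}")
        # Visible text that looks like a URL but whose host differs from the real target.
        shown = urlparse(text) if text.startswith(("http://", "https://")) else None
        if shown and shown.hostname != host:
            flags.append(f"link text shows {shown.hostname!r} but points to {host!r}")
        # A host that contains the company name without being the company domain.
        company_label = COMPANY_DOMAIN.split(".")[0]
        if host != COMPANY_DOMAIN and not host.endswith("." + COMPANY_DOMAIN) and company_label in host:
            flags.append(f"link host {host!r} impersonates {COMPANY_DOMAIN!r}")
    return flags


def check_message(raw: str) -> list:
    """Run the whole checklist over one raw message and return the red flags found."""
    msg = message_from_string(raw)
    flags = []
    _, addr = parseaddr(msg.get("From", ""))
    flags += check_sender(addr)
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    text = (msg.get("Subject", "") + "\n" + body).lower()
    hits = sorted(w for w in URGENCY_WORDS if w in text)      # item 4
    if hits:
        flags.append(f"pressure words: {', '.join(hits)}")
    if GENERIC_GREETING.search(body):                         # item 3
        flags.append("generic greeting instead of your name")
    flags += check_links(body)
    return flags


# Constructed sample: a lure of the "desktop upgrade" kind described in the post.
SAMPLE_MESSAGE = """\
From: IT Helpdesk <jonsmith@whycompany.com>
To: you@whycompany.com
Subject: URGENT: desktop upgrade - confirm your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear User,</p>
<p>Your desktop upgrade is scheduled for tonight. Please
<a href="http://whycompany-upgrade.example/login">confirm your credentials</a>.</p>
<p>Portal: <a href="https://whycompany.com.example/portal">https://whycompany.com/portal</a></p>
</body></html>
"""

# Constructed sample: a legitimate internal note, for contrast.
CLEAN_MESSAGE = """\
From: John Smith <johnsmith@whycompany.com>
To: you@whycompany.com
Subject: Desktop upgrade schedule
Content-Type: text/html; charset=utf-8

<html><body>
<p>Hi Peter,</p>
<p>The upgrade schedule is on the <a href="https://intranet.whycompany.com/upgrade">intranet page</a>.</p>
</body></html>
"""

if __name__ == "__main__":
    for name, raw in (("lure", SAMPLE_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(name, check_message(raw) or "no red flags")
```

Run on the lure, the checker reports seven flags (the typo'd colleague address, the pressure word in the subject, the generic greeting, the plain-http login link, the displayed-vs-actual host mismatch, and two impersonating hosts); the clean message reports none. Note the caveat from item 5 applies here too: when a URL-protection gateway has rewritten the hrefs, this check sees the rewriting service's host rather than the original target, so run it on the message as it arrived at the gateway, not as it landed in the mailbox.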

It’s like real money and great fakes

Here’s another perspective. Early in my career, I was in the banking industry and became familiar with the methods used to help tellers distinguish genuine currency from counterfeit. Banks trained their tellers on all of the obvious and subtle characteristics of real currency. The thought was that when they encountered a counterfeit bill, the teller would spot it because something doesn’t “feel right” or “look right.” This approach could also be used for spotting phishing messages: when you’re familiar with legitimate communications in your organization, phishing messages aren’t going to look right. Often, that’s your only clue: something is “just off.”

While spotting ruses is getting more difficult, taking just a little more time to examine an email for red flags can make the difference between a big issue and avoiding it entirely.

By: Peter Gregory

Director, Information Security
