Security Awareness Training: How to Detect Phishing Attacks

As I mentioned in my last article about password security, minimal risk employees who understand IT security risks and take action to prevent them are a critical piece to the IT security puzzle. After setting policies about how to choose passwords and when to update them, helping them to identify fake email addresses and URLs gives end users the power to be vigilant against cybersecurity threats.

Recent CompTIA research shows that phishing is third on the list of cybersecurity threats that are top of mind for organizations, ranking just behind the very traditional threats of viruses and spyware. While phishing is not the only way to get employees to visit malicious URLs, it has quickly become a widespread concern.

Forthcoming CompTIA research also shows that 76% of companies are now providing cybersecurity awareness training to the entire workforce. Proactive training is a critical step in equipping every employee to play their part in a cybersecurity strategy.

How to Identify Fake Email Addresses

Where is your email coming from? Fake email addresses attempt to trick end users into a sense of comfort, security and legitimacy. Does the domain from which you’re receiving the email make sense? Is it consistent with the company’s domain?

Here are two ways to identify fake email addresses:

1. What comes after the @ sign?

As mentioned above, a legit email domain will match the URL for the organization’s website. Going back to the banking example, here are examples of safe and unsafe email domains.

• Safe: @chase.com
• Unsafe: @chasebank.com

At a quick glance, this seems like a reasonable and safe domain. But if the domain is anything different than what you would type in a web browser to access the organization’s website, it’s most likely a fake email address.

2. What name appears in the email?

Spoiler alert: it doesn’t matter. Real names don’t mean anything on the internet. There’s no intellectual property or restrictions on the names of emails when creating an account.

In fact, many legitimate businesses create fake names for marketing emails that just head back to a distro so they can avoid being flagged for email abuse when they are spamming without an opt-in policy. I could start an email account with your name, and there are no checks and balances on it. That’s why the domain is so important – there’s a registration process for domains related to unique IP addresses, so it’s not possible to copy without having inside access.

How to Identify Fake Websites

One of the easier ways to mitigate cybersecurity risk is to train your employees to pay attention to the address bar in their web browser. As we rely more on backlinking, cookies and search engines to reach websites, employees tend to pay less attention to the URL in the address bar and go more and more into autopilot when browsing.

Pay attention to your browser and ask these questions to identify fake websites:

• Is your connection secure? Look to the far left of your address bar. If you’re using Chrome or Firefox, you should see a padlock icon to indicate that your connection is safe.
• If you are still using Internet Explorer: Stop reading this article, delete all your cookies and search history on IE, and install Chrome or Firefox. Those browsers are much safer, especially Firefox. Don’t ever look back, and don’t feel bad about it.
• BUT… Secure Socket Layer (SSL)/ Transport Layer Security (TLS) certificates are now easier for threat actors to get, so the “padlock” strategy isn’t effective enough on its own. The lock icon is not bulletproof, and it must be used in combination with the rest of the points that follow.

Where Did the URL Come From?

1. Does the URL make sense? Use the same strategy to identify fake websites that you would to identify fake email addresses. The main parts of the URL before .com or .org, etc., should not be an alphabet soup of letters and numbers. The domain origination of the main site and emails that you receive from the organization should match.

A relevant example for personal banking would be this:

• Safe: chase.com/creditcardoffer
• Unsafe: chasecom.ru/creditcardoffer

Threat actors purposely try to mask their URLs in clever ways, often by incorporating special characters or a sandwich of letters that resemble the correct website. If you’re not looking closely, you can easily be duped into clicking the link and installing malware on your device, even if the link doesn’t load or takes you to a dead page.

2. Did you get the link in an email? If so, don’t click. This sounds extreme. It also sounds slow and antiquated. But verification is a pillar of being vigilant. Even if the contact emailing you is in your address book, they could have been phished – you just never know.

• Call or email the contact before clicking. Calling is always preferred. As for emailing, you must make sure you open a new email to ask them if the last email was legit. If you reply directly to the email in question, you’re communicating with a hacker, and they will mislead you.
• Seriously, call them before you open the email. Especially if it’s from an internal source. That will only create a stronger cybersecurity culture. This may seem like an unnecessary or slow step, but it’s the entire point of the training exercise! The more cybersecurity is discussed, the more it is prioritized in typical day-to-day interactions.

Now we’ve covered password policies and suspicious URLs and domains. Stay tuned for my next article about phishing attack red flags to watch for.