Security Awareness Training: How to Detect Phishing Attacks

After setting policies about how to choose passwords and when to update them, training end users on how to identify fake email addresses and URLs gives them the power to be vigilant against cybersecurity threats.

As I mentioned in my last article about password security, minimal-risk employees, those who understand IT security risks and take action to prevent them, are a critical piece of the IT security puzzle. After setting policies about how to choose passwords and when to update them, helping end users identify fake email addresses and URLs gives them the power to be vigilant against cybersecurity threats.

Recent CompTIA research shows that phishing is third on the list of cybersecurity threats that are top of mind for organizations, ranking just behind the very traditional threats of viruses and spyware. While phishing is not the only way to get employees to visit malicious URLs, it has quickly become a widespread concern.

Forthcoming CompTIA research also shows that 76% of companies are now providing cybersecurity awareness training to the entire workforce. Proactive training is a critical step in equipping every employee to play their part in a cybersecurity strategy.

How to Identify Fake Email Addresses

Where is your email coming from? Fake email addresses attempt to trick end users into a sense of comfort, security and legitimacy. Does the domain from which you’re receiving the email make sense? Is it consistent with the company’s domain?

Here are two ways to identify fake email addresses:

1. What comes after the @ sign?

As mentioned above, a legitimate email domain will match the URL of the organization’s website. Going back to the banking example, here are examples of safe and unsafe email domains.

  • Safe: @chase.com
  • Unsafe: @chasebank.com

At a quick glance, @chasebank.com seems like a reasonable and safe domain. But if the domain differs at all from what you would type into a web browser to reach the organization’s website, it’s most likely a fake email address.

2. What name appears in the email?

Spoiler alert: it doesn’t matter. Real names don’t mean anything on the internet. There are no trademark checks or other restrictions on the name attached to an email account when it is created.

In fact, many legitimate businesses put made-up names on marketing emails that simply route back to a distribution list, so they can avoid being flagged for email abuse when they send without an opt-in policy. I could open an email account in your name, and there are no checks and balances on it. That’s why the domain is so important: domains go through a registration process and are tied to specific IP addresses, so a domain can’t be copied without inside access.
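The two checks above (what comes after the @ sign, and whether the display name can be trusted) can be turned into a small sender check. The following is an added example, not code from the original article; the allowlist of known-good domains, the name-to-domain table and the sample From: headers are constructed for illustration.

```python
from email.utils import parseaddr

# Constructed: domains your organization legitimately receives mail from.
KNOWN_GOOD_DOMAINS = {"chase.com", "example-corp.com"}

# Constructed: if a display name contains one of these fragments (a brand or
# a colleague's name), the address should come from the matching domain.
EXPECTED_DOMAIN_FOR_NAME = {
    "chase": "chase.com",
    "alice johnson": "example-corp.com",
}


def split_sender(from_header: str):
    """Return (display_name, address, domain) from a From: header value."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower() if "@" in addr else ""
    return name, addr, domain


def check_sender(from_header: str) -> dict:
    """Flag a sender whose domain is unknown, whose display name does not fit
    its domain, or whose domain merely resembles a known-good one."""
    name, addr, domain = split_sender(from_header)
    reasons = []

    # Point 1: what comes after the @ sign must be a domain you actually trust.
    if not domain:
        reasons.append("no parseable address")
    elif domain not in KNOWN_GOOD_DOMAINS:
        reasons.append(f"domain {domain!r} is not a known-good domain")

    # Point 2: the display name is free text. A brand or colleague's name in it
    # that does not match the address domain is the classic red flag.
    lowered = name.lower()
    for fragment, expected in EXPECTED_DOMAIN_FOR_NAME.items():
        if fragment in lowered and domain != expected:
            reasons.append(
                f"display name {name!r} suggests {expected!r} but address is from {domain!r}"
            )

    # Look-alike domains such as chasebank.com: the good domain's first label
    # embedded in a longer one. Crude heuristic, enough for training material.
    first_label = domain.split(".")[0]
    for good in KNOWN_GOOD_DOMAINS:
        good_label = good.split(".")[0]
        if domain != good and good_label in first_label:
            reasons.append(f"{domain!r} looks like {good!r}")

    return {"address": addr, "domain": domain, "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    for header in (
        "Chase Alerts <alerts@chase.com>",
        "Chase Bank <security@chasebank.com>",
        "Alice Johnson <alice.johnson@gmail.example>",
    ):
        print(check_sender(header))
```

A mail filter or a help-desk triage script can run the same logic over the From: header of reported messages; the point for training purposes is that the display name is never evidence, and only the domain after the @ is compared against something you control.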

Pro Tip for Email Security Awareness Training

  1. Create and spoof a few email addresses on free email services and on your own email domain. If your customers email you from Gmail accounts, use that free service to make a few.
  2. Create a link in the body of the email that you can track.
  3. A few days later, check the activity to see who accessed the link. Anyone that clicked on it needs to be trained that it is unsafe to open a link from email.

How to Identify Fake Websites

One of the easier ways to mitigate cybersecurity risk is to train your employees to pay attention to the address bar in their web browser. As we rely more on backlinking, cookies and search engines to reach websites, employees tend to pay less attention to the URL in the address bar and go more and more into autopilot when browsing.

Pay attention to your browser and ask these questions to identify fake websites:

  • Is your connection secure? Look to the far left of your address bar. If you’re using Chrome or Firefox, you should see a padlock icon to indicate that your connection is encrypted.
  • If you are still using Internet Explorer: Stop reading this article, delete all your cookies and search history on IE, and install Chrome or Firefox. Those browsers are much safer, especially Firefox. Don’t ever look back, and don’t feel bad about it.
  • BUT… Secure Sockets Layer (SSL)/Transport Layer Security (TLS) certificates are now easier for threat actors to get, so the “padlock” strategy isn’t effective enough on its own. The lock icon is not bulletproof, and it must be used in combination with the rest of the points that follow.

Where Did the URL Come From?

1. Does the URL make sense? Use the same strategy to identify fake websites that you would to identify fake email addresses. The main part of the URL before .com, .org, etc., should not be an alphabet soup of letters and numbers. The domain of the organization’s main site and the domain of the emails you receive from it should match.

A relevant example for personal banking would be this:

  • Safe: chase.com/creditcardoffer
  • Unsafe: chasecom.ru/creditcardoffer

Threat actors purposely try to mask their URLs in clever ways, often by incorporating special characters or a sandwich of letters that resemble the correct website. If you’re not looking closely, you can easily be duped into clicking the link and installing malware on your device, even if the link doesn’t load or takes you to a dead page.
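The address-bar checks in this section (is it HTTPS, does the domain make sense, is the real name buried in a longer or oddly spelled one) can be scripted. This is an added example, not code from the original article; the known-good allowlist is constructed, and the rule that the registrable domain is the last two labels is a simplification (real tooling consults the Public Suffix List).

```python
from urllib.parse import urlsplit

KNOWN_GOOD_DOMAINS = {"chase.com"}  # constructed allowlist for the example


def registrable_domain(host: str) -> str:
    # Assumption: registrable domain = last two labels (www.chase.com -> chase.com).
    # Suffixes like co.uk break this; use the Public Suffix List in production.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_url(url: str) -> dict:
    """Read a URL the way the article tells users to read the address bar."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []

    # No padlock without HTTPS (and, as the article notes, HTTPS alone proves little).
    if parts.scheme != "https":
        reasons.append(f"scheme is {parts.scheme!r}, not https")

    # "https://chase.com@evil.example/..." : the part before @ is a username,
    # not the site. The browser connects to whatever follows the @.
    if parts.username is not None:
        reasons.append(f"text before @ ({parts.username!r}) is a username; real host is {host!r}")

    # Special characters: non-ASCII or punycode (xn--) labels can imitate
    # ordinary letters, which is the "clever masking" the article describes.
    if not host.isascii() or "xn--" in host:
        reasons.append("host uses non-ASCII or punycode labels")

    reg = registrable_domain(host)
    if reg not in KNOWN_GOOD_DOMAINS:
        reasons.append(f"registrable domain {reg!r} is not known-good")
        # The good name sandwiched into a longer one or under another TLD,
        # e.g. chasecom.ru or chase.com.evil.example.
        squashed = host.replace(".", "").replace("-", "")
        for good in KNOWN_GOOD_DOMAINS:
            if good.split(".")[0] in squashed:
                reasons.append(f"host {host!r} imitates {good!r}")

    # "Alphabet soup": crude check for a domain label heavy with digits.
    first_label = reg.split(".")[0]
    if sum(ch.isdigit() for ch in first_label) >= 3:
        reasons.append(f"domain label {first_label!r} is letter-and-number soup")

    return {"host": host, "registrable": reg, "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    for u in (
        "https://chase.com/creditcardoffer",
        "https://chasecom.ru/creditcardoffer",
        "https://chase.com@evil.example/login",
        "https://ch\u0430se.com/login",  # Cyrillic a in place of Latin a
    ):
        print(check_url(u))
```

The userinfo and non-ASCII cases go beyond the article's two bullet examples but are the same lesson: the only part of the URL that decides where you end up is the registrable domain, and everything else on the line can be chosen freely by whoever built the link.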

2. Did you get the link in an email? If so, don’t click. This sounds extreme. It also sounds slow and antiquated. But verification is a pillar of being vigilant. Even if the contact emailing you is in your address book, they could have been phished – you just never know.

  • Call or email the contact before clicking. Calling is always preferred. As for emailing, you must make sure you open a new email to ask them if the last email was legit. If you reply directly to the email in question, you’re communicating with a hacker, and they will mislead you.
  • Seriously, call them before you open the email, especially if it’s from an internal source. That will only create a stronger cybersecurity culture. This may seem like an unnecessary or slow step, but it’s the entire point of the training exercise! The more cybersecurity is discussed, the more it is prioritized in typical day-to-day interactions.

Pro Tip for Website Security Awareness Training

  1. Create your own fake (but harmless) websites, and send them to your own employees.
  2. Tag those emails to a tool that tracks open rates and clicks.
  3. See if anyone reports it to you – these are your minimal-risk employees!
  4. Track all the users that click and don’t report the suspicious email, and say hello to your first training class!
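Both pro tips in this article end the same way: check who clicked the tracked link, who reported the message, and build the first training class from those who clicked without reporting. The following is an added example of that bookkeeping, not code from the original article or from any particular simulation tool; the event log format and the recipients are constructed.

```python
from collections import defaultdict

# Constructed sample export from a simulation campaign, one event per line:
# "<timestamp> <event> <recipient>" with events sent, opened, clicked, reported.
SAMPLE_LOG = """\
2024-03-04T09:00:00 sent alice@example-corp.com
2024-03-04T09:00:00 sent bob@example-corp.com
2024-03-04T09:00:00 sent carol@example-corp.com
2024-03-04T09:00:00 sent dave@example-corp.com
2024-03-04T09:05:12 opened bob@example-corp.com
2024-03-04T09:05:40 clicked bob@example-corp.com
2024-03-04T09:07:03 reported alice@example-corp.com
2024-03-04T09:30:00 opened carol@example-corp.com
2024-03-04T09:31:15 clicked carol@example-corp.com
2024-03-04T09:33:00 reported carol@example-corp.com
"""


def parse_events(text: str) -> dict:
    """Map each recipient to the set of events recorded for them."""
    events = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        _timestamp, event, recipient = line.split()
        events[recipient.lower()].add(event)
    return events


def classify(events: dict) -> dict:
    """Sort recipients into the groups the article cares about."""
    groups = {
        "reported_without_clicking": [],  # minimal-risk employees
        "clicked_and_reported": [],       # clicked, but raised the alarm
        "clicked_no_report": [],          # the first training class
        "no_action": [],                  # neither clicked nor reported
    }
    for recipient, seen in sorted(events.items()):
        if "clicked" in seen and "reported" in seen:
            groups["clicked_and_reported"].append(recipient)
        elif "clicked" in seen:
            groups["clicked_no_report"].append(recipient)
        elif "reported" in seen:
            groups["reported_without_clicking"].append(recipient)
        else:
            groups["no_action"].append(recipient)
    return groups


def summarize(text: str) -> dict:
    """Campaign summary: sizes, click and report rates, and the training roster."""
    events = parse_events(text)
    groups = classify(events)
    sent = [r for r, seen in events.items() if "sent" in seen]
    clicked = [r for r, seen in events.items() if "clicked" in seen]
    reported = [r for r, seen in events.items() if "reported" in seen]
    n = len(sent)
    return {
        "sent": n,
        "click_rate": len(clicked) / n if n else 0.0,
        "report_rate": len(reported) / n if n else 0.0,
        "training_roster": groups["clicked_no_report"],
        **groups,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Tracking the report rate alongside the click rate matters: the goal of the exercise is not a zero click rate on its own, but a culture where a suspicious message gets reported, which is exactly what the minimal-risk group demonstrates.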

Now we’ve covered password policies and suspicious URLs and domains. Stay tuned for my next article about phishing attack red flags to watch for.

Make sure you have the cybersecurity skills needed to outrun the other guy with IT certifications like CompTIA A+ and CompTIA Security+. Download the exam objectives to see what's covered.

