5 Simple Tips for Phishing Email Analysis

Phishing attacks have been on the rise, and understanding how to recognize them is the first step in protecting your organization. 

During a phishing attack, scammers and hackers pretend to be someone representing an organization or company that you trust. This may include a well-known entity like the Internal Revenue Service (IRS), a social media company, or a bank. The hacker then sends out emails, and within them are links to fake sites or attachments with malware. The objective of the attack is to fool the recipient into providing personal information that will allow them to take control of the device.

Phishing email analysis tools can help combat these kinds of attacks. You can use them to take a proactive stance against phishing. Read on to learn how not to fall victim to a phishing cyberattack through the phishing investigation process, how to boost email security, and tips to spot suspicious emails, including those used in spear phishing, a more targeted form of phishing.

The goal of a phishing attack is to steal personal or financial information. To understand which data in your organization is at risk, it is important to comprehend why hackers want it. Attackers attempt to obtain information that will somehow earn them a profit. There are three ways they can make money from your data:

1. Steal data for personal gain: Hackers can use your personal or financial information to steal your money themselves. When they do this, however, they put themselves personally at risk. Therefore, they will either go for high-value data or financial information that can be exploited with as little risk to themselves as possible.
2. Sell data: An attacker can take your data and sell it to somebody else. This is often done on the dark web, where there are markets for stolen information. Your data may be included in a package that includes the sensitive information of other people. For example, a hacker may sell a collection of 50 credit card numbers to someone else.
3. Obtain data for another entity: A hacker can be paid by an organization to steal your information, cause an embarrassing breach, or provide cyber espionage services. At times, a third party may be involved, such as a government or even another company. In this situation, the hacker is given a job with specific objectives, and they get paid accordingly.

Given the above motivations, data and information at a high risk of being stolen through a phishing attack include credit card information, social security numbers, login information, information that can be used to answer two-factor authentication (2FA) questions (e.g., codes sent to a mobile device), full names, birth dates, addresses, company financial information, company secrets, future plans of a business, proprietary data and information (e.g., schematics, designs, and content), phone numbers and email addresses, passwords and numeric codes for a company’s physical and digital resources, and health records.

Phishing email analysis should be performed systematically. Here are five things to look for to spot scams: 

Email addresses, links, and domain names that come from a hacker are often easy to identify. Here are what to check for:

1. Email addresses that are close to correct but a little off. For example, if someone’s real email address is TaylaSmith@yourcompany.com, and you get an email from JSmith@yourcompany.com or SmithJohn@yourcompany.com, it may be a phishing attack. The attacker may even try to explain that they were given a new email address by the IT department. Regardless of what is in the email, double-check the identity of the sender.
2. Links that reveal an unfamiliar address when you hover over them. Because so many emails contain links, it can be easy to accidentally trust the wrong one, especially if it appears to come from someone or an organization you trust. Always double-check the contents of a link before clicking on it, and keep in mind that links can download malware or bring you to a fake site that looks legitimate but is designed to install malicious software on your computer.
3. Domain names that are close to those of a company or person but are not quite right. For instance, if someone sent an email from “Tiffany@G00gle.com,” with two zeros,” they could be phishing. Also, if an email address has a component that is designed to make it look trustworthy, it may be a phishing attempt. For example, if you got an email from John@IBMsupportsystem.com, it may be a malicious email, particularly because there is no active domain run by IBM with that name.

Many phishing attacks try to convince someone to reveal personal information using scare tactics. An attacker may also try to make the target feel embarrassed, giving them no other choice but to take an action to prevent others from learning some supposed secret. For instance, they may claim that the victim has downloaded malware on their computer and needs to provide their login information so it can be removed by “the IT department.” To remedy the situation without having to reveal they made a mistake, an employee might accept the invitation to share this information.

Often, a threat will come from an organization that purportedly has the power to fix a situation. For example, a phishing email may come from a hacker pretending to be your financial institution. Within the message, they may say that your account has been compromised and you need to change your login information. You may then be instructed to click on a link that will bring you to a site that will facilitate the change you need to make. But when you go to the site and enter your login information, your data gets sent to a hacker.

Some hackers have not mastered the language in which they are composing the email or its basic grammatical conventions. When an email comes from someone that you are supposed to trust or a professional organization, more than likely, the grammatical and spelling mistakes are either predictable or nonexistent. For example, someone you know at your job may occasionally write “i” in lowercase when referring to themselves or use colloquial words like “gonna” or “wanna.” Often, these are predictable elements of your communication.

With a phishing attack, the errors are often far more egregious, featuring mistakes such as:

1. Misspelling the company name
2. Misspelling your name—or even that of the supposed sender
3. Reordering key elements of a sentence, such as putting an adjective after a noun instead of before it

Attachments in a legitimate email are usually alluded to within the body. The sender may say, for instance, “I am attaching the report.” This makes it easy to check the attachment because its name should correlate with what was mentioned in the message. With a phishing email, the attachment may have nothing to do with the contents of the body of the email. It may also be unnecessary. For example, an email that talks about a report but with an attachment containing instructions on how to reset your password.

Any email asking for personal information should be viewed as suspicious. With many phishing emails, the information they are asking for is something they should already have access to, such as the contact information you have provided in the past.

Companies have also chosen to never ask for login information for payment data via email, specifically because this helps prevent phishing attacks. If you ever get an email that seems to be legitimate but is asking for personal or sensitive data, it is best to reach out to the company directly by composing a new email with the appropriate address, not responding to the one you were sent.

^{--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------}