Years after they were first used to catch out unwary users, simple phishing scams sent via email remain both common and effective. On the face of it this is surprising. Businesses installed email-filtering gateways a decade ago, some even investing in technologies designed to authenticate messages such as Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting & Conformance (DMARC).
While this has made some difference in filtering out spam and unwanted messages, phishing email has evolved to counter these techniques. The plain truth is that users have to open email, some of which will have been targeted well enough to allay suspicion, and getting around the defences that have been thrown up is still more than possible.
Focus has shifted from relying on technology on its own to user training, even if this promises only an imperfect cure. But user awareness can and does make some difference.
Here we present a top ten list of phishing lures as compiled by email security-as-a-service firm Proofpoint. These represent the most common techniques based on its own filtering of messages. How many of us wouldn't be swayed to click on at least one of these?
With the rise of virtual PBX systems and softphones, employees have increasingly been conditioned to expect voicemail that appears as a media attachment in their inbox. Voicemail inherently carries an urgency to the communication as well, further overriding natural caution and prompting an unthinking click.
As is the case with voicemail, eFax communications have an inherent urgency, coupled with the neural disconnect caused by the historic association of fax with phone lines and audio, which aren’t naturally associated with malware. Employees in the midst of a busy day don’t think twice before clicking to open the attached or URL-linked “fax”.
Whether it’s a request to send a wire transfer, or an apparent failed ACH transaction, cash movement issues are urgent and compelling. The attachment and the embedded “email” link in the message are both likely to result in malware being installed if clicked.
Whether it’s an immediate alert of potential fraud on your credit card or bank account, or simply a vaguely disturbing or confusing ‘advisory’, don’t ever click the links. Open a browser, go to the main web page of your financial institution, and use the contact links on the page - or call the phone number on the back of your physical credit card or ATM card.
A variation on the warning theme designed to hit a sensitive button: 'your account has been disabled after it was the victim of unauthorised access', or words to that effect. Because users now receive legitimate warnings of this kind, this attack can be disarming.
Invoices can be fraudulent in several ways, but whether an end-user pays a non-existent supplier or simply clicks on any of the links in this email, the results will be cash losses to the company. The attacker wins again.
Too often users instinctively associate malicious phish with a demand. Psychologically, offers register differently, so when users receive what appears to be an unsolicited gift (in the form of an order, package, airline ticket confirmation or similar), an instinctive action is often to click for more information.
People are habituated to receive these and barely notice when the form is abused in phishing attacks. Common brands (and sometimes obscure ones that grab the attention) are used to disarm suspicion until it's too late.
Natural curiosity is a weapon of choice for social engineering. Most users, when approached via a social network, will click on the inviting party’s profile “just to find out who it is”. In most phishing emails, every link can trigger malware, up to and including links that appear to point to images or to the legal boilerplate at the bottom.
Solicitation (job offers, singles meetups, pharmaceuticals). Whether it’s a job offer, a singles meetup, a discount on pharmaceuticals or some other unsolicited pitch, it’s quite likely to produce undesired results if the links or attachments are clicked. This is one of the oldest lures of the lot but keeps turning up in new forms.
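As an added example, not part of Proofpoint's list or of this article, the Python triage script below tags a message with the lure themes above, collects every link in it (image-only and small-print footer links included, the point made about social-networking lures) and flags links whose real host is a bare IP address or differs from the domain shown in the link text. The keyword lists and the sample message are my own constructions; `LinkCollector`, `triage` and `SAMPLE` are names I chose.

```python
from email import message_from_string, policy
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Keyword lists are my own assumption, one per lure theme from the list above.
LURE_KEYWORDS = {
    "voicemail": ["voicemail", "voice message"], "efax": ["efax", "fax message"],
    "wire/ach": ["wire transfer", "ach transaction"], "invoice": ["invoice"],
    "account warning": ["unauthorised access", "account has been disabled"],
    "order/shipping": ["order confirmation", "package"], "social": ["viewed your profile"],
    "solicitation": ["job offer", "singles", "pharmacy"]}

class LinkCollector(HTMLParser):  # records every <a href> together with its visible text
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def triage(raw):  # lure themes, every link, suspicious links and attachment names for one .eml
    msg = message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    low = ((msg["subject"] or "") + " " + re.sub(r"<[^>]+>", " ", html)).lower()
    lures = [name for name, words in LURE_KEYWORDS.items() if any(w in low for w in words)]
    collector = LinkCollector()
    collector.feed(html)
    suspicious = []
    for href, visible in collector.links:
        host = urlparse(href).hostname or ""
        shown = re.search(r"[\w-]+(\.[\w-]+)+", visible.lower())  # a domain written in the link text
        if re.fullmatch(r"\d+(\.\d+){3}", host) or (shown and shown.group(0) not in host):
            suspicious.append(href)  # bare-IP host, or real host differs from the domain shown
    attachments = [part.get_filename() for part in msg.iter_attachments()]
    return {"lures": lures, "links": collector.links, "suspicious": suspicious, "attachments": attachments}

# Constructed sample message (not a real phish): an account-warning lure carrying three links.
SAMPLE = ("Subject: Your account has been disabled after unauthorised access\n"
          "Content-Type: text/html\n\n"
          '<p>Please <a href="http://secure-login.example.net/">visit www.example-bank.test</a> now.</p>'
          '<p><a href="http://198.51.100.7/l"><img src="logo.png"></a> <a href="http://www.example-bank.test/t">Terms</a></p>')
```

Run `triage(SAMPLE)` to see the account-warning tag, all three links, and the two that the host checks flag.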