That Time I Clicked on a Phish

April 16, 2019

As a security leader for the past 17 years, I expect myself to be exemplary at recognizing phishing scams, and I have tried to model this for others. Still, there have been a couple of occasions where even I started to "take the bait." In both cases these were mass mailings, not company-targeted phishes; one related to a desktop upgrade that our company happened to be undergoing at the same time. In each case I was instructed to click a link to carry out some "company requested" task. After doing so, I examined the next page, which didn't look quite right. Then I realized I'd been duped. No harm was done, however, because I didn't complete the forms that were attempting to steal my login credentials or other important information.

For a security leader, both of these felt a little like a "near-death" experience, complete with an adrenaline rush and the realization that I had almost fallen for a ruse with potentially dire consequences. I was close to being "that guy."

Internal controls are great. But.

Thankfully, my company had comprehensive defense in depth for all its endpoints, including anti-virus, advanced anti-malware, network-based phishing message filtering and URL protection, and network and desktop firewalls and IPS. Even with such a collection of defenses, however, I never assume that IT security can protect me from myself 100% of the time, and neither should anyone else. The first and last best defense is the human who examines every single incoming message, thoughtfully (I hope) considers its source, subject line and directed action, and then makes a good decision about it.

Telling the difference

The experiences I mentioned gave me first-hand insight that good phishing scams can be difficult to discern.
As attackers become more sophisticated (poor English notwithstanding), determining what is genuine and what is fake is getting harder, even for conscientious, trained "experts." With email overload still a fact of life (even with team tools), especially after any time away from the office, the precious time needed to examine an email sometimes falls by the wayside. A refresher is never a bad idea, and with more than two-thirds of advanced cyber attacks beginning with phishing, it's worth mentally running through a quick checklist that helps even the most experienced among us avoid being duped.

- Does the email just sound "off"? Sometimes your gut is already aware.
- Is the email from someone within your organization or outside it? Double-check the sender address: a lack of company details can be a red flag, as can a slight typo in a colleague's name or in the domain name (johnsmith@whycompany.com vs jonsmith@whycompany.com, or johnsmith@whycompany.com).
- Is the email not personalized? Does it use "Dear Member," "Dear User," or the like instead of your name?
- Are there typos, is the grammar or language "off," or does it use URGENT, DANGER or other emotional words?
- Hover over a few text or image links, such as logos, but do NOT click them, to see where they would direct a click. URL protection is a double-edged sword here: with such a system in place, hovering over a link doesn't always show its true destination; however, URL protection often prevents a user from visiting a site known to be malicious or fraudulent.
- When visiting any site that asks you to fill out a form or provide personal information, look for https in the URL, not just http, to be sure the connection is secure. Be aware, however, that many cybercriminal organizations do have SSL certificates on their phishing sites.

It's like real money and great fakes

Here's another perspective.
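The checklist above, turned into a small message checker that flags near-miss sender addresses, outside domains, generic salutations, urgency wording and link destinations. This is an added example, not code from the post; the colleague address book, company domain and sample message are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the "desktop upgrade" lure the post describes.
SAMPLE = """From: IT Helpdesk <jonsmith@whycompany.com>
Subject: URGENT: desktop upgrade - action required

<p>Dear User,</p>
<p>Please <a href="http://whycompany-upgrade.example/login">click here</a> to confirm.</p>
"""

KNOWN_SENDERS = {"johnsmith@whycompany.com"}  # assumed colleague address book
TRUSTED_DOMAINS = {"whycompany.com"}          # assumed company domain
URGENCY = ("urgent", "danger", "immediately", "action required")
GENERIC = ("dear member", "dear user", "dear customer")

def edit_distance(a: str, b: str) -> int:
    # Levenshtein distance: one-letter sender typos (jon vs john) score 1.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def phishing_flags(raw: str) -> list[str]:
    msg = message_from_string(raw)
    addr = parseaddr(msg.get("From", ""))[1].lower()
    domain = addr.rpartition("@")[2]
    flags = []
    for known in KNOWN_SENDERS:  # near-miss of a colleague's address
        if 0 < edit_distance(addr, known) <= 2:
            flags.append(f"sender {addr} is a near-miss of {known}")
    if domain not in TRUSTED_DOMAINS:
        flags.append(f"sender domain {domain} is outside the organisation")
    body = msg.get_payload()
    text = (msg.get("Subject", "") + " " + body).lower()
    if any(w in text for w in URGENCY):
        flags.append("urgent or emotional wording in subject or body")
    if any(g in text for g in GENERIC):
        flags.append("generic salutation instead of your name")
    for href, label in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', body, re.I | re.S):
        host = re.sub(r"^https?://", "", href, flags=re.I).split("/")[0]
        if not any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS):
            flags.append(f"link '{label}' leads to untrusted host {host}")
        if not href.lower().startswith("https://"):
            flags.append(f"link '{label}' is not https")
    return flags
```

A real deployment would compare the link host against the displayed text as well, since URL-rewriting protection hides the true destination from a hover, exactly the double-edged sword noted above.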
Early in my career, I was in the banking industry and became familiar with the methods used to help tellers distinguish genuine currency from counterfeit. Banks trained their tellers on all of the obvious and subtle characteristics of real currency. The thinking was that when a teller encountered a counterfeit bill, they would spot it because something didn't "feel right" or "look right." The same approach works for spotting phishing messages: when you're familiar with legitimate communications in your organization, phishing messages aren't going to look right. Often that's your only clue: something is "just off." While spotting ruses is getting more difficult, taking just a little more time to examine an email for red flags can make the difference between a big issue and avoiding it entirely.

By: Peter Gregory, Director, Information Security

Peter Gregory is a director in Optiv's Office of the CISO. He is a leading security technologist and strategist with a long professional history of advancing security technology, compliance and risk management at all levels of corporate culture. He has published more than 40 books and authored more than 30 articles for leading trade publications in print and online.