According to our latest research, which can be seen in this video , an astonishing 32% of employees click on phishing URL’s, and 1 in 5 emails can be considered as malicious. But what makes a phishing attack successful? Are we really that naive to let ourselves become phishing targets, or are phishing techniques just that good? In this blog post I’ll talk about telltale signs that an email is in fact a phishing email!
Every phishing campaign starts with a goal and a target. Sometimes the goal is to extort money by posing as a supplier sending fake invoices, sometimes it is to obtain credentials from personal and/or corporate accounts. But how does an attacker find these details?
OSINT stands for Open Source INTelligence. This means that an attacker tries to find out as much as possible about you and/or your company using publicly available resources. These include but are not limited to: social media, corporate website, public government records, databases that have been leaked online from hacks, …
The email domain
In order to make phishing campaigns more successful, the attacker will often (not always) try to make his/her email as authentic as possible. A very important aspect of this is the domain name. Attackers will often register a new domain and use that domain to create email addresses that are used in the phishing campaign.
The challenge is to get a domain name that closely resembles the target’s domain. As it turns out, that might actually be easier than you think… with punycode. Punycode converts words that cannot be written in ASCII, into unicode ASCII encoded form so they can be used in domain names. Here is an example, the Greek word for hello is γεια σασ. This can not be interpreted by DNS, here is where punycode comes in. The punycode equivalent of γεια σασ is xn-- -ylbbfky6eb. Using this knowledge we can register a malicious domain that is indistinguishable from the real domain for the naked eye. Here is an example of punycode in action:
|ASCII Characters||Unicode Characters|
As hopefully most of you have noticed, the dot on top of the i is missing in the Unicode URL. But in a real-life scenario,this might be enough to trick you into thinking you are visiting the legit website. This can be made even more believable most mail clients allow to display a text with URL redirection behind it, such as a “click here” text taking you to Google for example. This behavior can be used by an attacker by showing the legit website URL in the link, but redirecting to the unicode link.
Caveat: Not all DNS registrars support punycode domains.
The email template
Depending on the goal of the phishing campaign, the attacker will likely search for a legitimate email of the person/company he/she is trying to pose as. The attacker will then adapt the template to create a link to the phishing website and sometimes even personalize the email or the opposite can also be true, remove any personal details to send it in bulk without taking the time to personalize the email (the last approach often results in a lower success rate).
How to recognize the fake email
There are a few things to bear in mind to determine if the email you have received is a phishing mail or not:
- Do you expect an email of this person/company – have they ever emailed you in the past?
- Is your name spelled correctly if your name is present in the email? does it just have your first or last name, or did it mention your full name? Do other emails (from the legitimate person/company) have the same writing style?
- Is the grammar in the email correct?
- In case there is a reference number involved (parcel number, account number, ….) does this match what you ordered / your account?
- Does the email have the right domain? Example of a wrong domain email@example.com sending you a DHL email. Check this very carefully knowing what you know now about punycode attacks.
- In case of any doubt, send a new email to the company/person (do not reply on the same email) and ask if the email you received is legitimate
So you did not see it was a trap in time and you clicked on the phishing link…
Just clicking on the phishing link does not necessarily mean that you are at risk, if your browser is up to date and you did not download anything from the phishing website, there is a very high chance you are still perfectly safe and are presented on a website that is either a payment website or a (very convincing) login form of some kind. In case you did not catch the fact that this was a phishing link, this is your final chance to find out, once you paid or filled in your credentials, it is often too late.
So what should you look out for you ask? Let’s find out together!
Ideally, if you want to always be 100% certain, you should never follow redirects in emails and always browse to the website manually to login. However, this takes some effort and it’s not always feasible, so the first thing you should look at is the URL in your browser. Is it the right URL? Is SSL being used (the lock icon in the left corner next to the URL)?
In case there are links on the website, click on them to see if they work. Often phishing websites clone the original website and disable any links so that the visitor does not get redirected to the real website by mistake, so if you click a link and nothing happens, or the page just refreshes, you can almost be certain that something is not right.
This one is rather obvious but I feel like I should mention it anyway:
In case you have visited the real website already:
Does the website in the email look like the website you visited? is the picture different? Is something in a spot it wasn’t before?
The fake login trick
If you even remotely suspect that the website you are visiting is fake, try logging in with fake credentials and see how the website behaves, does it throw the right error message to you? Or does it redirect you to another page as if your login was actually correct?
I hope these tips and insights provide useful for you and help you better understand and protect yourself against future phishing attacks. In case you have any tips, or would like to share extra insight or experience feel free to do so in the comment section!
About the author
Jean-François Maes is a red teaming and social engineering expert working in the NVISO Cyber Resilience team. When he is not working, you can probably find Jean-François in the Gym or conducting research. You can find Jean-François on LinkedIn.