How to Defend Against Phishing Attacks: An Illustrated Guide

Why bother hacking someone’s computer when you can simply trick them into letting you in? Cybersecurity’s greatest weakness is people, and “phishing” is the most common form of “social engineering”, the practice of exploiting human weakness to gain access to a system. Phishing is also the most common technique hackers use to steal your information (credentials, credit card numbers, etc.) or install malware on your computer. According to Verizon’s 2018 Data Breach Investigations Report, phishing and pretexting together accounted for 93% of the breaches that involved a social-engineering action.

Phishing is the practice of sending you a message impersonating a person or company you trust, with the goal of getting you to click a link or download a file that will steal your information or install malware on your computer.

The best defense against phishing is both human and technological. You can (and should) make your technological environment less susceptible to phishing attacks, but phishing is at the core a form of social engineering designed to exploit human weakness. The best defense is understanding how phishing works to be able to detect it and dismiss it.

Let’s look at how to detect phishing attacks and how to protect against them.

What Is Phishing Exactly?

Phishing is a form of social engineering in which a hacker sends you an email that impersonates someone you trust. Its goal is to lure you into giving away sensitive information or installing malware on your device.

Screenshot of a phishing email impersonating USPS
Example of phishing email impersonating USPS. Courtesy of ICS.

The vast majority of phishing messages are sent via email, but they are also sent via SMS (“smishing”) or directly via phone call (“vishing”). Basically, you can receive phishing messages via any means of communication, including your favorite messaging app (e.g. WhatsApp, Discord, Facebook Messenger, etc.).

Since email is the most common, we’re going to focus on email phishing in this article.

Another distinction worth noting is the difference between regular phishing, where hackers send thousands of phishing emails at random, and “spear-phishing”, where a hacker targets a specific individual. Spear-phishing is much harder to defend against because it’s often more elaborate and more customized to the target than regular phishing. Spear-phishing is usually reserved for high-profile individuals and company employees. It really deserves its own article, so here we’re focusing on regular phishing, which is more common.

Phishing is not the same as spam

I’ve noticed many people confusing the two: phishing is not the same as spam.

Spam is nothing more than unsolicited advertising in your inbox. Spammers are not ethical advertisers in that they don’t care whether you want their email, and the products they advertise may be shady (e.g. illegal online pharmacies), but they’re not impersonating a sender you trust, nor are they usually trying to steal from you. In fact, unsolicited commercial email wasn’t even regulated at the US federal level until the CAN-SPAM Act of 2003, and that law regulates it rather than banning it outright.

Phishing, on the other hand, has never been legal. Phishing is a form of fraud: it’s intentionally deceitful, and the hacker is trying to exploit your credulity to abuse you in one way or another.

Understanding How Phishing Attacks Work

Anatomy of a typical phishing attack

The graphic below depicts the typical flow of a phishing attack. As the victim, you only see parts of it. A phishing email usually asks you to click on a link or download a file.

How to spot a phishing email

Phishing emails vary in quality: some are well crafted and difficult to detect, while others are poorly written and easy to spot.

Here are common elements to look for when assessing an email for phishing.

  1. Sender’s Email Address
  2. Email Content
    • Low quality writing: generic greeting and closing, grammar issues, misspellings, etc.
    • Evokes fear or greed
    • Evokes urgency
    • Requires Action
  3. URL of the link

1st Element: Sender’s Email Address

In most cases, the email address of the sender alone will tell you whether the email is legitimate.

Finding the email address

When you receive an email, the sender is identified by 2 main components:

  • The Display Name, for example Tony Salt
  • The Email Address itself, for example [email protected]

If I sent you an email, you would be able to see both components. The way they’re displayed depends on your email service; for example Gmail displays both in that form when you open the email: Tony Salt <[email protected]>

The sender has full control of the Display Name. That means you cannot trust the Display Name: a hacker will change it to impersonate someone you trust. Always look at the actual email address. Mobile mail apps often show only the Display Name, so tap the sender’s name to reveal the address behind it.

Screenshot of 2 emails received from the same sender, but with a different Display Name
These two emails in my inbox have been sent by myself. But for one of them, I changed my Display Name to “Microsoft Corporation”.

The sender can control their Display Name, and technically they can also write any address they like into the From field: that’s “spoofing” the email address. What makes it rare in practice is that the major mail providers check SPF, DKIM and DMARC on incoming mail, and a brand that publishes a DMARC “reject” policy gets its spoofed messages rejected or sent to spam before you ever see them. Spoofed messages claiming to come from well-known companies therefore seldom reach an inbox at Gmail or Outlook. When analyzing an email we should rely on the email address, not on the Display Name, while keeping in mind that the address is strong evidence rather than absolute proof.

If you read only the Display Name, you might think Microsoft sent you an email. But when you look at the email address [email protected] you realize that it seems to be a random email account impersonating Microsoft.

Analyzing the email address

It’s pretty simple to analyze an email address once you know how to read it. The key is to identify which primary domain the email is coming from: the part of the name someone actually had to register. For example, for an email coming from [email protected], the primary domain is gmail.com.

There are 3 rules of thumb for reading an email address and understanding the primary domain:

  • Reading from right to left, the primary domain is the extension plus the single label in front of it. In john@support.microsoft.com the primary domain is microsoft.com; “support” is just a subdomain that the owner of microsoft.com chose. Country extensions like .co.uk count as one extension, so the primary domain of news.bbc.co.uk is bbc.co.uk.
  • Labels are separated by a dot “.” and only a dot. A hyphen separates nothing, so security-google.com is a single, unrelated domain that merely contains the word “google”.
  • Everything before the “@” is the mailbox name, which the account owner picks freely, so it can say “microsoft” or “paypal” without meaning anything.

Let’s look at a few examples:

For each email address, how to evaluate its primary domain:

  • microsoft.support@gmail.com: Even though the email address mentions Microsoft, the primary domain is gmail.com. It is a random Gmail account, not to be trusted.
  • cssupport@paypal.cssupprtt.com: That email address includes several official-sounding words, but the primary domain is cssupprtt.com. Never heard of it, I don’t trust it.
  • customers@security-google.com: You see “google.com” and may think it’s legit. But the primary domain is security-google.com. Anyone can register a domain with the word “google” in it. It’s a clever gimmick.
  • [email protected].tssrq.com: Don’t get confused by the multiple subdomains. The primary domain is tssrq.com. Nothing to do with Yahoo!
  • chase@e.chase.com: The primary domain is chase.com. It’s a legitimate email from Chase!

Simply look at the primary domain, compare it with the supposed source of the email, and verify it matches. An email coming from Yahoo should have an email address ending in yahoo.com. An email coming from Wells Fargo should have an email address ending in wellsfargo.com. Etc.

That’s how you screen an email by looking at the sender’s email address. It’s not 100% reliable, since a domain can still be spoofed when its owner hasn’t set up SPF, DKIM and DMARC, but it should still allow you to catch the vast majority of phishing emails.
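As an added example (not code from the original article), here is a small Python script that applies the rules above mechanically: it parses the From header the way a mail client does, ignores the Display Name entirely, computes the primary domain, compares it with the brand the email claims to come from, and also reads the DMARC verdict from the Authentication-Results header that receiving mail servers add (in Gmail, “Show original” reveals it). The two messages, the expected domains and the short list of two-label extensions are constructed for the example; a real tool would use the full Public Suffix List.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Two constructed messages (not real mail, not from the article). The
# Authentication-Results header is the one a receiving server such as Gmail
# adds after checking SPF, DKIM and DMARC; Gmail shows it under "Show original".
RAW_LOOKALIKE = """\
From: "Microsoft Corporation" <microsoft.support@gmail.com>
To: victim@example.org
Subject: Your account will be closed
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=gmail.com;
 dkim=pass header.i=@gmail.com; dmarc=pass header.from=gmail.com

Dear Valued Customer, verify your account within 24 hours.
"""

RAW_SPOOFED = """\
From: "Chase" <alerts@chase.com>
To: victim@example.org
Subject: Unusual sign-in
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=chase.com;
 dkim=none; dmarc=fail (p=REJECT) header.from=chase.com

Confirm your identity now.
"""

# Stand-in for the Public Suffix List: extensions that are two labels long.
# This short set is an assumption of the example; real code should use the
# full list (for instance via the "publicsuffix2" package).
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp", "com.br"}


def registrable_domain(host):
    """The 'primary domain' of the article: the last label before the
    extension, plus the extension itself. Subdomains are dropped."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def sender_domain(from_header):
    """Parse a From: header the way a mail client does. parseaddr() discards
    the display name, so a display name that itself looks like an address
    ("billing@paypal.com" <x@evil.example>) cannot fool this check."""
    _display, addr = parseaddr(str(from_header or ""))
    if "@" not in addr:
        return None
    return registrable_domain(addr.rsplit("@", 1)[1])


def dmarc_result(auth_results):
    """Extract the dmarc= verdict from an Authentication-Results header."""
    match = re.search(r"\bdmarc=(\w+)", str(auth_results or ""))
    return match.group(1).lower() if match else "none"


def assess_sender(raw_message, expected_domain):
    """Return the sender's primary domain, the DMARC verdict and a list of
    reasons to distrust the message (an empty list means no red flag)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    domain = sender_domain(msg["From"])
    dmarc = dmarc_result(msg["Authentication-Results"])
    flags = []
    if domain != expected_domain.lower():
        flags.append(f"claims to be {expected_domain} but was sent from {domain}")
    if dmarc != "pass":
        # The address may match, but the receiving server could not confirm
        # that the owner of that domain really sent it: possible spoofing.
        flags.append(f"From address not validated by DMARC (dmarc={dmarc})")
    return {"sender_domain": domain, "dmarc": dmarc, "flags": flags}


if __name__ == "__main__":
    for raw, brand in ((RAW_LOOKALIKE, "microsoft.com"), (RAW_SPOOFED, "chase.com")):
        print(brand, "->", assess_sender(raw, brand))
```

The second message shows why the DMARC check matters: its From address is exactly chase.com, so the domain rule alone would pass it, but the receiving server reported dmarc=fail, which is what a spoofed message looks like on the rare occasion it slips through.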

2nd Element: Email Content

The content of the email can also give you clues as to whether you’re dealing with a phishing email.

First of all, the overall quality of the writing can raise suspicion. Many phishing emails are written by hackers for whom English is not a first language, and it can show. A well-written email is no guarantee that the email is safe, but a poorly written one is a sure sign that you should be suspicious. A multi-billion-dollar company is unlikely to send you an email without a minimum of copy editing.

Besides the quality of the language, many phishing emails follow a similar “recipe” that includes several or all of the following components:

  • Generic greeting: If a company where you have an account starts their email by “Dear Sir” or “Valued Customer”, it should raise your suspicion. They have your name, why don’t they use it? It’s the mark of a mass email campaign intended to be sent to as many people as possible.
  • Generates fear or greed: A typical phishing email tries to generate some level of fear to prompt you to act. E.g. “Update your information or your account will be deleted”. Alternatively, it may play on your greed by offering something too good to be true. E.g. “You have received $9,545 in your PayPal account, please verify your information to confirm your identity.”
  • Generates urgency: Often the email will give you a short deadline to prompt you to act quickly. E.g. “There is a problem with your last income tax return, you have 24h to update your information with the IRS”
  • Requires action: The whole point of the phishing email is to get you to do something. Typically click on a link, or download a file.

My rule of thumb is that if I notice 2 out of the 4 elements above, I consider the email suspicious and needing more scrutiny before I do anything.

3rd Element: URL of the Link

The last element to look at is the URLs the email is trying to direct you to. It’s a bit more advanced, but it’s a good way to investigate where the email is trying to send you. Obviously, it’s only possible when there are URLs in the email; some phishing emails want you to download a file attachment instead.

You definitely want to avoid clicking on any link. But you can see the real destination of a link by hovering your cursor over it: your email client or browser will show the URL in the status bar, usually at the very bottom of the window. Don’t trust the visible text of the link, since a link that reads “https://www.fedex.com/tracking” can point anywhere. On a phone there is no cursor, but a long press on the link usually shows a preview of its destination.

A URL can be quite long; you want to focus on the URL domain name. There are 4 conclusions you can reach by looking at the URL:

The primary domain looks legit

It corresponds to the author of the email.

  • e.g. https://informeddelivery.usps.com/box/pages/...
  • e.g. https://e.chase.com/T/v60000017f08...
  • e.g. https://www.netflix.com/browse?g=820...
The primary domain is unknown

Nowadays many companies use third-party email marketing services. They’re legit but you may not recognize them unless you’re familiar with them. If you don’t recognize the domain, treat it like it’s suspicious.

  • e.g. https://links.iterable.com/u/click?_t=50...
  • e.g. https://www.exp2links2.net/refer_frie...
  • e.g. https://cl.s6.exct.net/?qs=389f5cba7...
The primary domain looks suspicious

It takes some experience to recognize a suspicious domain. But a rule of thumb is that if 1) it looks like it’s trying to resemble a trusted domain, 2) it includes fancy authoritative words, or 3) it has a lot of numbers in it, then it looks suspicious.

  • e.g. https://service-account-7254.com/?q...
  • e.g. http://latif637.000webhostapp.com/sig...
  • e.g. http://microsofrtonline.net/home/c4835f5...
The URL destination is a Redirect

URL Shorteners are services that will give you a short URL to redirect to a long URL; it’s a legit service and it’s convenient when you need to paste a URL with a limited number of characters. They work by redirecting connections to the short URL to the longer URL. They’re useful for hackers because with a short URL you cannot see the long URL they redirect to. As a result, treat shortened URLs in emails as suspicious.

  • e.g. https://t.co/... (Twitter’s URL shortener)
  • e.g. https://bit.ly/...(dedicated URL shortener service bitly.com)
  • e.g. https://cutt.ly/... (dedicated URL shortener service cutt.ly)
  • e.g. https://storage.googleapis.com/... (not a URL shortener, but Google’s cloud storage service, on which hackers host a redirect page or the phishing page itself; it is often seen in phishing emails)

In general, unless the URL looks legit to you, you should avoid clicking on it altogether. If you’re committed to investigating it, you can test it via a third-party service like Google’s Safe Browsing site status or VirusTotal, which check the URL without you having to visit it.

Lastly, another highly suspicious behavior is when several links in the same email direct to the same URL. It’s a trick hackers use to get you to click one way or another. There might be a big red button in the middle of the email and an “unsubscribe” link at the bottom. If both links have the same destination URL, it shows that the email author is trying really hard to get you onto their URL. Don’t click!
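To turn the four conclusions above, plus the two tricks just described (link text that shows one domain while the href points elsewhere, and several links sharing one destination), into something repeatable, here is an added Python example that is not part of the original article. It extracts every link from an HTML email body and classifies each primary domain as legit, unknown, suspicious or redirect. The HTML body, the allow-list of trusted domains, the shortener list, the “authoritative” words and the character-swap table are all assumptions made for the example; the arnazon.com lookalike is the one the article discusses later for the address bar, and the same check applies there.

```python
import re
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed HTML body of a fake delivery notice (example input, not from the
# article). Three differently worded links, "Unsubscribe" included, share one
# shortener URL, and one link's visible text names fedex.com while its href does not.
SAMPLE_HTML = """
<p>We could not deliver your package. Action required within 24 hours.</p>
<p><a href="https://t.co/abc123">Track your package</a></p>
<p>Or copy this link: <a href="https://t.co/abc123">https://www.fedex.com/tracking</a></p>
<p><a href="https://www.amazon.com/gp/help">Help</a>
   <a href="http://arnazon.com/ap/signin">Sign in</a>
   <a href="https://service-account-7254.com/?q=1">Verify</a>
   <a href="https://links.iterable.com/u/click?_t=50">Offers</a></p>
<p><a href="https://t.co/abc123">Unsubscribe</a></p>
"""

# The lists and heuristics below are assumptions of the example, not an authoritative source.
SHORTENERS = {"t.co", "bit.ly", "cutt.ly", "tinyurl.com"}
KNOWN_GOOD = {"amazon.com", "fedex.com", "usps.com", "chase.com", "netflix.com",
              "google.com", "microsoft.com", "paypal.com"}
BRAND_NAMES = {d.split(".")[0] for d in KNOWN_GOOD}
AUTHORITY_WORDS = ("secure", "security", "account", "verify", "support", "login", "service")
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l"}  # arnazon -> amazon, g00gle -> google


def registrable_domain(host):
    """Primary domain as in the article: the label before the extension plus the
    extension. (Two-label extensions such as co.uk are left out here for brevity.)"""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def lookalike_of(domain):
    """Undo the confusable swaps; if that yields a trusted domain and the
    original was not one, the original is a lookalike of it."""
    name, _, ext = domain.partition(".")
    for fake, real in CONFUSABLES.items():
        name = name.replace(fake, real)
    candidate = f"{name}.{ext}"
    return candidate if candidate != domain and candidate in KNOWN_GOOD else None


def classify(url):
    """Map one URL to one of the article's four conclusions."""
    host = urlsplit(url).hostname
    if not host:
        return "no host (mailto:, javascript: or relative link)"
    domain = registrable_domain(host)
    if domain in SHORTENERS:
        return "redirect"
    if domain in KNOWN_GOOD:
        return "legit"
    target = lookalike_of(domain)
    if target:
        return f"suspicious: lookalike of {target}"
    name = domain.split(".")[0]
    if BRAND_NAMES & set(name.split("-")):  # e.g. security-google.com
        return "suspicious: brand name inside unrelated domain"
    if any(w in name for w in AUTHORITY_WORDS) or len(re.findall(r"\d", name)) >= 3:
        return "suspicious: authoritative words or many digits"
    return "unknown"


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def triage(html_body):
    """Classify every link and flag the two tricks from the article: visible text
    naming one domain while the href goes elsewhere, and several differently
    worded links (e.g. the big button and "Unsubscribe") sharing one destination."""
    parser = LinkCollector()
    parser.feed(html_body)
    report = {"links": [], "text_mismatch": [], "shared_destination": None}
    texts_by_href = defaultdict(set)
    for href, text in parser.links:
        report["links"].append((href, text, classify(href)))
        texts_by_href[href].add(text)
        if re.match(r"https?://", text):
            shown = registrable_domain(urlsplit(text).hostname or "")
            if shown != registrable_domain(urlsplit(href).hostname or ""):
                report["text_mismatch"].append((text, href))
    for href, texts in texts_by_href.items():
        if len(texts) >= 2:
            report["shared_destination"] = (href, sorted(texts))
    return report
```

Calling triage(SAMPLE_HTML) returns the verdict for each of the seven links, the fedex.com text/href mismatch, and the t.co URL as the shared destination of three differently worded links. Two limits are worth knowing. The heuristics are the article’s rules of thumb and nothing more: a typo domain such as microsofrtonline.net comes out as “unknown”, which is exactly why “unknown” should be treated as suspicious rather than safe. And the script only reads the HTML; it never fetches a URL, so a shortener stays “redirect” rather than being followed.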

Examples of phishing emails

But that’s enough theory. Armed with our criteria for spotting phishing emails, let’s look at some real life examples.

Fake Costco Email

We notice that this email includes several warning signs.

The sender’s email address doesn’t appear to be legitimately from Costco at all. This sign alone is enough to consider the email deceitful.

The content of the email is overall passable, but the author made a mistake spelling the word “Wholesale”, which is a reason to be suspicious. The email also does not include any greeting calling me by my name. If I’m a Costco customer, surely they know my name and would include it in the email. Lastly, the email plays on my greed with the promise of freebies, and requires me to click on a link. Typical signs of a phishing email.

The nail in the coffin is the URL the button would direct me to. When looking at it (without clicking), it would direct me to a website with a t.co domain — t.co is a URL shortener by Twitter; clicking on that link would redirect me to another website that I cannot see. This is clearly an attempt at hiding the link destination.

Fake Norton Antivirus Notice

Fake iPhone Reward From T-Mobile

Fake Fedex Notification

How to spot a phishing website

In spite of your best efforts, you may end up clicking on a phishing link by mistake. At that point, either the site is going to try to infect you with malware, or it’s going to mimic a website you trust to trick you into entering your login credentials.

Website trying to install malware

When a website is trying to install malware on your computer, it can do so 1) by exploiting a vulnerability in your Internet browser, or 2) by tricking you, and often by a combination of both.

When malware exploits a vulnerability in your browser (a “drive-by download”), it succeeds if your browser is vulnerable to that specific exploit. The website might not even need your interaction to exploit your browser, and you may not see anything happen. It’s the most dangerous type of attack because there is not much you can do about it at that moment. To protect yourself against such an infection, the only thing you can do is be prepared for it in a few ways:

  • Keep your Internet browser updated. Vulnerabilities in browsers are regularly discovered. Hackers know that people don’t like to update their software, so they review recent vulnerabilities, create exploits for them, and it allows them to infect all out-of-date browsers. An up-to-date browser is the best defense against malware infection from websites: when you see an update available for your browser, update it!
  • Keep your operating system updated. Same as your browser: a vulnerability in your operating system can be exploited by the website to infect your computer. Whether it’s Windows, macOS (less often a target), or Linux (rarely a target), always keep it updated. Turn on automatic updates and don’t procrastinate on authorizing them.
  • Browser extensions can be exploited too. They run inside your browser and, depending on the permissions they ask for, can read and change everything on every page you visit, including what you type into login forms. Some extensions are malware outright, so only install trusted extensions from the official store. Others are clean and legitimate but have vulnerabilities of their own. There isn’t much you can do about that; a good rule of thumb is to keep the number of extensions you install to the strict minimum and remove the ones you no longer use.
  • Avoid visiting R-rated and pirated-software websites. No moral judgement here, but the “shady” areas of the Internet are where malware is more common. If you still want to access R-rated content, stay with the better-known websites; they are usually safer.
  • Install third-party malware protection. It’s debatable whether antivirus products are worth the cost now that Windows ships with its own “Windows Security” (Microsoft Defender Antivirus), which is pretty effective. But if you’re worried about malware, you can explore that option. For an individual, I typically don’t recommend a paid antivirus; keeping your software (browser, operating system) updated is much more important. For a small business, an antivirus or endpoint-protection solution can be useful, especially for features that make it easier to administer the security of an internal network.

The other way a website can install malware on your computer is by simply asking you, or rather, by tricking you into installing it. There are many tricks a website can use to get you to install it. Most of them involve the website “explaining” to you that you need to install a piece of software (= the malware) under the guise of some important update or fix to a problem it has detected. The scenarios the website will invoke are only limited by the hacker’s imagination, but here are some examples:

  • Fake Plugin Update. The website claims to detect that you are missing an essential plugin from Microsoft/Apple/Adobe/[any other trusted name here] that you need to install before you can continue browsing the website. It may disguise itself as a “Flash Player Update”, a “Video Codec”, a “PDF Viewing Plugin”, etc. Adobe Flash Player was discontinued at the end of 2020, so any prompt to install or update it today is fake by definition, and modern browsers play video and display PDFs natively without asking you to download anything.
  • Fake Antivirus Scan. The website mimics an antivirus scan and pretends to find some virus/malware on your computer. In order to fix it, you must download their “virus remover” software.
  • Fake Rewards and Giveaways. The website claims a reward from a trusted brand is waiting for you (e.g. Amazon gift card). To get it, you just have to download their app and launch it.
  • Other Game, App, Etc. Any other pretext can be made to convince you to download a file and run it. A Minecraft update, a Microsoft Word extension, a cool new app… whatever the pretext, assume it’s malware unless you trust the website.

Website trying to steal your login credentials

A phishing website that tries to steal sensitive information such as login credentials is unfortunately pretty easy for a hacker to create. It tricks you by impersonating a website you trust, and it can be a pixel-perfect replica of the real website, since the attacker can simply copy the real page. You cannot rely on how a website looks to determine whether it’s legitimate.

The best way to identify whether a website is legitimate is by looking at the URL in your browser.

The real Amazon sign-in page

A phishing site mimicking the Amazon sign-in page

When comparing the real and the fake Amazon page above, there is no discernible difference in the content of the pages. However, the URL is not the same.

The URL of the real Amazon page shows the expected domain amazon.com, and the lock icon in the browser (Chrome in this case) tells you that the connection is encrypted and that a certificate authority has verified that the site’s operator controls that domain name.

The URL bar in Chrome for the fake Amazon page does NOT display the lock icon (it shows http:// rather than https://), which means the connection is not encrypted and nothing about the site has been verified at all.

Be careful, though: the lock is not a seal of legitimacy. Certificates are free and automated nowadays, and most phishing sites have a perfectly valid one for their own lookalike domain. A missing lock is a red flag; a present lock only proves you are talking to whoever owns the domain shown in the URL bar, which is why the domain itself is what you must check.

In addition, the domain looks like Amazon’s, but is spelled arnazon.com, with rn instead of m.

Verifying the URL of the website you’re on is the easiest and most effective way to tell a fake from the real website. It is technically possible for an attacker to make the genuine URL resolve to their own server (that’s “DNS spoofing”, or a tampered hosts file on your machine), but on an HTTPS site the browser would then show a certificate warning, unless the attacker already controls your computer, in which case you’d have bigger problems. For all intents and purposes, it is so rare that you don’t have to worry about it. You can rely on your browser’s URL bar.

Tools Against Phishing Emails

The tools and services you use may be able to offer some protection against phishing. No tool can replace human awareness, and surely no tool can guarantee 100% protection against ever evolving phishing techniques. But they can provide a fail-safe mechanism when you’re distracted and make mistakes.

For individuals, I would simply recommend using a modern, reputable email service like Gmail, Outlook.com (formerly Hotmail), or Yahoo Mail. These tech giants are not the best for privacy, but they’re strong on security: they have the know-how and resources to develop anti-phishing features as part of their email service, and they enforce SPF, DKIM and DMARC on incoming mail. It’s far from perfect, but it’s better than using your ISP’s email service (e.g. Comcast or Cox email) or other smaller email providers. You may prefer a different email service for other reasons, but against phishing the big ones are the best ones.

Optionally, access your email via webmail (e.g. gmail.com for Gmail) instead of importing it into an email client on your computer (such as Apple Mail or the Windows Mail app). The web applications are updated more frequently and are likely better at detecting new threats, including warning you when an email looks suspicious.

For small businesses it’s more complex because it’s not enough for you to defend against phishing; you need your colleagues to do it equally well. Furthermore, employees are more likely to receive spear-phishing emails, which are harder to detect. So you may want to consider extra security to make your environment more fool-proof. Here are some tools to consider:

  • Use reputable cloud email providers for businesses, in particular Google Workspace (see Google’s anti-phishing features) or Microsoft Exchange Online (see Microsoft security features). It won’t prevent your employees from ever falling victim to a phishing email, but they provide a solid environment with some fail-safes.
  • Publish SPF, DKIM and DMARC records for your own domain, and move the DMARC policy to p=reject once your legitimate mail passes; both providers above document how. This doesn’t stop phishing from lookalike domains, but it stops attackers from spoofing your exact domain in mail to your employees, customers and partners.
  • Sign up for a dedicated anti-phishing service. These services are not free, but if you’re going to spend anything on your cybersecurity, it should probably be against phishing as it’s the most common threat.
    • Microsoft Defender for Office 365. Microsoft offers an additional security service against email-based attacks that integrates with the Microsoft suite. Exclusively for Microsoft Exchange Online.
    • Avanan anti-phishing software. Avanan integrates with your Google or Microsoft email inbox and adds an additional layer of AI-based protection against phishing attacks. It’s affordable and user-friendly. Provides an admin dashboard.
    • Cofense Phishing Detection and Response. If you want maximum protection, Cofense offers a heavy-weight phishing protection. They mix AI detection and security professionals to identify and mitigate phishing attacks as they happen.
  • Employee training. Ok it’s not a tool. But as much as unaware employees are the biggest weakness against phishing attacks, trained employees are your best defense. While the tools above are mostly technical, Cofense also offers phishing awareness training to your employees.

Conclusion: There Is No Way Around Learning

Once you know how to recognize phishing emails, it is usually not difficult to detect them. Then the risk mostly comes from acting too quickly, without double-checking that an email is legitimate, and making mistakes. It’s important to develop a bit of a “spider sense” when opening new emails, and most importantly not to assume that your inbox is a secure place. When an email requires you to take some kind of action — clicking a link or downloading a file — it’s time to double-check the sender’s email address, and assess whether you trust it.

Keeping an eye out for phishing emails should be considered part of your regular security hygiene. Just like locking your car or your front door, you want it to become a habit.

If you fall victim to a phishing attack and get your login credentials stolen, you may have given the hacker full access to your account. A simple security measure to deny them access even with your credentials is to enable two-factor authentication for your important accounts. Prefer a security key or passkey where the service offers one: a code sent by SMS or generated by an app can be phished too, since a fake login page can simply ask for it and relay it in real time, whereas a security key only works on the genuine domain. If you haven’t yet, I recommend it as your next step: A Simple Guide To Using Two-Factor Authentication (2FA).

More examples of phishing emails:

Attribution for icons used in the making of the “Anatomy of a typical phishing attack” diagram:

  • Malware icon: created by Vectorstall.
  • Botnet icon: created by Amethyst Studio.
  • Crypto mining icon: created by Frühstüc.
  • Ransomware icon: created by Start Up Graph.
  • Website icon: created by Julynn B.