I know what you’re thinking, dear reader: “No, not another ‘how to recognize phishing’ blog that recounts the same old tips I’ve seen a hundred times before.” Well, my sysadmin friend, I respectfully say that just this once, you're mistaken.
This blog is divided into two separate sections: tips on how to recognize phishing as an end user — and how to do this as a sysadmin using more advanced tools, such as Domain Dossier and VirusTotal.
But before we get nerdy about phishing, let’s start with the basics.
What is phishing?
Phishing is a social engineering attack that simulates communication from legitimate companies or sources to trick you into giving up your personal information.
It’s a plague on business operations, too. According to IBM’s Cost of a Data Breach 2024 report, phishing and stolen credentials were the most common initial attack vectors among all data breaches at organizations. And even worse, the average cost of a data breach is at an all-time high: $4.88 million.
How to spot a phishing attempt
Not sure if an inbound email or text is a phish or a friend? Here are some tips on how to spot a phishing attempt.
Look for typos and other inaccuracies
Today’s cybercriminals are stealthy and smart. They’ve gone phishin’ enough times to know what works and what doesn’t. And they also know who’s most likely to fall for a phishing attack.
And that’s why they purposefully include typos and other content inaccuracies in their phishing email and text message campaigns.
The security community has publicly laughed at so many phishing messages riddled with bad grammar and spelling. And even folks with a keen eye for copy have joined in on the laughter. Threat actors know that targeting these people with their phishing attacks is a waste of time. These savvy users are too busy laughing over poor spelling and grammar.
Instead, hackers set their sights on more gullible people prone to overlooking those mistakes and reacting to an urgent request.
When you get a new email, look at the sender, the email address, and the text of the email itself. When you get a new text message, see if the number looks familiar, and take a thorough look at the text itself. If you see typos, grammatical errors, or transposed letters, you could be staring a phishing attempt in its ugly face.
Examine the tone
And speaking of a sense of urgency, that’s another telltale sign that you’re the target of a phishing attack. I get it — Netflix wants its $22.99 (up from $19.99) for the month. But marketing and customer service teams know better than to urgently request payment. You may get a reminder that your bill is due, but it won’t reek of a life-or-death emergency.
I have a friend in cybersecurity who conducted a simulated phishing campaign on a local school district’s employees. He knew open enrollment for insurance was almost over, which made for a perfect topic for his campaign.
He grabbed a list of all employees and used social media to try and guess which employees had children (i.e., introduce more urgency because children were involved). He sent a targeted phishing email (known as spear phishing) to all employees he suspected were parents, stating that their enrollment had an error, and if they didn't act soon, their dependents wouldn’t be eligible for coverage (i.e., creating the ultimate sense of urgency).
The response rate for this simulated phishing email was abnormally high, thanks to the targeted nature of this campaign as well as a sense of urgency to act before time ran out.
Identify and verify the sender
An email or text from a name you know isn’t automatically safe — even if the “from” name is your dear, sweet Aunt Betty.
It’s unfathomably easy to create an email address with any name you’d like to display as the sender — and nothing’s stopping someone from texting and saying, “This is Aunt Betty with a new number. Send me $3,000.” And cleverer hackers can even use Aunt Betty’s real phone number to target you.
Be sure you check and verify all email addresses and phone numbers, especially if the communication requests you take action. Verify that the sender is who they say they are. If it’s Amazon, navigate to amazon.com and fire up a chat to confirm the communication is legit. And if it’s Aunt Betty, call her at her old number and ask her why she thinks you’re made of money.
Use common sense
I know — but think about it. If you didn’t order anything from Amazon, why would they send you an invoice? If you aren’t expecting a package, why would USPS send you a tracking link? And if you don’t have a Netflix subscription, why would they request payment?
Using common sense can be difficult when threat actors are skilled at creating urgent situations. It’s easy to forget to stop, breathe, and think before acting. But it’s critical to do just that to avoid falling victim to the latest phishing scam.
Examples of phishing attempts
Here’s the fun part. I asked my fellow PDQTs to share some phishing attacks they’ve been targeted by — and they didn’t disappoint.
I’ll go first.
1. The CEO bait
For those of you who don’t know, Dan Cook is our CEO at PDQ. I like the guy, but we’re not really on a texting basis — and I can't envision him “signing off” on a text with his full name. (He’s more of a “catch ya later” type of guy, I think.)
And here’s my last question. Why is he texting me with a New York-based area code when he’s been in the greater SLC area since practically forever?
2. The “Are you serious, HR?” bait
This email is a more blatant attempt, but let’s humor it by asking a few common sense questions.
What is “Pdq Software Inc”? As the Ting Tings once sang, “That’s not [our] name.”
Why would our vacation policy be posted publicly on our website?
Since when do we have an HR department? We have PeopleOps, not HR, at PDQ.
Why would vacation policies change because of COVID-19 — let alone in August 2023?
Perhaps most importantly, why is this email coming from “hr@account-policies[.]com” and not from our PDQ domain? Also, note that while the email address was displayed for me here, you can usually hover over the email address in an email to see the sender’s real address.
That’s gonna be a “report as phishing” for me.
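The “Identify and verify the sender” advice and the HR example above both come down to one mechanical check: separate the friendly display name from the address that actually sent the mail, then ask whether that address’s domain is one of yours. The following Python snippet is an added example for this post, not PDQ’s code. It assumes a hypothetical trusted-domain set (“pdq.com” is a stand-in for whatever your organisation really sends from), and its sample headers are constructed; the HR sender is the post’s own account-policies[.]com, refanged so the parser can read it.

```python
"""Separate a From header's display name from the address behind it, the
check a person does by hovering over the sender.

Added example for this post, not PDQ's code. The trusted-domain set and the
sample headers are constructed for illustration; "pdq.com" stands in for
whatever domains your organisation actually sends from.
"""
from email.utils import parseaddr

# Constructed: domains from which HR/PeopleOps mail legitimately originates.
TRUSTED_DOMAINS = {"pdq.com"}


def split_from(header: str) -> tuple:
    """Return (display_name, address, domain) parsed from a From header value."""
    name, addr = parseaddr(header)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    return name, addr, domain


def from_header_findings(header: str, trusted_domains=TRUSTED_DOMAINS) -> list:
    """List the reasons a From header deserves suspicion; empty means nothing found."""
    name, addr, domain = split_from(header)
    findings = []
    if not addr or not domain:
        findings.append("sender address missing or unparseable")
        return findings
    if domain not in trusted_domains:
        findings.append(f"real sender domain {domain!r} is not one of ours")
    # A display name can itself look like an address ("it@pdq.com <x@elsewhere>");
    # mail clients show the name, so the reader sees the wrong address.
    if "@" in name and name.lower() != addr:
        findings.append("display name contains an address that differs from the real one")
    # The name drops our brand while the address lives somewhere else entirely.
    for trusted in trusted_domains:
        brand = trusted.split(".")[0]
        if brand in name.lower() and domain not in trusted_domains:
            findings.append(f"display name mentions {brand!r} but the address is on {domain!r}")
    return findings


if __name__ == "__main__":
    # Constructed headers: the post's HR example (domain refanged) and a clean one.
    for sample in ('"Pdq Software Inc HR" <hr@account-policies.com>',
                   '"Dan Cook" <dan.cook@pdq.com>'):
        print(sample, "->", from_header_findings(sample) or ["no findings"])
```

The display-name check matters because most mail clients show only the name by default, so a name that contains a plausible address is what the reader sees, while the real address sits behind the hover.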
3. The “We tried to deliver this thing you didn’t even order” clone phishing bait
This text has so many red flags. Let us count a few of the ways:
Since when does USPS text from a phone number that starts with the UK international code +44? (There’s a United Kingdom vs. United States joke in there somewhere, but I’m sure our HR department that emailed me and doesn’t exist wouldn’t want me to make it.)
The link doesn’t even make sense. The actual USPS exists online at — wait for it — usps.com, not at a .shop domain.
This text has a lot of inconsistent punctuation — another telltale sign that this is a phishing attack in the works.
So, what happens when you click the link? Glad you asked. (And don’t worry, I didn’t actually click it — more on that in a bit.)
It looks pretty legitimate, right? Unfortunately, if you were to enter any sensitive information here, you’d hand it right over to threat actors.
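The second red flag above, a USPS message whose link lands on a .shop domain, is something you can check without opening the link at all: pull the hostname out of the URL, reduce it to its registrable domain, and compare that with the domain the invoked brand really uses. The Python below is an added example for this post, not PDQ’s or urlscan.io’s code. The brand table and the sample message are constructed; the link domain is the post’s own top-uscc[.]shop, refanged so the code can parse it, and the registrable-domain rule is the simplified “last two labels” version, which does not understand suffixes such as co.uk. It also defangs the URL so it can be pasted into a ticket or chat without becoming clickable, which is how the post itself writes indicators.

```python
"""Check where a link in a suspicious message really points before anyone
clicks it, and defang it so it can be pasted into a ticket safely.

Added example for this post, not PDQ's or urlscan.io's code. The brand table
and the sample text are constructed; the link domain is the post's own
top-uscc[.]shop, refanged so the code can parse it. The registrable-domain
rule is the simplified "last two labels" version and does not know about
suffixes such as co.uk.
"""
import re
from urllib.parse import urlsplit

# Constructed: brands commonly impersonated and the domains they really use.
BRAND_DOMAINS = {"usps": "usps.com", "amazon": "amazon.com", "netflix": "netflix.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed message modelled on the fake delivery text in the post.
SAMPLE_TEXT = ("USPS: your parcel could not be delivered ,please confirm your "
               "address within 24 hours : https://top-uscc.shop/")


def extract_urls(text: str) -> list:
    """Return every http(s) URL found in the message body."""
    return URL_RE.findall(text)


def registrable_domain(host: str) -> str:
    """Reduce a hostname to its last two labels (www.usps.com -> usps.com)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def defang(url: str) -> str:
    """Break the scheme and host so the URL is not clickable when shared."""
    parts = urlsplit(url)
    live = f"{parts.scheme}://{parts.netloc}"
    safe = f"{parts.scheme.replace('http', 'hxxp')}://{parts.netloc.replace('.', '[.]')}"
    return url.replace(live, safe, 1)


def link_findings(text: str, brand_domains=BRAND_DOMAINS) -> list:
    """For each URL, compare the link's domain with the brand the message invokes."""
    lowered = text.lower()
    results = []
    for url in extract_urls(text):
        host = urlsplit(url).hostname or ""
        reg = registrable_domain(host)
        # A brand counts as invoked if it appears in the message text or the hostname.
        invoked = [b for b in brand_domains if b in lowered or b in host]
        notes = [f"message invokes {b} but the link goes to {reg}, not {brand_domains[b]}"
                 for b in invoked if reg != brand_domains[b]]
        if not invoked:
            notes.append("no known brand referenced; verify the domain by hand")
        results.append({"url": url, "defanged": defang(url), "host": host,
                        "registrable_domain": reg, "findings": notes})
    return results


if __name__ == "__main__":
    for r in link_findings(SAMPLE_TEXT):
        print(r["defanged"], r["findings"])
```

Feed the defanged value, not the live URL, to whatever ticketing or chat tool you use; the live form is only needed when you hand the link to a sandboxed scanner such as urlscan.io.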
Tools for investigating phishing attempts
It’s time to nerd out over some valuable tools that can help you investigate phishing scams. My three favorite tools are urlscan.io, VirusTotal, and Domain Dossier.
urlscan.io
urlscan.io is one of my favorite tools because you can visit where a link would take you without actually clicking it. (This is how I grabbed the screenshot for the malicious link that USPS supposedly sent.)
Scanning a URL using this tool is neat because it gives you good community info. Below is a screenshot of what happened when I ran the malicious top-uscc[.]shop link.
You can see a lot of detailed information using this tool, such as the originating IP address, HTTP requests, DNS records, and any redirects that happen on the page. And you can even see how many times other users have scanned the URL.
And thanks, Google Safe Browsing, for flagging this page as malicious.
VirusTotal
VirusTotal is a tool you can use to scan files and URLs. It uses intelligence from the leading security vendors and community-submitted data, noting which vendors have flagged files (via their hashes) and websites as malicious.
For consistency’s sake, let’s revisit our old friend, top-uscc[.]shop:
Shady, shady stuff going on here.
I love the community aspect of VirusTotal. If you click the Community tab, you can see user-submitted comments, which are particularly helpful when dealing with a malware sample. Users and researchers can leave a comment to let the community know what the malware did once it was detonated in an environment — and how to mitigate it.
Domain Dossier
Domain Dossier is a tool from CentralOps that lets you see reports from public records regarding domain names and IP addresses.
This tool can initially feel like information overload, so let's break down some critical tidbits of information we can gain from it.
First things first, we can see the IP address attached to this domain. We should also be able to see the Whois record, but in the case of this website, the server is busy. That is a red flag because guess whose Whois data could be returned immediately? That’s right: USPS’s.
When investigating a phishing attempt, I use these three tools in tandem. As an investigator, I trust data more when I can verify it through several sources. I don’t want to flag a false positive — and I definitely don’t want to accidentally flag a phishing scam as legitimate. But if all three of these tools come back with red flags, there’s a good chance you’re dealing with something that’s at minimum suspicious — and at worst malicious.
How to get your end users to care about phishing
I refuse to bore you with a laundry list of ideas to help your end users recognize phishing. You already know that all the security awareness training in the world won’t do anything if your end users just don’t care. So, let’s give them reasons to care.
Why business email compromise matters
Business email compromise is a growing threat because these attacks are more targeted than spray-and-pray phishing campaigns. During a business email compromise attack, a bad actor devises a pretext, or a fake story, to lure the victim into sharing sensitive data or downloading malware. Each of these convincing attacks costs businesses around $50,000.
But why should your end users care about business costs? Because more often than not, it’s not just the business’s money and data on the line.
If attackers successfully launch one of these attacks, employees could also have their confidential information stolen, leading to identity theft and other dangers. And, of course, if your business loses thousands (or even millions) of dollars due to business email compromise, it becomes harder or impossible for the business to make payroll.
And those are pretty good reasons why your end users should care about business email compromise.
Why multifactor authentication matters
I’m going off script here to say that as an end user, I dislike multifactor authentication. I really do. I want to be able to just type in my password and get going. But because I understand the why behind it, I’ll take a few extra seconds to safeguard my company’s (and my own) data.
Even if an end user’s password is compromised, multifactor authentication adds another layer to the log-in process and can halt an attacker in their tracks. Unless your end users approve log-in requests all willy-nilly (pro tip: tell them not to), attackers won’t be able to successfully gain access to their accounts. Even better, end users will get a heads up that someone has recently tried to log in as them. That’s when they should go right to you to report the suspicious activity.
It’s worth mentioning to your end users that multifactor authentication is a great idea for their personal accounts, too. They’re already in the habit of using it at work. Using it at home gives them an extra layer of protection in their personal lives, too.
Why reporting successful phishing attempts matters
If one of your end users falls victim to a phishing attack at work, what kind of culture have you created for them to tell you?
Turns out, this is a question more IT and cybersec pros should ask themselves. In a simulated phishing exercise involving 1,000 end users, 20% of users clicked a phishing link — but only 7% of them reported their action to the help desk. Why? Because they’re afraid of negative outcomes, don’t want to be embarrassed, and they may not even understand the seriousness of cyberthreats.
The culture needed to encourage end users to report phishing starts with you. Empower your end users to report suspicious activity — even if it means having to confess to falling for a phishing attack. Let them know that the sooner they report it, the more likely it is that you can act and prevent threat actors from doing a ton of damage.
In short, let your end users know it’s okay to mess up. We all do. What's not okay is failing to let the IT team know about it.
How to mitigate phishing scams with Microsoft Exchange
One final note for our Microsoft users: Microsoft 365 offers step-by-step instructions that sysadmins can use to help minimize phishing scams in their environments. For example, you can set up a policy that flags emails from outside your network. End users see a box that says “External” on these emails — so even if the supposed sender is a trusted person, the email address itself is flagged as an external communication.
This is one of many steps you can take as a sysadmin to make your end users’ lives easier — which, of course, makes your life easier.