What is Email Phishing?


Phishing occurs when a third party, usually a malicious hacker or website, uses a company's brand identity to trick a user into exposing private information.

There are two types of email phishing:

  1. Phishing messages arriving to you
  2. Phishing messages that appear to come from you

Phishing emails take advantage of legitimate business brands to plant malware through an attachment or download, or to harvest login credentials. Phishing remains the primary method of obtaining credentials for attacks. You must know how to protect yourself, your users, and your business against it.



Identification of phishing emails

Hackers and phishing groups are constantly changing their patterns to improve both their targeting and the effectiveness of their emails in exploiting users, but there are some common characteristics to every phishing email.

(Image: phishing email example)

Why would I care if the phishing is "from" my domain?

Put yourself in the shoes of your customers, partners and suppliers. If you received an email that appeared to be from one of them, but it turned out to be phishing, would you still trust them? Would that erode their brand in your mind? Would you be more likely to check their legitimate emails for errors, problems, and threats? Phishing with your domain hurts your brand, even when your customers know you are not responsible! Additionally, phishing puts the delivery of your email at risk. Increasingly, email inbox providers like Google, Yahoo! and Outlook.com look at the domain an email is coming from and what the reputation of that domain is on their systems. If your domain name has been used for phishing, then all of your emails may come under additional scrutiny. If not controlled,

How do I recognize phishing that uses my domain?

Occasionally, email recipients will ask you directly "Did you send this email?", but by then it is too late. Phishing emails are like cockroaches: seeing one potentially means hundreds are hiding in the woodwork. Without adopting three newish technologies, you really can't know when your domain is being used for fraud and phishing. The technologies you need to think about are SPF, DKIM and DMARC, and they work together: SPF lets you tell the world who can send emails on your behalf, DKIM lets you digitally sign your emails, and DMARC lets you designate an email address to receive feedback on your email, among other things. Once you have SPF and DKIM configured for most of your email, you can get feedback on your email through the address in the DMARC record. Each email inbox provider (Google, Yahoo!, Outlook.com, etc.) will send reports listing all the senders of email for your domain, legitimate and phishing, that they received. You will want to analyze these reports to identify the IP addresses and domains that are not legitimately connected to your business.

How do I stop phishing with my domain?

Here again, SPF, DKIM, and DMARC are important technologies to understand. IP addresses and domains that fail to align or authenticate with SPF, DKIM, or DMARC are likely candidates for phishing scams. However, these can also be legitimate senders that are misconfigured or not included in your SPF. You will need to research each one to determine its legitimacy. Once you are sure you know who is legitimate and that they are passing SPF, DKIM, and DMARC controls, you can start informing inbox providers what to do with email that does not meet these controls. DMARC allows you to set the steps that a recipient should take with email that is failing SPF, DKIM, and DMARC checks:

  • None - Do nothing
  • Quarantine - Put this email aside and tell me you quarantined it
  • Reject - Bounce the email completely

Your DMARC record also allows you to set the percentage of traffic subject to these rules, from 0 to 100%. This level of granularity is important because it lets you control how quickly you move all of your email to a reject policy. This way you can test whether legitimate email is affected without negatively impacting your business. Once you reach a 100% reject policy, you are filtering out all phishing that uses your domain.
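The report analysis and sender triage described in the two sections above, written out as an added example (not code from the original article): it parses a DMARC aggregate report in the RFC 7489 layout and sorts each source IP into aligned, known-but-misconfigured, or unknown (the phishing candidates to investigate). The report, the domain and the known-sender list are all constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the RFC 7489 aggregate-report layout (not a real report); IPs are documentation ranges.
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>example.com</domain><p>none</p><pct>100</pct></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>250</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>40</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.9</source_ip><count>12</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

# Constructed inventory of IPs known to send on our behalf (198.51.100.7 stands for a vendor missing from SPF).
KNOWN_SENDERS = {"192.0.2.10", "198.51.100.7"}


def parse_report(xml_text):
    """Return (policy domain, rows); each row carries source IP, message count and aligned DKIM/SPF results."""
    root = ET.fromstring(xml_text)
    rows = [{
        "ip": rec.findtext("row/source_ip"),
        "count": int(rec.findtext("row/count")),
        "dkim": rec.findtext("row/policy_evaluated/dkim"),
        "spf": rec.findtext("row/policy_evaluated/spf"),
    } for rec in root.iter("record")]
    return root.findtext("policy_published/domain"), rows


def classify(rows, known_senders):
    """Bucket sources: DMARC passes when either aligned check passes; failing known IPs are
    misconfigured senders to fix; failing unknown IPs are the phishing candidates to investigate."""
    buckets = {"aligned": [], "known_misconfigured": [], "unknown": []}
    for r in rows:
        if r["dkim"] == "pass" or r["spf"] == "pass":
            buckets["aligned"].append(r)
        elif r["ip"] in known_senders:
            buckets["known_misconfigured"].append(r)
        else:
            buckets["unknown"].append(r)
    return buckets


if __name__ == "__main__":
    domain, rows = parse_report(SAMPLE_REPORT)
    for name, group in classify(rows, KNOWN_SENDERS).items():
        print(domain, name, [(r["ip"], r["count"]) for r in group])
```

Only once every source in the "known_misconfigured" bucket has been fixed or added to SPF/DKIM is it safe to raise the policy from none toward quarantine and reject.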


Phishing emails leverage a strong brand

In the example to the right, the 'From' email address used PayPal, but I've seen it with many big brands, especially in the credit card, financial, banking, and insurance industries. Ask yourself: do you really have an account? Is this the email address for that account? Have you done anything with the account lately?

The 'From' domain and the return path domain will not match

It is relatively easy to spoof a "From" address. Email standards allow third-party senders to send email on behalf of another domain; otherwise, inbox providers like Google and Outlook.com or bulk mail providers could not send email for the business or personal domains they host. If the "From" and Return-Path domains do not match and the Return-Path looks random or shady, it is very likely that you have a phishing email. Also, most companies will not use a third party to send important account emails like the one above, but rather their own internal servers. Check the Return-Path address in the header to see if it looks legitimate.

There is an attached file

If you have to download something that you did not ask the company for, it is likely a phishing email and may contain malware. Even PDFs or DOCs can contain malicious payloads. At the very least, the senders try to make you believe their fake document is valid so that they can obtain personal, private or financial data from you. Do not download attachments that you have not requested.


There is a sense of urgency

The email will ask you to "act soon" or it will cost you money. This sense of urgency makes you react before you think. Take a breath before you act on any email that looks really important.

Links on the page go to a different domain

Often, a phishing email will include a link to an unrelated domain or just an IP address. The goal is to get you to click on any link without thinking, so that they can capture your information when you try to log into their fake website. Sometimes the domains are even crafted to look like subdomains or related domains. Always check links before clicking on them. When in doubt about any link, open a clean window, navigate to the company's website and log into your account from there to verify the problem.
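The two header and link checks described above (From versus Return-Path domain, and link hosts outside the From domain), as an added example that is not part of the original article. The raw message is constructed for the example and uses reserved example domains; `same_org` treats only true subdomains as related, so a host that merely starts with the brand's domain is flagged.

```python
# Added example: check a raw message for a From/Return-Path mismatch and for links
# whose host is not the From domain or one of its subdomains.
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample message (not a real phishing email); all domains are reserved example names.
RAW_MESSAGE = b"""Return-Path: <bounce-8831@mail-relay.example.net>
From: "Example Bank" <alerts@example-bank.com>
To: user@example.org
Subject: Act now: your account will be suspended
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please <a href="http://example-bank.com.login-verify.example/account">verify your account</a>
within 24 hours, or see <a href="https://www.example-bank.com/help">our help page</a>.</p>
</body></html>
"""


def addr_domain(header_value):
    """Domain part of the first address in a header such as '"Name" <user@host>'."""
    match = re.search(r"@([A-Za-z0-9.-]+)", str(header_value or ""))
    return match.group(1).lower() if match else None


def same_org(host, domain):
    """True if host is the domain or a real subdomain of it; 'example-bank.com.evil.example' is not."""
    return host == domain or host.endswith("." + domain)


def analyze(raw):
    """Return the From/Return-Path domains, whether they differ, and every link host outside the From domain."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_dom = addr_domain(msg["From"])
    rp_dom = addr_domain(msg["Return-Path"])
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    link_hosts = [urlparse(u).hostname.lower() for u in re.findall(r'href="([^"]+)"', body)]
    return {
        "from_domain": from_dom,
        "return_path_domain": rp_dom,
        "return_path_mismatch": from_dom != rp_dom,
        "offsite_links": [h for h in link_hosts if not same_org(h, from_dom)],
    }


if __name__ == "__main__":
    print(analyze(RAW_MESSAGE))
```

A mismatch alone is not proof of phishing (legitimate bulk senders produce one too), so treat both findings as signals to weigh together, as the article advises.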

Quality varies

Some phishing emails, like the one above, look good on the surface. For example, the logos look correct, the fonts and color scheme are appropriate, and some of the language is even lifted straight from legitimate emails. However, when you read further, you may see spelling errors, grammatical errors, or other places where it is clear that the writer was not a native English speaker. Notice above that "DeLL" is not spelled correctly and the phrase "Isn't this you?" is not natural English. Take a moment to read the information presented in the email and check for grammar and spelling.


Source: https://mxtoolbox.com/c/landing/identifyingphishing?utm_source=IDPhishingEmail&utm_medium=email&utm_term=inlinelink&utm_campaign=IDPhishingEmail