Senit Lutgen is a student in the Winter 2023 Cohort of our Cyber Defense Analyst Bootcamp. Below, he details some of the tell-tale signs that a phishing attempt is masquerading as a legitimate email. This post was originally published on his LinkedIn page.
This is a little gem that we got recently. It was pretty obvious to us that it was not legit.
However when I first saw it, I thought these cyber-crooks had done a pretty good job. Nah! But, why did I think that?
🎯 The Problem
Humans can understand error-laden written communications. It may annoy us, but it doesn’t stop us. Add in an emotional distraction that is demanding urgent action, and we have a recipe to get scammed.
So, when I took just a few minutes to actually read this email, I was amazed at how bad and obvious it really was.
🔑 The key is to slow down and focus. Pretty simple right? But not something we like to do in our busy lives.
⚙ New Rule
Program a new rule into your brain.
Anytime you get an email that begs or demands urgent action and/or that has an emotional element (anger, surprise, fear…), take a breath and slow down.
Set your mind to the hypothesis that this email is illegitimate and then work toward disproving that. If you cannot disprove that to your satisfaction, then don’t take that hook!
Also, does it really matter if you take 5 to 15 minutes to investigate before acting? Probably not!
Do not click any links or call any numbers. Certainly, never enter or provide any information at this stage (if at all). If you really cannot help yourself from taking action, then do so by using a verified company portal or phone number. Never take action through the email.
🕵️ You Do NOT Have to Be a Cyber Guru
Here are some simple things to examine:
- Did this email trigger me to have an emotional response or to want to act quickly? Then, ask yourself, “would a company really do this to me”? If yes, get a new provider.
- How weird is the “From:” email address? Cyber-crooks use a number of deceptive techniques, such as really long, nonsensical URLs (email addresses or domains). Sometimes they will use a shortened URL, or they will use the legitimate business name with some hyphenated combination or spelling errors.
- 🔑 The key. A business should make it easy for you to know who you are dealing with.
- Look for misspelled words and poor use of language and grammar. That is not to pick on anyone who’s not a native English speaker. Nonetheless, a legit business probably has some publishing and communication standards.
- 🚩 If you see strange characters used to spell words in a URL, that is a gigantic red flag.
- ⚠ HOVER - BUT DO NOT CLICK - you can hover over any links to see if they look legit.
- Ask yourself, “what does this email want me to do, and why would a criminal want me to do that”?
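The link checks in the list above (strange characters in the host, the brand name glued into a hyphenated or misspelled domain, URL shorteners, overly long hosts, and the hover test of visible text versus real target) can be applied mechanically. The helper below is an added example, not part of the original post; examplebank.com, the shortener list and the sample links are constructed values.

```python
import re
from urllib.parse import urlparse

# Constructed values for the demo: the brand the mail claims to come from, plus common link shorteners.
TRUSTED_DOMAIN = "examplebank.com"
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd"}
DOMAIN_RE = re.compile(r"[\w.-]+\.[a-z]{2,}", re.I)  # \w also matches non-ASCII letters

def edit_distance(a, b):
    """Levenshtein distance; used to spot one- or two-letter misspellings of the brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def host_of(url):
    """Lower-cased host of a URL or bare domain, with a leading 'www.' dropped ('' if none)."""
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def link_flags(anchor_text, href, trusted=TRUSTED_DOMAIN):
    """Return the checklist items a link trips; an empty list means nothing odd was found."""
    flags = []
    host = host_of(href)
    if not host:
        return ["no-host"]
    brand = trusted.split(".")[0]
    labels = host.split(".")
    if host != trusted and not host.endswith("." + trusted):
        if any(ord(c) > 127 for c in host):
            flags.append("strange-characters-in-host")
        if host in SHORTENERS:
            flags.append("url-shortener")
        if brand in host.replace("-", ""):  # e.g. examplebank-secure-login.com
            flags.append("brand-in-lookalike-host")
        elif len(labels) >= 2 and 0 < edit_distance(labels[-2], brand) <= 2:  # e.g. exampelbank.com
            flags.append("misspelled-brand")
        if len(host) > 40 or len(labels) >= 5:
            flags.append("long-nonsensical-host")
    # the "hover" check: the text you see names one site while the real target is another
    shown = DOMAIN_RE.search(anchor_text)
    if shown and host_of(shown.group(0)) != host:
        flags.append("displayed-link-differs-from-target")
    return flags
```

A link that goes to the trusted domain itself yields no flags; anything it returns is a reason to use the company's own portal or phone number instead of the email.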
🏁 The Easiest Thing To Do
Just never take action or click on any of the links in the email. Only take action through trusted sources (phone numbers, emails, and web pages) that you know are legitimate.