Cyber Security Blog

How to Identify a Phishing Scam

Written by Zachary Amos | 17 March 2022

Phishing is one of the most persistent cyber threats facing businesses and consumers. These scams are virtually as old as email itself, but they’ve remained effective despite considerable cybersecurity advancements.  

Thankfully, as cybersecurity awareness has improved, more people now know how to spot a basic phishing scam. Looking for spelling errors, not trusting unknown email addresses, and being wary of overly urgent messages are standard practices.  

Despite this, phishing remains the most common attack by far, and it’s an effective one, too. In fact, many large-scale ransomware attacks begin as phishing scams. Let’s find out how phishing attacks continue to scam people and how to identify increasingly advanced scams.

Phishing Attacks Have Grown More Complicated

Part of the on-going success of phishing attacks comes from the fact that they’re becoming more complex. The obvious “Nigerian prince” scams of the past are no longer representative of the current threat landscape.

In Q2 2020, 77.6% of phishing websites used SSL encryption, which many users look for as a sign of legitimacy. Similarly, 91% of these attacks hack legitimate websites to take their domain validated (DV) certificates. These certificates then make the attacks carry the mark of a validated, authorized business.

 Clone phishing has also grown more popular. In these attacks, scammers copy a legitimate email to send an exact replica with the link swapped out for a malicious one. If phishers hack into the legitimate sender’s account, there will be no immediate sign that it’s a scam.

Spotting Advanced Phishing Scams

Phishers have become more careful about ensuring their messages don’t look like scams. In many cases, it’s virtually impossible to tell that what you’re reading may be a phishing email without more advanced inspection. Considering how 22% of surveyed employees don’t feel obligated to keep their employers’ information safe, that’s a problem.

 

 

While these advanced scams are concerning, they’re still not perfect. Here are four steps to identifying even a complex phishing attack.

1. Analyze Email Headers

If there are no immediate tells, you can check an email more closely by inspecting its header. To see this in Gmail, click the arrow next to “Reply,” then select “Show original.” In Outlook in the browser, the option will also be in the arrow next to “Reply” but will say: “View message source.”

These options will reveal the raw code for the whole email, but the header is just the first text block. Paste the header into an email header analyzer tool like MxToolbox and click “analyze” to make it more readable. The results will show things like a spam score, the email’s source, and the route it took.

Even if an email has a low spam score, it could still be phishing. Check the “Received” field to see the route the message took. If it passed through many sites or some of these have unusual domains, it’s likely a scam.

The “Authentication-Results” box will show which verification methods the message passed. Look for the word “pass” in all the results. If even one of them shows 'failed', don’t trust the email.

2. Inspect Links and Domain Names

Another important step is to inspect any links within the message. Any domain name in the email or the “From” field that varies from an actual company’s name is suspicious, but these checks can go further. Email spoofing is a common tactic where attackers impersonate legitimate businesses, making it crucial to recognize even subtle domain differences. Securing a unique domain name for your business helps establish trust and reduces the likelihood of your emails being mistaken for phishing attempts.

Copy and paste domain names and websites into search engines or an analyzer like DomainTools to learn more about them. DomainTools can show when the domain was created, and brand-new domains are likely fraudulent. Googling domains can reveal if other users have reported it as a scam.

Many cybercriminals use URL shorteners to hide domains, so always inspect these links before clicking on them. Copy and paste them into a URL checker like getlinkinfo.com or unshorten.it to reveal the full URL. If the full address is long, contains many random characters, or has words unrelated to the legitimate source, it’s likely a scam.

3. Look Through the Source Code

If you’re still unsure about an email, you can perform a more in-depth inspection of its source code. Follow the same steps for analyzing the header, but look at all of the source code instead of just the first block.

Use the search feature in your text editor of choice to look for the phrase “http.” This will help you look through the links in the email, even hidden ones. If you see a domain you don’t recognize or that seems suspicious, Google it or put it through DomainTools to inspect it more closely.

Even legitimate emails can contain hidden external links. For example, they may use a third-party email marketing service, which will show up in this check. However, a quick inspection of these links will reveal their legitimacy.

4. Question Even Trusted Sources

Finally, it’s important never to trust any message fully, even if it comes from a trusted source. Many phishing attacks today start by hacking into a legitimate account, such as the recent “Is it you in the video?” scam on Facebook Messenger.

Given the rise in these types of attacks, just because a message comes from a real, trusted source doesn’t mean it’s not phishing. If any message feels off or seems unusual, contact the person by another means to ask if it was them and perform the above steps on the message.

5. Spotting Advanced Phishing Scams

Sometimes, phishing scam tactics go beyond the basic aspects we’ve discussed so far, and you need to take your efforts to defeat them to the next level as well. 

For instance, having a plan for how to respond in the event that a successful phishing attack leaves your website compromised is a must. 

The first step is detecting the breach, which is easier if you have a real user monitoring (RUM) solution in place. Being able to monitor real users effectively and detect suspicious spikes in user interactions with malicious content which indicate that a breach has taken place will put you in a better position to fight back.

Phishing Methods Have Improved but Safety Is Still Possible

While the core concepts behind phishing have remained unchanged for decades, these attacks are far more advanced today than they used to be. Following these four steps can help everyone, from CEOs to consumers to stay safe despite sophisticated phishing techniques. As cybercrime rises, this level of scrutiny may become a necessity.