One of the most utilized cyberattack weapons is email. Techniques are becoming more sophisticated and harder to spot.

Two common and simple guidelines you can follow to prevent malicious actors from accessing your or your client’s data are:

  • Do not open attachments or click links from untrusted sources.
  • If you trust the source but the email looks unusual or you are not expecting an email, contact that individual to confirm they sent it.

There is a third guideline that requires a bit more work on your part:

  • Check the email “from” address carefully to make sure similar looking characters are not being used to trick you.

Tricky Sender Email Address

That third phishing guideline requires some explanation. Bad actors can manipulate the “from” line, the date and the content of an email. They can make it look like the email is coming from a legitimate source. However, tricks such as replacing the “i” with other characters in the email domain of “windows.com” can fool you. For example, using uppercase I, lowercase l or the number 1 looks like this: wIndows.com, wlndows.com, w1ndows.com.

One of the latest scams comes from the domain paypaI.com. It looks like it comes from Paypal, but the last letter, which is supposed to be a lowercase l, is really an uppercase I. Most people can’t tell the difference in the address header. So the real Paypal is not sending this scam email.

Some email addresses are using legitimate names in front of the real domain extension, such as mail.windows.com.fakesite.io and customersupport.google.servlce.ru.

And then there is blatant use of a real name, including improper spelling, hiding behind a strange email address. Here’s a recent example:


Screenshot of a Microsoft Office 365 address header as an example of phishing


More examples of tricky “from” addresses in “Six Tips To Avoid The Phishing Net”

Spam and Phishing – What’s the Difference?

There are two main categories of fake or malicious email that need to be distinguished when you are trying to practice safe emailing. They are spam and phishing.

Spam

Have you received fake emails from friends that ask you to download a file? Have you received emails from people in space who are trapped, a security firm has their money, and the only way to get the money is by you contacting a prince and paying the unlock fee to the fortune? You know, the weird ones.

This spam could have files attached with malicious code in it that will execute when you download and open it. They may also have links that, when you go to the website, execute malicious scripts to infect your computer or make it vulnerable to attack.

Phishing

The category of phishing can be described as when a malicious actor sends an email, purporting to have legitimate purpose, possibly even from a legitimate company, to trick the recipient. The goal is to gain information from the target of the email into giving information that they should not reveal, such as login or personal information.

If you are unsure of the sender of the message or if it does not look like the type of e-mail the sender usually sends, contact them the most trusted way you know possible.

  • If you know the person who supposedly sent the email, call them on the phone or ask them in person.
  • Report malicious emails to major retailers; most have a process to receive reports like this.
  • Use a search engine to find the company and then call or email to check if it is legitimate.
  • Call a company’s customer service phone number and ask if the email is valid. If they have the means, the retailer can escalate the issue to their internal information security team.

Here’s a scenario. You order something online and the package is expected to arrive two days later. You get an email, vaguely stating you have a package waiting for you and to contact a number or click the link to fill out a form. Instead of clicking the link or calling a number, check the initial confirmation email. Use the confirmation number to check your package status at major shipping companies. You could also call the company where you bought the item and tell them what is happening; they should be happy to help you.

Learn how Garnet River’s security awareness training programs can help turn your employees into the front line of defense against phishing.

Do Not Reuse Passwords

Imagine a database, ever growing, of all the username/password pairs that have ever been leaked to a malicious actor. The database is used on every website, one record at a time, checking … checking … checking to see if one of their pairs will work to gain access.

This is not how hacking works. Hackers usually have smaller databases, but they are the most popular databases in their world, and they use automation to check them against the most popular and lucrative websites.

If you regularly change your passwords, it is unlikely the malicious actor will catch up with you. The information in the stolen (or purchased) database is outdated if you change your passwords regularly. And if you don’t reuse your passwords.

The username and password for one website should never be the username and password for another. Some sites want you to use your email address as a username, and you probably use your email address as your username on many sites. Do not, however, use on website A the same password that you use on website B.

Remember that convenience is not security for you. You give information, such as your email address, to companies so that they can conveniently communicate to you. However, that information can be sold to spam companies. Suddenly, you are hit with more email than you expected. And if the spam company is hacked, your contact information is leaked again.

Final Thoughts

Do not let ANY sender dictate your actions. They are looking for something. You don’t have to contact them the same way they contacted you. Do not expect to avoid EVERY phishing attempt. That is why there are methods in place to help keep your security up-to-date. For example, change your passwords often. If you accidentally enter your information on a website that is malicious, change your password immediately.

Change your passwords often and don’t use the same ones on multiple sites.


Ryan C. Rose, MS, is a Information Security Consultant at Garnet River. He has worked in governance and policy creation, academic technology, and higher education.