Anatomy of a Phishing Scam



Avoid Being Tricked By The Automated Army Of Hackers

[Image: THIS GUY just clicked on an email he shouldn’t have… Photo: Ayo Ogunseinde on Unsplash]

Part I: Identifying the Problem

“Phishing” is the practice of fooling unsuspecting people into voluntarily giving away their most sensitive data—user names, passwords, Social Security numbers, birth dates, and more—by disguising a communication so that it looks authentic. Given how easy it is to digitally copy a corporation’s official communication template, the problem is far worse than most people imagine. Hackers use computers to automate the sending of phishing scams: hundreds of millions of phishing emails go out every day for pennies, and only a small percentage need to work for the system to be rewarded. And rewarded it has been.

  • In 2016, 85 percent of all organizations suffered phishing attacks and 30% of all phishing emails were opened.
  • In 2017, fake invoicing emails skyrocketed, CEO fraud emails totaled $5 billion in losses, and phishing emails targeting people filing their W-2 forms increased 870%.
  • In 2018, fake invoices became the #1 disguise for distributing malware, Dropbox phishing scams surged, and DocuSign lures were the most effective.

Not enough? The following statistic will blow your mind:

By the end of 2017, the average user was receiving 16 malicious emails per month.
—Symantec, from the company’s 2018 Internet Security Threat Report

Given how bad the digital landscape is right now, I thought it was time to let folks know how best to protect themselves from this kind of hacking.

Part II: How Phishing Looks in Email

[Image: Just because something looks familiar, doesn’t mean that it is.]

Most phishing attacks are designed to do one thing very well: fool you. Specifically, they’re designed to fool you into thinking that you’re going online to do the things that you normally do, such as logging into Facebook, Amazon, Google or Apple. The cunning ones are designed to make you believe that you’re logging into your bank or credit card website.

The problem, of course, is that you’re not actually doing these things: instead, you’re logging into something that only looks like your favorite social media or financial websites and, without realizing it, providing your username and password to a “front” website operated by hackers who collect your data and use it to take advantage of you and others.

Pictured above are three examples of what a typical phishing attack can look like. But those are just examples from the interwebs: let me show you something from my own email inbox, ok? Here’s something I just got yesterday and lucky me: I’ve won a prize! From Google, no less! I’ve made the image quite large, so you can see some of the obvious signs that this is a phishing attack. You’ll note that I made use of the button in Gmail — in the red box at top left — that allows you to “show details” about any email you receive.

[Image: the prize email, with “show details” expanded]

Strike 1: In the green box at the top, you’ll note that the actual email address doesn’t look recognizable or like a valid Google email address. RED FLAG!

Strike 2: In the pink box at center, you’ll note that the URL doesn’t look standard, recognizable or known. RED FLAG!

Strike 3: In the orange box, you’ll note that whoever sent this email didn’t proofread for proper grammar. That rarely happens with corporate emails. RED FLAG!

Strike 4: In the blue box, you’ll note that the website that delivered this email has the word “bounces” in it.

Strike 5: When I copy and paste the website into DuckDuckGo to see if it’s a valid Google site, I see clearly (below) that it’s not.

[Image: DuckDuckGo search results for the website]

Final analysis: I’m not clicking on anything this email is offering.

Part III: Prevent Phishing via Email Using “Best Practices”

Here are the rules (or best practices) you should implement to help prevent a phishing attack:

  1. Always confirm that every email comes from a valid, known or recognizable email address. The name displayed on an email isn’t an accurate indicator of the true sender: always double-check that the actual email address is correct. Phishing attacks sometimes contain the names of people we know because their address books (or ours) have been compromised. Those real names are then paired with bogus email addresses in an attempt to fool us. If any email address is unknown or odd-looking, send it to spam. Don’t worry about trashing something important: the important people in your life know how to contact you by other means.
  2. Never click on any link in any email without first confirming that the URL is a valid, known, standard or recognizable website. Right-click on any link to bring up a contextual menu to copy it; then paste it into a text editor. If the link doesn’t look valid, known, standard or recognizable: trash the email or send it to spam. For more info, search for the URL on DuckDuckGo to confirm it has been indexed and is known by a valid search engine.
  3. Never open any email attachments from any person that you weren’t already expecting. Your co-worker tells you she’ll be sending over the code for that new software application you’re coauthoring. Great! You know it’s coming and have cause to expect it in your inbox. Someone else sends you a Microsoft Word document and says “Check this out!”? Don’t open that attachment. Instead, text or call the person and confirm they’ve sent you that specific attachment.
  4. Always confirm that any email you receive from any online service that you use is valid. Get an email from Dropbox, Amazon or Apple asking you to log into your account? No problem: first prove that the emails are valid. Check the URL, sender email address and subject lines for anything suspicious. If you’re still unsure, log in to the service via their known, valid website.
  5. Only click email links whose address includes the “s” in “https://”. That “s” means that the website is secure and has a certificate of security to back it up. These certificates can themselves be spoofed, but it’s one indication that the website may be valid. Clicking on the “Secure” indicator in most browsers (Chrome is shown here) will reveal this certificate.
[Image: An example of a secure site with a valid certificate.]
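The checks in Strikes 1, 2 and 4 above and in rules 1, 2 and 5 can be turned into a small script, which is useful when you want to triage a suspicious message without opening anything in it. The following is an added example, not code from the original post: it parses a constructed sample message (all addresses and domains are placeholders, modelled on the prize email described above), compares the From display name with the actual sender address, compares the bounce (Return-Path) domain with the sender domain, and grades every link in the body on scheme and on whether the registered domain is one you actually recognise. The KNOWN_DOMAINS list and the two-label domain rule are simplifying assumptions for the demo.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed sample, modelled on the "you've won a prize from Google" mail
# described in the post. Every domain here is a placeholder, not real infrastructure.
SAMPLE_EMAIL = """\
From: "Google Prizes" <winner-notice@example-rewards.net>
Return-Path: <bounces+1234@bulk-sender.example>
Subject: Congratulation! You has won a prize
Content-Type: text/plain; charset="utf-8"

Dear User,
Your account have been selected. Claim here:
http://google-prize-claim.example-rewards.net/claim?id=1234
Or sign in: https://accounts.google.com.example-rewards.net/login
"""

# Services whose mail you actually expect. Assumption for the demo: a real tool
# would load this from configuration rather than hard-code it.
KNOWN_DOMAINS = ("amazon.com", "apple.com", "dropbox.com", "google.com")


def registered_domain(host):
    """Return the last two labels of a host, e.g. accounts.google.com -> google.com.

    Simplification: multi-label public suffixes such as co.uk are not handled;
    production code should consult the Public Suffix List.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_sender(from_header, return_path=None):
    """Strike 1 / rule 1: the display name is not the sender; judge the address."""
    flags = []
    name, addr = parseaddr(str(from_header))
    from_domain = registered_domain(addr.rpartition("@")[2])
    for known in KNOWN_DOMAINS:
        brand = known.split(".")[0]
        if brand in name.lower() and from_domain != known:
            flags.append(f"display name mentions {brand} but address domain is {from_domain}")
    # Strike 4: the domain that delivers (and receives bounces for) the mail is
    # not the domain the message claims to come from. Legitimate bulk mailers do
    # this too, so treat it as one signal among several rather than proof.
    if return_path:
        _, bounce_addr = parseaddr(str(return_path))
        bounce_domain = registered_domain(bounce_addr.rpartition("@")[2])
        if bounce_domain != from_domain:
            flags.append(f"bounce address domain {bounce_domain} differs from sender domain {from_domain}")
    return flags


def check_link(url):
    """Rules 2 and 5: only https, only hosts you recognise, and no brand name
    buried in a subdomain of a domain you do not know."""
    flags = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        flags.append("not https")
    host = parts.hostname or ""
    reg = registered_domain(host)
    if reg not in KNOWN_DOMAINS:
        flags.append(f"host {host} is not a known domain")
        for known in KNOWN_DOMAINS:
            if known.split(".")[0] in host:
                flags.append(f"looks like {known} but registered domain is {reg}")
    return flags


def analyze(raw_message):
    """Run the sender and link checks over one raw message; return the findings."""
    msg = message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",)).get_content()
    report = {"sender": check_sender(msg["From"], msg["Return-Path"]), "links": {}}
    # Extract links from the text without visiting any of them.
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        report["links"][url] = check_link(url)
    return report


if __name__ == "__main__":
    for section, findings in analyze(SAMPLE_EMAIL).items():
        print(section, findings)
```

Run it on the sample and every red flag the post points out shows up in the report: the display name says Google while the address does not, the bounce domain differs from the sender domain, one link is plain http, and both links put a familiar brand name in front of a registered domain you have never heard of. Paste a real message (headers included) in place of the sample to triage your own inbox; nothing in the script fetches a URL.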

Some of the tips above will bother you — some slightly, others more so — because they’ll make email less convenient. I won’t apologize for that: convenience without security equals danger, something we should all remember. That being said, there are a few ways to help automate this process if you feel the above list is too difficult for you:

  • Use multi-factor authentication. I discussed this in an earlier piece and can’t recommend it enough. If multi-factor authentication is enabled, even if attackers were to gain your username and password, they’d still need a rotating six-digit code that appears only on your cell phone.
  • Use Slack instead of email. Some of you know about Slack, others might not. It’s a communications tool that combines email, chat and discussion boards all into one. Individuals and companies both use Slack. Corporations who pay to use it require all users to log on with valid credentials. That means — generally speaking — that it’s safer to open documents from your co-workers on Slack than it is via email.
  • Only check email in a VM. This one takes work but is far safer than the alternatives. I keep several easy-to-open virtual machines (or VMs) on my computer. Sometimes, if I’m wary about a particular email, I might open that email inside of a VM. Then, if there’s any damage done to the operating system or other software applications, I can either delete or reset the VM with no damage done to my actual computer. A 100% free VM can be set up using VirtualBox and the Ubuntu operating system, which is built on the open-source Linux platform.

Also, did you check those last two links were valid and secure before clicking on them? Hmm? Remember: trust no one, not even me, my friends.

Learning how to spot a phishing attack only takes a few minutes. Daily practice will make you more knowledgeable, more quickly. Then, once you’ve become a master yourself: share your knowledge with others. Make sure your friends, family and coworkers learn these best practices. You’ll be saving money, embarrassment and lost time for who knows how many people.

Of course, let me know in the comments section if you’ve got a better tool or tip that the rest of the community should know.

Until then, friends…

Surf safe!

David Koff has had a successful and incredibly fun dual-track career in both technology and the arts for about 25 years. He's got a love for the analytical side of technology from coding to problem-solving. He's also an accomplished performer and teacher of improvisation, a life skill that he believes all humans should study for some amount of time.

4 Replies to “Anatomy of a Phishing Scam”

  1. Wow, marvelous blog format! How long have you been running a blog for? You make blogging look easy. The entire glance of your website is fantastic, let alone the content material!

  2. Hello, I am Kavin. It's my first time commenting anywhere; when I read this article I thought I could also make a comment due to this brilliant post.

  3. Phishing is the biggest threat to this computer world so it is very essential to keep secure yourself from the phishing attack that for that you should have a proper idea about it.
