Email Security: A Phishing Tale

Posted on July 5, 2017 - by Darryl MacLeod - in Building Your InfoSec Program

Email phishing is tricky – it often comes from a sender you already know and trust.

A few weeks ago my wife told me that she got an unexpected email from the Canada Revenue Agency. They wanted to initiate an Interac e-transfer of $980.99 into her account. The alarm bells immediately started ringing in my head.

  • We already received our tax refunds months ago
  • They already have our direct deposit info, so an e-transfer doesn’t make sense
  • It’s just too good to be true

Be Careful Clicking Those Emailed Links

I took a look at the email she received; it definitely wasn’t from the CRA. Being the curious cybersecurity guy that I am, I decided to take the bait and click on the deposit link, in a virtual sandbox of course.

As you can see above, the site is looking for valuable personally identifiable information (PII) that no one should have to provide over the Internet. I used my trusty Shodan browser plug-in to determine that the server resides in Romania. I know for a fact that CRA wouldn’t have an office in Romania!

Without entering any information, I clicked continue.

Chrome warns me one page too late that this site may be suspect. I understand the risks to my security, so I visited the infected site.

Now here’s where things get really interesting. It is looking for information that can cause a world of grief if it fell into the wrong hands. Needless to say, I didn’t enter any information or go any farther.

Delete those emails. Mark them as spam. If your company has a team that collects and analyzes threats, report the email to them so they can be on the watch.

The Evolution of Email Phishing

Phishing attacks have been around for years. Financial motivation is still alive and well in these types of attacks. Phishing attacks have also evolved in recent years to include the installation of malware as the second stage of the attack.

How can you protect yourself from phishing attacks? Be suspicious of emails asking for confidential information. Legitimate companies and organizations will never request sensitive information via email. Here are some other tips:

  1. Watch out for generic-looking requests for information. Fraudulent emails are often not personalized, while authentic emails from your bank usually reference an account you hold with it (and even those will ask you to contact a representative directly rather than reply with details). Many phishing emails begin with “Dear Sir/Madam”, and some are sent in the name of a bank or organization with which you don’t even have an account.
  2. Never use links in an email to connect to a website unless you are absolutely sure they are authentic. Instead, open a new browser window and type the URL directly into the address bar. A phishing website will often look identical to the original; check the address bar to confirm you are on the genuine domain, not a look-alike.
  3. Don’t get pressured into providing sensitive information. Phishers like to use scare tactics and may threaten to disable an account or delay services until you update certain information. Contact the merchant directly, using a phone number or address you already have, to confirm the authenticity of the request.
  4. Make sure you have anti-malware software installed to help combat phishing.

Now please excuse me while I respond to an email from a Nigerian prince.

Some of these phishing emails are cunning and extremely difficult to identify, even if you are looking.
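The red flags in the tips above can also be checked mechanically before a human ever opens the message. The script below is an added example, not code from the original post or from Securicy: it parses a raw email with Python's standard library and scores it against four of those flags (a display name claiming an organisation whose domains it does not send from, a generic greeting, pressure language, and a link whose visible text names a different domain than its href). The two sample messages and every `.invalid` domain in them are constructed; the allow-list of government sending domains is an assumption for the demo and would come from your own verified list in practice.

```python
"""Heuristic phishing triage over a raw RFC 822 message (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

GENERIC_GREETINGS = ("dear sir/madam", "dear customer", "dear client",
                     "dear user", "dear taxpayer")
PRESSURE_PHRASES = ("within 24 hours", "immediately", "will be cancelled",
                    "account will be disabled", "suspended", "final notice")

# Assumed allow-list for the demo: organisation name that may appear in a
# From display name -> domains it genuinely sends from. In production this
# comes from your own verified list, not from a script constant.
KNOWN_SENDERS = {
    "canada revenue agency": ("canada.ca", "cra-arc.gc.ca"),
}

DOMAIN_RE = re.compile(r"([a-z0-9-]+\.)+[a-z]{2,}")


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def _same_site(host, domain):
    """True when host is domain or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def body_parts(msg):
    """Return (plain_text, html) bodies, decoded; empty strings if absent."""
    plain, html = "", ""
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype not in ("text/plain", "text/html"):
            continue
        raw = part.get_payload(decode=True) or b""
        text = raw.decode(part.get_content_charset() or "utf-8", "replace")
        if ctype == "text/plain":
            plain += text
        else:
            html += text
    return plain, html


def analyze(raw_message):
    """Score one raw message; returns (score, list of human-readable findings)."""
    msg = message_from_string(raw_message)
    findings = []

    # Flag 1: display name claims an organisation, envelope domain disagrees.
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    for org, domains in KNOWN_SENDERS.items():
        if org in display.lower() and not any(_same_site(sender_domain, d) for d in domains):
            findings.append(f"display name '{display}' but sender domain is {sender_domain}")
            break

    plain, html = body_parts(msg)
    text = (plain + " " + re.sub(r"<[^>]+>", " ", html)).lower()

    # Flag 2 and 3: generic greeting and pressure language.
    if any(g in text for g in GENERIC_GREETINGS):
        findings.append("generic greeting")
    if any(p in text for p in PRESSURE_PHRASES):
        findings.append("pressure language")

    # Flag 4: visible link text names a domain the href does not go to.
    if html:
        parser = LinkExtractor()
        parser.feed(html)
        for visible, href in parser.links:
            host = (urlparse(href).hostname or "").lower()
            shown = DOMAIN_RE.search(visible.lower())
            if shown and not _same_site(host, shown.group(0)):
                findings.append(f"link text shows {shown.group(0)} but points to {host}")
    return len(findings), findings


# Constructed samples: the phish mirrors the CRA e-transfer lure in the post.
PHISH_SAMPLE = """From: Canada Revenue Agency <refunds@cra-etransfer.invalid>
To: recipient@example.com
Subject: Interac e-Transfer: $980.99 deposit pending
Content-Type: text/html; charset=utf-8

<html><body><p>Dear Sir/Madam,</p>
<p>A refund of $980.99 is waiting. Your deposit will be cancelled if not
claimed within 24 hours.</p>
<p><a href="http://deposit-canada.invalid/claim">www.canada.ca/e-transfer</a></p>
</body></html>
"""

LEGIT_SAMPLE = """From: Canada Revenue Agency <noreply@cra-arc.gc.ca>
To: recipient@example.com
Subject: Your notice of assessment is available
Content-Type: text/plain; charset=utf-8

Hello Jane,

Your notice of assessment is now available in My Account. Sign in at
https://www.canada.ca/en/revenue-agency.html or contact us by phone.
"""

if __name__ == "__main__":
    for name, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        score, notes = analyze(sample)
        print(f"{name}: score={score}", *notes, sep="\n  ")
```

The score is deliberately a plain count so an analyst can read every finding rather than trust an opaque number; the link check is the one worth keeping even if you drop the rest, since a mismatch between what a link shows and where it goes is exactly what the user in the story could not see from the email alone.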

Does your company have policies about email or a team that tracks phishing incidents?


About the author

Darryl MacLeod is an information security expert, a Certified Information Systems Security Professional, and a Certified Information Systems Auditor.