I know what you’re thinking, dear reader: “No, not another ‘how to recognize phishing’ blog that recounts the same old tips I’ve seen a hundred times before.” Well, my sysadmin friend, I respectfully say that just this once, you're mistaken.
This blog is divided into two separate sections: tips on how to recognize phishing as an end user — and how to do this as a sysadmin using more advanced tools, such as Domain Dossier and VirusTotal.
But before we get nerdy about phishing, let’s start with the basics.
What is phishing?
Phishing is a social engineering attack in which the attacker impersonates a legitimate source (a coworker, a vendor, a bank, a delivery service) to trick the recipient into handing over credentials or money, or into opening a malicious link or attachment.
It’s a plague on business operations, too. According to IBM’s Cost of a Data Breach 2023 report, phishing was the most common initial attack vector among all data breaches at organizations. And even worse, the average cost of a data breach is at an all-time high: $4.45 million.
How to spot a phishing attempt
Not sure if an inbound email or text is a phish or a friend? Here are some tips on how to spot a phishing attempt.
Look for typos and other inaccuracies
Today’s cybercriminals are stealthy and smart. They’ve gone phishin’ enough times to know what works and what doesn’t, and they know who’s most likely to fall for a phishing attack.
One reason you still see typos and other sloppy mistakes in mass phishing campaigns is that they act as a filter: they cost the attacker nothing, and they weed out the recipients who were never going to fall for the scam.
The security community has publicly laughed at countless phishing attempts riddled with bad grammar and spelling, and folks with a keen eye for copy have joined in. From the attacker’s point of view, people who stop to laugh at the spelling are a waste of time.
Instead, the attacker sets their sights on the people most likely to overlook those mistakes and react to an urgent request. The flip side matters just as much: a polished, typo-free email is not evidence of legitimacy. Targeted campaigns are proofread, and automated text generation has made clean copy cheap, so treat good grammar as neutral rather than reassuring.
When you get a new email, look at the sender, the email address, and the text of the email itself. When you get a new text message, see if the number looks familiar, and take a thorough look at the text itself. If you see typos, grammatical errors, or transposed letters, you could be staring a phishing attempt in its ugly face.
Examine the tone
And speaking of a sense of urgency, that’s another telltale sign that you’re the target of a phishing attack. I get it — Netflix wants its $19.99 (now $22.99) for the month. But marketing and customer service teams know better than to urgently request payment. You may get a reminder that your bill is due, but it won’t reek of a life-or-death emergency.
I have a friend in cybersecurity who conducted a simulated phishing campaign on a local school district’s employees. He knew open enrollment for insurance was almost over, which made for a perfect topic for his campaign.
He grabbed a list of all employees and used social media to try and guess which employees had children (i.e., introduce more urgency because children were involved). He sent a targeted phishing email (known as spear phishing) to all employees he suspected were parents, stating that their enrollment had an error, and if they didn't act soon, their dependents wouldn’t be eligible for coverage (i.e., creating the ultimate sense of urgency).
The response rate for this simulated phishing email was abnormally high, thanks to the targeted nature of this campaign as well as a sense of urgency to act before time ran out.
Identify and verify the sender
An email or text from a name you know isn’t automatically safe — even if the “from” name is your dear, sweet Aunt Betty.
It’s trivially easy to put any display name you like on an email, and the From address itself can be forged unless the receiving mail server checks SPF, DKIM, and DMARC. Nothing stops someone from texting, “This is Aunt Betty with a new number. Send me $3,000.” And a more determined attacker can spoof Aunt Betty’s real phone number as the sender, so a familiar number isn’t proof either.
Be sure you check and verify all email addresses and phone numbers, especially if the communication asks you to take action. The rule is to verify through a channel you already trust, never through the contact details in the message itself. If it’s Amazon, navigate to amazon.com and fire up a chat to confirm the communication is legit. And if it’s Aunt Betty, call her at her old number and ask her why she thinks you’re made of money.
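Here is what those sender checks look like when you do them mechanically against the raw message instead of by eye. This is an added example, not code from the original post or from PDQ; the message, domains and addresses in it are constructed for illustration, and `pdq.example` stands in for whatever your own mail domain is. It reads the headers a mail client hides behind the display name (From, Return-Path, Reply-To, and the Authentication-Results line your own mail server adds with its SPF/DKIM/DMARC verdicts), scans the subject for pressure language, and checks whether any link in the body borrows your brand name on a domain you don’t own.

```python
"""Mechanical version of "identify and verify the sender".

Added example, not code from the original post. RAW_MESSAGE is constructed:
every domain and address is made up, and the Authentication-Results header is
what a receiving server records when the sending domain fails SPF, DKIM and
DMARC. TRUSTED_DOMAINS is an assumption standing in for your own domains.
"""
import re
import email
from email import policy
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed sample: display name claims "PDQ HR", mailbox is on an unrelated
# domain, bounces go somewhere else again, and the link borrows our brand.
RAW_MESSAGE = b"""\
Return-Path: <bounce@mailer-relay.example>
Authentication-Results: mx.pdq.example;
 spf=fail smtp.mailfrom=account-policies.example;
 dkim=none;
 dmarc=fail header.from=account-policies.example
From: "PDQ HR Department" <hr@account-policies.example>
Reply-To: "PDQ HR Department" <hr@account-policies.example>
To: me@pdq.example
Subject: URGENT: vacation policy change - action required within 24 hours
Content-Type: text/plain; charset=utf-8

Our vacation policy has changed. Review and acknowledge it here:
https://pdq-account-policies.example/policy
"""

TRUSTED_DOMAINS = ("pdq.example",)  # assumed: the domains we actually own
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours",
                 "action required", "suspended", "final notice")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def domain_of(address):
    """Lower-cased domain part of an email address ("" if there is none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def is_trusted_host(host, trusted=TRUSTED_DOMAINS):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in trusted)


def borrows_brand(host, trusted=TRUSTED_DOMAINS):
    """True when a host we do NOT own embeds one of our brand labels."""
    if is_trusted_host(host, trusted):
        return False
    return any(d.split(".")[0] in host.lower() for d in trusted)


def auth_verdicts(header_value):
    """Pull the spf/dkim/dmarc results out of an Authentication-Results header."""
    verdicts = {}
    for method in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{method}=(\w+)", header_value or "")
        verdicts[method] = m.group(1).lower() if m else "missing"
    return verdicts


def triage(raw_message, trusted=TRUSTED_DOMAINS):
    """Return (verdict, findings) for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    if not is_trusted_host(from_domain, trusted):
        findings.append(("external_sender", f'"{display_name}" is really {from_addr}'))

    # Bounce and reply addresses on another domain: informational, but worth seeing.
    for header in ("Return-Path", "Reply-To"):
        _, other = parseaddr(msg.get(header, ""))
        if other and domain_of(other) != from_domain:
            findings.append((header.lower().replace("-", "_") + "_mismatch", other))

    for method, result in auth_verdicts(msg.get("Authentication-Results")).items():
        if result != "pass":
            findings.append((f"{method}_{result}", f"{method}={result}"))

    subject = msg.get("Subject", "").lower()
    hits = [w for w in URGENCY_WORDS if w in subject]
    if hits:
        findings.append(("urgent_language", ", ".join(hits)))

    body = msg.get_body(preferencelist=("plain",))
    for url in URL_RE.findall(body.get_content() if body else ""):
        host = urlsplit(url).hostname or ""
        if borrows_brand(host, trusted):
            findings.append(("lookalike_link", host))

    codes = {code for code, _ in findings}
    if codes & {"spf_fail", "dmarc_fail", "lookalike_link"}:
        verdict = "likely phishing"
    elif findings:
        verdict = "suspicious"
    else:
        verdict = "no red flags"
    return verdict, findings


if __name__ == "__main__":
    verdict, findings = triage(RAW_MESSAGE)
    print(verdict)
    for code, detail in findings:
        print(f"  {code}: {detail}")
```

Save a suspicious message as raw source (.eml) and hand its bytes to `triage()` with `TRUSTED_DOMAINS` set to your own domains. A Return-Path on a different domain is normal for mailing lists and bulk senders, so that finding is informational; the verdict only turns on failed authentication and brand-lookalike links, which are the two things a mail client’s display name hides from the reader.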
Use common sense
I know — but think about it. If you didn’t order anything from Amazon, why would they send you an invoice? If you aren’t expecting a package, why would USPS send you a tracking link? And if you don’t have a Netflix subscription, why would they request payment?
Using common sense can be difficult when threat actors are skilled at creating urgent situations. It’s easy to forget to stop, breathe, and think before acting. But it’s critical to do just that to avoid falling victim to the latest phishing scam.
Examples of phishing attempts
Here’s the fun part. I asked my fellow PDQTs to share some phishing attacks they’ve been targeted by — and they didn’t disappoint.
I’ll go first.
1. The CEO bait
For those of you who don’t know, Dan Cook is our CEO at PDQ. I like the guy, but we’re not really on a texting basis — and I can't envision him “signing off” on a text with his full name. (He’s more of a “catch ya later” type of guy, I think.)
And here’s my last question. Why is he texting me with a New York-based area code when he’s been in the greater SLC area since practically forever?
2. The “Are you serious, HR?” bait
This email is a more blatant attempt, but let’s humor it by asking a few common sense questions.
What is “Pdq Software Inc”? As the Ting Tings once sang, “That’s not [our] name.”
Why would our vacation policy be posted publicly on our website?
Since when do we have an HR department? We have PeopleOps, not HR, at PDQ.
Why would vacation policies change because of COVID-19 — let alone in August 2023?
Perhaps most importantly, why is this email coming from “hr@account-policies[.]com” and not from our PDQ domain? Also, note that while the actual address was shown to me here, many mail clients display only the sender’s name; hover over (or click) the name to reveal the real address behind it.
That’s gonna be a “report as phishing” for me.
3. The “We tried to deliver this thing you didn’t even order” bait
This text has so many red flags. Let us count a few of the ways:
Since when does USPS text from a phone number that starts with the UK international code +44? (There’s a United Kingdom vs. United States joke in there somewhere, but I’m sure our HR department that emailed me and doesn’t exist wouldn’t want me to make it.)
The link doesn’t even make sense. The actual USPS exists online at — wait for it — usps.com, not at a .shop domain.
This text has a lot of inconsistent punctuation — another telltale sign that this is a phishing attack in the works.
So, what happens when you click the link? Glad you asked. (And don’t worry, I didn’t actually click it — more on that in a bit.)
It looks pretty legitimate, right? Unfortunately, if you were to enter any sensitive information here, you’d hand it right over to threat actors.
Tools for investigating phishing attempts
It’s time to nerd out over some valuable tools that can help you investigate phishing scams. My three favorite tools are urlscan.io, VirusTotal, and Domain Dossier.
urlscan.io is one of my favorite tools because it visits the link for you: the service fetches the page from its own infrastructure and hands back a screenshot, the rendered DOM, and every request the page made, so you never touch the link from your own machine. (This is how I grabbed the screenshot for the malicious link that USPS supposedly sent.) Two caveats before you paste a link in. Scans are public by default, and the attacker can read them too, so strip anything in the URL that identifies the recipient, such as a tracking token or an email address, or submit the scan as unlisted or private. And some phishing kits serve a harmless page to known scanner addresses, so a clean screenshot is not proof of a clean link.
Scanning a URL with this tool also gives you community and vendor verdicts alongside the technical data. Below is a screenshot of what happened when I ran the malicious top-uscc[.]shop link.
And thanks, Google Safe Browsing, for flagging this page as malicious.
VirusTotal is a tool you can use to scan files and URLs. It runs them past dozens of antivirus engines and URL-reputation services and shows which vendors flagged the file (identified by its hash) or website as malicious, alongside community-submitted data. Search by hash or URL before you upload anything: a submitted file is shared with the participating vendors and with paying subscribers, which is fine for a commodity lure but not for an internal document that merely looks suspicious. And read the detection count in context. A brand-new phishing domain can show zero detections for hours simply because nobody has reported it yet.
For consistency’s sake, let’s revisit our old friend, top-uscc[.]shop:
Shady, shady stuff going on here.
I love the community aspect of VirusTotal. If you click the Community tab, you can see user-submitted comments, which are particularly helpful when dealing with a malware sample. Users and researchers can leave a comment to let the community know what the malware did once it was detonated in an environment — and how to mitigate it.
Domain Dossier is a tool from CentralOps that lets you see reports from public records regarding domain names and IP addresses.
This tool can initially feel like information overload, so let's break down some critical tidbits of information we can gain from it.
First things first, we can see the IP address attached to this domain. We should also be able to see the Whois record, but in the case of this website the lookup came back with a “server is busy” error. On its own that is a weak signal, since registries rate-limit Whois queries, but it is worth noting when the same lookup for usps.com returns immediately. When the record does come back, the fields that matter are the creation date (a domain registered days ago that claims to be the Postal Service is the real tell), the registrar, and whether the registrant hides behind a privacy proxy.
When investigating a phishing attempt, I use these three tools in tandem. As an investigator, I trust data more when I can verify it through several sources. I don’t want to flag a false positive, and I definitely don’t want to wave a phishing scam through as legitimate. If all three tools flag the link, there’s a good chance you’re dealing with something that’s at minimum suspicious and at worst malicious. The reverse does not hold: a clean result from all three means only that nobody has reported it yet, which is the normal state of a phishing domain in its first few hours, so fall back on the sender and header checks from earlier in this post.
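Before an indicator goes into any of those three tools, or into a ticket, it needs a little preparation, and this added example (not code from the original post or from urlscan.io, VirusTotal or CentralOps) shows the steps I would script: defang the link so nobody clicks it out of a report, refang it when it is time to submit, reduce the host to the punycode form that Whois and VirusTotal key on (which also exposes a lookalike built from non-ASCII letters), strip recipient-identifying query parameters before a public scan, and hash an attachment so it can be searched by hash instead of uploaded. `SAMPLE_URL` and `SAMPLE_ATTACHMENT` are constructed; the host imitates the delivery-notice lure above but is not the real one.

```python
"""Prepare a suspicious link and sample for urlscan.io, VirusTotal and WHOIS lookups.

Added example, not code from the original post or from any of those services.
SAMPLE_URL and SAMPLE_ATTACHMENT are constructed stand-ins.
"""
import hashlib
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

SAMPLE_URL = "https://top-uscc.example/track?id=9f3a1c&email=me%40pdq.example"
SAMPLE_ATTACHMENT = b"%PDF-1.4 constructed stand-in for an attachment, not malware\n"

# Query parameters that usually identify the recipient. A public scan that
# includes them tells the attacker exactly who opened the message.
TRACKING_PARAMS = {"email", "e", "id", "uid", "token", "t", "u", "user", "ref"}


def defang(url):
    """Make a URL safe to paste into a ticket: hxxps://evil[.]example/path.
    Only the scheme and host are altered; path and query stay intact."""
    p = urlsplit(url)
    return urlunsplit((p.scheme.replace("http", "hxxp"),
                       p.netloc.replace(".", "[.]"),
                       p.path, p.query, p.fragment))


def refang(text):
    """Undo defang() (and the common "(.)" variant) before submitting to a scanner."""
    return text.replace("hxxp", "http").replace("[.]", ".").replace("(.)", ".")


def canonical_host(url):
    """Lower-cased hostname in punycode (ASCII) form, which is what WHOIS and
    VirusTotal key on. A label starting with xn-- means the link used non-ASCII
    letters, i.e. a possible homograph of a familiar brand."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    return host.encode("idna").decode("ascii")


def is_homograph(url):
    return any(label.startswith("xn--") for label in canonical_host(url).split("."))


def scrub_for_public_scan(url):
    """Drop recipient-identifying query parameters before a public urlscan.
    If the page needs them to render, scan the full URL as private instead."""
    p = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(p.query, keep_blank_values=True)
            if k.lower() not in TRACKING_PARAMS]
    return urlunsplit((p.scheme, p.netloc, p.path, urlencode(kept), ""))


def sha256_hex(data):
    """Hash a sample so it can be searched on VirusTotal before deciding to upload."""
    return hashlib.sha256(data).hexdigest()


def indicators(url, attachment=None):
    """Everything needed for the three lookups, with nothing leaked."""
    out = {
        "defanged": defang(url),
        "host": canonical_host(url),
        "homograph": is_homograph(url),
        "public_scan_url": scrub_for_public_scan(url),
    }
    if attachment is not None:
        out["sha256"] = sha256_hex(attachment)
    return out


if __name__ == "__main__":
    for key, value in indicators(SAMPLE_URL, SAMPLE_ATTACHMENT).items():
        print(f"{key:16} {value}")
```

Paste `defanged` into the ticket, `host` into Domain Dossier and the VirusTotal domain search, `sha256` into the VirusTotal file search, and `public_scan_url` into urlscan.io; if the lure page refuses to render without its token, resubmit the full URL with the scan visibility set to private rather than leaking the token publicly.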
How to mitigate phishing scams with Microsoft Exchange
One final note for our Microsoft users: Microsoft 365 documents step-by-step settings that sysadmins can use to cut down on phishing in their environments. For example, Exchange Online’s external sender identification feature (turned on with the Set-ExternalInOutlook cmdlet in Exchange Online PowerShell) tags every message that arrives from outside your tenant, and Outlook shows an “External” label on it. So even if the display name is a trusted coworker, the user can see at a glance that the message did not come from inside. For clients that don’t render the tag, a mail flow rule that matches senders outside the organization and prepends “[EXTERNAL]” to the subject does the same job. Neither stops a lookalike domain on its own, but a familiar name wearing an External tag is exactly the cue the sender checks above are about.
This is one of many steps you can take as a sysadmin to make your end users’ lives easier — which, of course, makes your life easier.
Staying one step ahead of attackers requires careful planning, common sense, and up-to-date software. We find all the patches and software updates so you don’t have to. Try PDQ Deploy & Inventory or PDQ Connect during a free trial to see how easy software updates and patch management can be.