Combating Phishing Attacks⚓︎
When Opening Any Email
- Images in an email are hidden by default; this is intentional. Don't enable them until you have verified the sender. Loading remote images fetches them from a server the sender controls, which tells an attacker that your address is live and that you opened the message, marking you as a real, potential victim.
- If you see warning signs, trust them. Pay attention to any banner displayed above the email; your email provider may be telling you that the message is suspicious or known to be malicious.
Danger
Never blindly divulge sensitive information (passwords, 2FA codes, or other personal details) to any party in response to an email, SMS, or phone call. Verify authenticity first, always.
If you must transmit such information, compose a new message directly to the trusted contact, using the address or number you already have on file, instead of replying.
Learn how to securely contact Bitstream.
Phishing is a highly common cybersecurity threat, designed to trick a user into revealing sensitive or personal information under the false pretense that they are interacting with a legitimate business or trusted individual.
These attacks are typically delivered by email, SMS message, unsolicited phone call, or another communication channel. The attacker claims to be a representative of a legitimate enterprise, or even a specific person you interact with regularly. Impersonating a sender in this way is known as "spoofing".
Proactive security measures managed by IT can only go so far; the last line of defence in any system is the user. Phishing relies heavily on "social engineering": manipulating you into handing over information, or piecing it together from what you have unintentionally made available, without ever breaching a system. Because every user is exposed to this kind of attack, it is imperative that you learn how to spot and handle a phishing scenario.
Interactive Quiz⚓︎
We strongly encourage every user to complete the following quiz. It is an easy, interactive way to learn how to detect phishing schemes and takes no more than two minutes. The information you enter into it does not need to be real.
Anatomy of a Phishing Attack⚓︎
Phishing attacks are designed to look as legitimate as possible, sometimes to the point that even well-trained eyes have trouble judging authenticity. They come in a variety of forms and may not contain all of the attributes in the example below; use it as a general idea of what to expect.
What You Might Expect to See:⚓︎
1. A sender name and subject line that appear legitimate, and create a need to open and/or act on the message.
It is easy to mistakenly trust an illegitimate email when the sender's name is someone or something you have a relationship with, and the subject line catches your attention.
2. The addressing of you or someone you know by name.
You would certainly expect a legitimate message to display your real name, but you may be surprised to learn that attackers, by various means, also know and use this information.
3. Logos and/or an overall design which appear official.
On the surface and at a glance, this email looks fairly official, because it copies the layout, logos and design of a legitimate PayPal email.
4. The threat of an action having been taken, without your knowledge.
Attackers succeed when they can convince the victim that an action was taken without their involvement. Here you are led to believe you have paid someone when you did not, which makes you suspect fraudulent activity on your account.
5. An obvious and well placed "Call-to-Action".
Extending (4): because you believe suspicious activity is occurring, you are naturally inclined to click the button or link, expecting it to lead you to a page that explains the transaction in more detail.
Never click a link without knowing where it leads (explained further below). Clicking an illegitimate link tells the attacker that you are a real and active victim.
6. Specific details about the action taken.
Providing false but plausible details helps legitimise the attack, and naming someone you do not recognise as the recipient further prompts the victim to respond.
7. Common footers and other elements which appear legitimate.
These elements are worded and displayed exactly as you would expect in a legitimate email. Embedded malicious links ("Learn More", etc.) in the footer also assist the attack.
Ironically, this example includes a section on identifying phishing attempts. Attackers copy such notices precisely because they make the message look more trustworthy, so their presence is no evidence of legitimacy.
Determining the Authenticity of an Email⚓︎
You can determine the authenticity of an email by checking a few key things and practicing good judgment.
1. Details are your friend.
Gmail: Click the dropdown icon next to the sender's name to view extended details about the email and sender.
Outlook: Click on the name of the sender to view extended details about the sender.
2. Always verify the email address.
Do not blindly trust that PayPal, or your friend John, is actually the sender. Display names can be and commonly are spoofed. Always verify that the sender's email address matches the one you trust and expect, and read the domain (the part after the @) from the right: only the registered domain directly before the top-level domain counts, so an address at paypal.com.example.co belongs to example.co, not to PayPal.
You should not trust this email because the sender, paypal@notificationcenter.co, is at a domain (notificationcenter.co) that you do not know to be associated with PayPal.
3. Links: hover before you click.
Desktop web browsers display the complete destination URL of a link, usually in the bottom-left corner of the window, when you hover over it without clicking; desktop mail clients such as Outlook show it in a tooltip. On a phone, where you cannot hover, press and hold the link to preview its destination instead.
In this example, hovering over the "Call-to-Action" link reveals the true destination, https://notificationcenter.co/..., instead of a URL you would expect, such as https://paypal.com/... .
Clicking a phishing link lets an attacker direct you to a malicious site, which may mimic the official PayPal website so convincingly that you enter your credentials or divulge personal information, at which point the attack has fully succeeded. Even if you click the link and immediately back out, the attacker has logged that click and now knows that you are a real, potential victim; expect more phishing attempts to follow. Always verify the URL before clicking a link.
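The two checks above (sender domain, link destinations) are exactly what a mail-triage script automates. The following Python is an added illustration written for this page, not code from Bitstream or from any mail provider. It parses a constructed sample message modelled on the PayPal-themed example, compares the sender's domain and every link's hostname against an assumed trusted set (`TRUSTED_DOMAINS`), and reports mismatches. It also catches the lookalike-subdomain trick (`www.paypal.com.notificationcenter.co`), which a glance at the start of the hostname would miss.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real capture), modelled on the example above.
RAW_MESSAGE = b"""\
From: "PayPal" <paypal@notificationcenter.co>
To: victim@example.com
Subject: You sent a payment of $249.00 to John Smith
Content-Type: text/html; charset=utf-8

<html><body>
<p>Hi Jane, you sent $249.00 to John Smith.</p>
<p><a href="https://notificationcenter.co/login?id=4412">View Transaction</a></p>
<p><a href="https://www.paypal.com.notificationcenter.co/help">Learn More</a></p>
<p><a href="https://www.paypal.com/us/security">How to spot phishing</a></p>
</body></html>
"""

# Assumed allow-list of domains we expect this brand to send from.
TRUSTED_DOMAINS = {"paypal.com"}


def registrable_domain(host):
    """Return the last two labels of a hostname (e.g. 'paypal.com').

    Good enough for .com/.co; a production tool would consult the Public
    Suffix List so that names like example.co.uk are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_trusted(host, trusted=TRUSTED_DOMAINS):
    """True only when the *registered* domain is trusted, so that
    paypal.com.evil.example is rejected even though it starts with paypal.com."""
    return registrable_domain(host) in trusted


class LinkCollector(HTMLParser):
    """Collect (href, anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyse(raw, trusted=TRUSTED_DOMAINS):
    """Parse a raw RFC 5322 message and flag untrusted sender/link domains."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    display_name, address = parseaddr(str(msg["From"]))
    sender_domain = address.rpartition("@")[2]
    findings = []
    if not is_trusted(sender_domain, trusted):
        findings.append(
            f"display name {display_name!r} but sender domain {sender_domain!r} "
            f"is not in the trusted set")
    links = []
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        parser = LinkCollector()
        parser.feed(body.get_content())
        for href, text in parser.links:
            host = urlparse(href).hostname or ""
            links.append((text, host))
            if not is_trusted(host, trusted):
                findings.append(f"link {text!r} leads to {host!r}")
    return {"display_name": display_name, "sender_domain": sender_domain,
            "links": links, "findings": findings}


if __name__ == "__main__":
    for finding in analyse(RAW_MESSAGE)["findings"]:
        print("WARNING:", finding)
```

On the sample message the script reports the spoofed display name, the "View Transaction" link to notificationcenter.co and the "Learn More" link to the lookalike subdomain; the genuine "How to spot phishing" link to www.paypal.com passes, which mirrors the point made in (7) above that a real-looking anti-phishing notice proves nothing about the rest of the message.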
Unsure about a message?
If you are ever in doubt about the legitimacy of a message, do not hesitate to forward it to us for review, before acting.
Responding to an Attack⚓︎
(a turn of phrase; do not actually reply to the message.)
When a message is deemed illegitimate, perform these two simple steps:
1. Mark the email as phishing or spam
Gmail: Click the Report spam icon, or choose Report phishing from the More (⋮) menu.
Outlook: Click Report > Report phishing.
2. Stay vigilant and informed
Security threats are ever-evolving, and even the best of us can fall victim to a well-executed attack. Learn to recognise the signs of an attack, stay informed about the latest threats, and reach out for help whenever you are uncertain.