How to catch a phish by Richard Hill, Stepien Lake
This blog post was also featured as a column in the April 2016 issue of Legal Practice Management magazine. To read the issue in full, download LPM magazine.
Following on from my article last month on cybercrime, I want to help you spot a phishing email sent by an attacker, tell by tell.
Sender

The first question to ask yourself is whether you were expecting the email, or whether it arrived out of the blue. This is not to say that all emails from unknown senders are scams, but you should look carefully at the sender's name to see whether it sounds legitimate or whether it is trying to emulate someone you know. At first glance the sender's name could well be someone you know; however, the name you see is only a display name chosen by whoever sent the email. If you hover your mouse over the sender's name (or right click it), your mail client will show the real email address behind it, and a mismatch between the two is a warning sign. Bear in mind that the address itself can be forged too, so a familiar address is reassurance, not proof.
Subject

The subject line is usually alarmist and designed to jolt the recipient into action. 'Urgent', 'immediate attention' and 'critical action required' are all phrases used in the subject lines of phishing attacks. A common phishing email sent to law firms states that immediate action is required before completion, and tries to cajole the recipient into clicking on a fictitious completion statement that carries malware.
Body

Some of the less sophisticated emails originate from non-English-speaking countries and so contain poor grammar and spelling mistakes. Phishing emails now appear more credible and authentic, but they can still contain unusual language, incorrect statements and odd word choices. An unfamiliar turn of phrase, such as asking for client funds to be 'wired' over, has alerted recipients to sham emails trying to trick firms into sending money to an attacker's account.
The attachment and hyperlink

The entire aim of the email is to entice the recipient into clicking a link or opening an attachment that unleashes the malicious code, often ransomware such as CryptoLocker. The email can look convincing and the link can seem genuine, with familiar wording. However, the text of a link and its real destination are two different things: simply hovering your mouse over the link will reveal the address it actually points to. If that address is not on a domain you recognise and expect, or the visible text shows one web address while the real destination is another, do not click it.
Domain names

Domain names are cheap and easy to buy, and attackers purchase domain names that closely resemble the authentic sender they are posing as. For example, the domain name lawsociety.uk.com was available for £69 for two years (on 123-reg.co.uk) at the time of writing. If you are unsure, you can check a domain by visiting either www.nominet.uk (for .uk domains) or whois.domaintools.com.
A lookup there shows which country the domain was registered in and, just as importantly, when: a domain registered shortly before the email arrived is a big red flag.
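The sender, link and domain checks described above can be run mechanically over an email before anyone clicks. The following is an added example for this column, not code from the original article or anything the author's firm uses: a Python script that parses a constructed sample message, compares the display name with the real address, flags domains that borrow a trusted brand name (the lawsociety.uk.com pattern) against an assumed list of domains the firm trusts, checks the subject for urgency wording, and compares each link's visible text with its real destination. The trusted-domain list, both sample messages and the crude registrable-domain rule are assumptions made for the example; WHOIS lookups need network access and are left to the sites named above.

```python
"""Automating the phishing tells above: display name vs. real address,
lookalike domains, urgent subject lines, and link text vs. real destination.
Added example; the sample messages and trusted-domain list are constructed."""
from __future__ import annotations

import email
import re
from email.policy import default
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the firm keeps its own list of domains it actually trusts.
TRUSTED_DOMAINS = {"lawsociety.org.uk", "sra.org.uk"}
BRANDS = {d.split(".")[0] for d in TRUSTED_DOMAINS}  # "lawsociety", "sra"
URGENCY_WORDS = ("urgent", "immediate", "critical", "action required")


def registrable(host: str) -> str:
    """Crude registrable-domain rule (an assumption, not a public-suffix lookup):
    last two labels, or three when the second-level label is co/org/ac/gov under a
    two-letter country code, so www.lawsociety.org.uk -> lawsociety.org.uk."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and labels[-2] in {"co", "org", "ac", "gov"} and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def is_trusted(host: str) -> bool:
    return bool(host) and registrable(host) in TRUSTED_DOMAINS


def is_lookalike(host: str) -> bool:
    """A domain that borrows a trusted brand label (lawsociety.uk.com) but is not
    the trusted domain itself."""
    if is_trusted(host):
        return False
    return any(label.startswith(b) for label in host.lower().split(".") for b in BRANDS)


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href: str | None = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyse(raw: str) -> list[tuple[str, str]]:
    """Return (tell, detail) findings for one raw message; an empty list means no tell fired."""
    msg = email.message_from_string(raw, policy=default)
    findings: list[tuple[str, str]] = []

    # Sender: the display name is whatever the sender typed; the address is what hovering shows.
    name, addr = parseaddr(str(msg.get("From", "")))
    host = addr.rpartition("@")[2]
    compact_name = "".join(re.findall(r"[a-z0-9]+", name.lower()))
    if any(compact_name.startswith(b) for b in BRANDS) and not is_trusted(host):
        findings.append(("display-name-mismatch", f"'{name}' but real address is {addr}"))
    if is_lookalike(host):
        findings.append(("lookalike-domain", host))

    # Subject: alarmist wording meant to jolt the reader into clicking.
    subject = str(msg.get("Subject", ""))
    if any(w in subject.lower() for w in URGENCY_WORDS):
        findings.append(("urgent-subject", subject))

    # Links: what the visible text shows versus where the href really goes.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            dest = urlparse(href).hostname or ""
            shown = urlparse(text).hostname if "://" in text else None
            if shown and registrable(shown) != registrable(dest):
                findings.append(("link-text-mismatch", f"shows {shown}, goes to {dest}"))
            if is_lookalike(dest):
                findings.append(("lookalike-link", href))
    return findings


# Constructed sample: the completion-statement lure described in the column.
SAMPLE_PHISH = """\
From: "Law Society" <notifications@lawsociety.uk.com>
To: partner@example-firm.co.uk
Subject: URGENT: immediate action required before completion
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please open the <a href="http://lawsociety.uk.com/completion-statement">completion statement</a>
or log in at <a href="http://lawsociety.uk.com/login">https://www.lawsociety.org.uk/login</a>.</p>
</body></html>
"""

# Constructed sample: a genuine-looking message from the real domain that should raise nothing.
SAMPLE_LEGIT = """\
From: "Law Society" <newsletter@lawsociety.org.uk>
To: partner@example-firm.co.uk
Subject: Monthly practice update
Content-Type: text/html; charset="utf-8"

<html><body><p>Read this month's update on <a href="https://www.lawsociety.org.uk/">our website</a>.</p></body></html>
"""

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, analyse(raw))
```

Run against the phishing sample it reports the display-name mismatch, the lookalike sending domain, the urgent subject, both lookalike links and the link whose text shows lawsociety.org.uk while its href goes to lawsociety.uk.com; the legitimate sample comes back clean. These are tells, not verdicts: a mail gateway should feed them into a score alongside SPF, DKIM and DMARC results rather than block on any one of them.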
Other basic tips for killing a phish include looking at the logo to see whether it is poor quality, as the attacker may have copied and pasted it from the original source. The signature block can likewise be low quality if it contains logos, carry minimal information, or lack the industry-standard disclaimers. A recent fraudulent email, for example, stated 'regulated by the Law Society' rather than the SRA, and was also missing the word 'authorised'.
As with most types of cyber attack, the best defence is awareness, in particular user awareness, as attackers now avoid firewalls and target the people inside them. So everyone from the receptionist to the senior solicitors needs to be educated about the threat phishing emails pose, and how a single click can put your network and business in danger.