One beautiful day, you receive an email that “looks like” it was sent by your bank and informs you that you need to verify your information now because the bank has detected fraudulent activity on your account. Feeling panicked? No doubt. But oh look how nice your bank is for placing a convenient “Login to Verify” button in the email so you don’t have to open a new tab and type in your bank’s address. STOP! DO NOT CLICK! There is a high chance that you are looking at a phishing email.
What are phishing emails?
Phishing emails are fraudulent emails that appear to come from legitimate senders, for instance, from your school, your company, your bank, etc. The main purpose of these messages is to steal your credentials such as username and password, or other private information like your bank account number. Phishing emails can be implemented in different ways, but in general, they have the following similarities:
The tone of the messages is either urgent or extremely appealing. The criminals always want their victims to click the embedded URLs right away, so they try to display a threat that requires immediate action. The same logic can be applied to emails offering “too-good-to-be-true” coupons that induce people’s curiosity and desire.
There are many links or attachments embedded in the emails. Even the images can have embedded links.
Many phishing emails contain spelling errors.
To pass themselves off as someone they are not, criminals use a sender address that differs by only one or two characters from the address of the person or organization they are impersonating (although this is not always the case; see the recent Google Docs attack below).
Phishing is becoming more sophisticated and more convincing
SSL certificates cannot guarantee your safety
In 2014, Dropbox users received an invitation to open a shared document on Dropbox through a link pasted in the email. The URL redirected the user to a fake Dropbox login page which was hosted on Dropbox itself. Thus, the page appeared to be served over SSL and had a green padlock icon in the address bar. The padlock only shows that the connection to that host is encrypted; it says nothing about who controls the page.
In May 2017, Google Docs got hit by phishing attacks. The criminals sent out emails that appeared to come from a trusted, well-known email address. Once the recipients clicked the button “Open in Google Docs,” they were taken to a legitimate Google sign-in page. However, if they proceeded, they unknowingly granted the phishers permission to access their contact lists and emails.
Sender’s email address can be spoofed
Last year, in the Information Security class, my group did our research on phishing emails with PHP. In the project demonstration, we faked the sender’s email address simply by editing the “From:” header and sent it via PHP. Our fake email got through Outlook 365, even though it only displayed the sender’s email address instead of automatically showing the sender’s full name as in real emails. The only way to verify the origin of the email is to trace the IPs of the hops that the email has gone through in the “Received:” headers. However, this is not something people regularly do or even know how to do.
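As an added example (not part of the original post, and not the PHP code from the class project), the following Python script applies two of the checks described above to a constructed raw message: it compares the sender’s domain against a list of trusted domains to catch one-or-two-character look-alikes, and it reads the Received: headers from the bottom up to trace the hops and the originating IP. The trusted-domain list, the message, and every hostname and IP in it are made up for the demonstration.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample message (not a real email). The display name claims to be
# the bank, the address domain is one character off from the real one, and the
# Received: chain shows the message never passed through the bank's servers.
RAW_EMAIL = """\
Received: from mx.example-school.edu (mx.example-school.edu [192.0.2.10])
    by inbox.example.net with ESMTP; Mon, 1 May 2017 10:00:02 +0000
Received: from relay.cheap-host.example (relay.cheap-host.example [198.51.100.7])
    by mx.example-school.edu with ESMTP; Mon, 1 May 2017 10:00:01 +0000
Received: from [203.0.113.45] (unknown [203.0.113.45])
    by relay.cheap-host.example with SMTP; Mon, 1 May 2017 10:00:00 +0000
From: "Example Bank Security" <alerts@examp1ebank.com>
To: victim@example.net
Subject: Urgent: verify your account now

Fraudulent activity detected. Login to verify: http://examp1ebank.com/login
"""

# Hypothetical list of domains the recipient genuinely deals with.
TRUSTED_DOMAINS = ["examplebank.com", "example-school.edu"]

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small value means a look-alike domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(msg) -> str:
    """Domain of the address in the From: header (display name ignored)."""
    _, addr = parseaddr(msg["From"])
    return addr.rsplit("@", 1)[-1].lower()


def lookalike_domain(domain: str, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return the trusted domain this one imitates, or None.
    An exact match is legitimate; one or two edits away is the pattern
    described in the post."""
    for t in trusted:
        d = edit_distance(domain, t)
        if 0 < d <= max_distance:
            return t
    return None


def received_hops(msg):
    """Return (host, ip) pairs in chronological order, origin first.
    Each relay prepends its own Received: line, so the header list is
    newest-first and has to be reversed."""
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        hdr = " ".join(str(hdr).split())  # unfold continuation lines
        m = re.match(r"from (\S+)", hdr)
        ip = IP_RE.search(hdr)
        hops.append((m.group(1) if m else "?", ip.group(1) if ip else None))
    return hops


def triage(raw: str) -> dict:
    """Summarise the two header checks for one raw message."""
    msg = email.message_from_string(raw)
    domain = sender_domain(msg)
    hops = received_hops(msg)
    origin_host, origin_ip = hops[0] if hops else ("?", None)
    return {
        "sender_domain": domain,
        "imitates": lookalike_domain(domain),
        "hops": len(hops),
        "origin_host": origin_host,
        "origin_ip": origin_ip,
        # Does the first hop even belong to the domain the From: header claims?
        "origin_claims_sender_domain": origin_host.lower().endswith(domain),
    }


if __name__ == "__main__":
    for k, v in triage(RAW_EMAIL).items():
        print(f"{k}: {v}")
```

One caveat a practitioner should keep in mind: a sender can fabricate Received: lines underneath the ones added by your own mail servers, so only the hops added by infrastructure you trust are reliable; the lines below them are claims, not evidence.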
How to prevent phishing attacks
Do not click on links in emails. Instead, go to the real website by typing its address into the address bar yourself.
Do not provide any private information over email. Contact the sender directly to verify your situation.
Carefully check the sender’s name and email address. Check if there are any spelling errors in the email.
Use 2-Step Verification. Carefully check the URL in the address bar. Any website that deals with passwords should be served over SSL (“https://”). However, do not blindly trust the green padlock. Use “View source” to check whether the site you are visiting is loading content from another site. (This was a method we used to create a fake site in our project. Everything was loaded from the real site, except the login box, which was controlled by us.)
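As an added example (not from the original post or the class project), here is a small Python script that automates the “View source” check in the last step: it parses a page’s HTML, resolves every script, image, stylesheet, iframe and form target to an absolute URL, groups them by host, and flags iframes and form actions that point away from the site shown in the address bar. The page URL and HTML are constructed for the demonstration and follow the pattern described in the parenthetical: real-looking assets pulled from the genuine site, with the login box handled elsewhere.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed page source (not a real site). The page sits on a shared
# file-hosting domain, pulls its script and logo from the real bank so it
# looks right, but the login iframe and the form post go to a look-alike host.
PAGE_URL = "https://share.example-storage.net/u/12345/login.html"
PAGE_SOURCE = """
<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="https://www.examplebank.com/app.js"></script>
</head><body>
<img src="https://www.examplebank.com/logo.png">
<iframe src="https://collect.examp1ebank.com/box"></iframe>
<form action="https://collect.examp1ebank.com/login" method="post">
  <input name="user"><input name="pass" type="password">
</form>
</body></html>
"""

# Which attribute carries the URL for each tag we care about.
URL_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href",
             "form": "action", "embed": "src", "object": "data"}


class OriginCollector(HTMLParser):
    """Collect (tag, absolute_url) for every resource reference in the page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attr = URL_ATTRS.get(tag)
        if not attr:
            return
        for name, value in attrs:
            if name == attr and value:
                # Relative URLs resolve against the page's own URL.
                self.refs.append((tag, urljoin(self.page_url, value)))


def same_site(host_a: str, host_b: str) -> bool:
    """Crude same-site test on the last two labels. Assumption: no multi-part
    public suffixes such as co.uk appear in the sample."""
    return host_a.split(".")[-2:] == host_b.split(".")[-2:]


def audit(page_url: str, source: str) -> dict:
    """Group every referenced host and flag credential sinks that leave the site."""
    parser = OriginCollector(page_url)
    parser.feed(source)
    page_host = urlparse(page_url).hostname
    by_host = {}
    offsite_sinks = []
    for tag, url in parser.refs:
        host = urlparse(url).hostname or page_host
        by_host.setdefault(host, []).append(tag)
        # A form or iframe is where typed credentials actually go.
        if tag in ("form", "iframe") and not same_site(page_host, host):
            offsite_sinks.append((tag, url))
    return {"page_host": page_host, "by_host": by_host,
            "offsite_sinks": offsite_sinks}


if __name__ == "__main__":
    report = audit(PAGE_URL, PAGE_SOURCE)
    print("page host:", report["page_host"])
    for host, tags in report["by_host"].items():
        print(f"  {host}: {tags}")
    for tag, url in report["offsite_sinks"]:
        print(f"  credential sink off-site: <{tag}> -> {url}")
```

The same-site test compares only the last two labels, which is enough for the sample but wrong for suffixes like co.uk; a real tool would consult the public suffix list. A page can also be rewritten by JavaScript after it loads, so the static source is a starting point for the check, not proof that nothing else is happening.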