It’s a beautiful day, and you are enjoying it when you get an email. It appears to be from your bank, and states that you need to verify your information because the bank has detected fraudulent activity related to your account. Feeling panicked? No doubt. But look how nice your bank is for placing a convenient “Login to Verify” button in the email so you don’t have to open a new tab and type in your bank’s web address.
STOP! DO NOT CLICK IT! If you do, you will likely become a victim of a phishing email.
What are phishing emails?
Phishing emails are fraudulent emails that appear to come from legitimate senders, for instance your school, your company, or your bank. The main purpose of these messages is to steal your credentials, such as your username and password, or other private information like your bank account number. Phishing emails can be implemented in different ways, but in general they share the following traits:
The tone of the messages is either urgent or extremely appealing. The criminals always want their victims to click the embedded URLs right away, so they try to display a threat that requires immediate action. Alternatively, these emails offer “too-good-to-be-true” or “limited time” coupons, inducing curiosity and desire.
There are many links or attachments embedded in the emails. Even the images can have embedded links.
Many phishing emails contain spelling errors.
To fool you into thinking they are someone they are not, the criminal’s email address often differs by only one or two characters from the email address of the sender they are pretending to be (although this is not always the case; see the recent Google Docs attack below).
Phishing is becoming more sophisticated and more convincing
SSL certificates cannot guarantee your safety
In 2014, Dropbox users received an invitation to open a shared document on Dropbox through a link pasted in the email. The URL redirected the user to a fake Dropbox login page that was itself hosted on Dropbox. Because the page was served over SSL, the address bar displayed the green padlock icon.
In 2017, Google Docs fell victim to phishing attacks. Criminals sent emails to user inboxes from a well known and trusted email address. Recipients could click the button “Open in Google Docs,” taking them to a legitimate Google sign-in page. However, if they proceeded, they unknowingly granted the phishers permission to access their contact lists and emails.
Sender’s email address can be spoofed
Last year, in the Information Security class, my group did our research on phishing emails with PHP. In the project demonstration, we faked the sender’s email address simply by editing the “From:” header and sending it via PHP. Our fake email got through Outlook 365, even though it only displayed the sender’s email address instead of automatically showing the sender’s full name as in real emails. The only way to verify the origin of the email is to trace the IPs of the hops the email has gone through in the “Received:” headers. However, this is not something people regularly do or even know how to do.
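The header trace described above can be automated. The following is an added example written for this post, not code from the class project: it parses the “Received:” chain of a constructed sample message (the hostnames, addresses and IDs in it are made up) and checks whether the earliest hop belongs to the domain claimed in the “From:” header.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, not a real capture: the From: header claims the bank, but
# the earliest Received: hop shows the message entering from an unrelated host.
SAMPLE_EMAIL = """\
Received: from inbound.mail.example.net (inbound.mail.example.net [198.51.100.5])
        by mx.recipient.example with ESMTPS id abc123
        for <victim@recipient.example>; Mon, 01 May 2017 10:00:00 +0000
Received: from vps-203-0-113-7.hosting.example (unknown [203.0.113.7])
        by inbound.mail.example.net with ESMTP id def456;
        Mon, 01 May 2017 09:59:58 +0000
From: "Example Bank" <alerts@examplebank.example>
To: victim@recipient.example
Subject: Verify your account now
"""

HOP_RE = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?\s+by\s+(\S+)", re.I)
IP_RE = re.compile(r"\[([0-9.]+)\]")

def received_hops(raw):
    """Received: chain as (sending_host, ip_seen_by_receiver, receiving_host),
    earliest hop first. Each relay prepends its own line, so the list is reversed."""
    hops = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        m = HOP_RE.search(" ".join(value.split()))  # unfold continuation lines
        if not m:
            continue
        ip = IP_RE.search(m.group(2) or "")
        hops.append((m.group(1), ip.group(1) if ip else None, m.group(3)))
    return hops

def from_domain(raw):
    """Domain of the From: address, i.e. the part the sender gets to write."""
    _, addr = parseaddr(message_from_string(raw)["From"])
    return addr.rsplit("@", 1)[-1].lower()

def origin_matches_sender(raw):
    """True only if the earliest hop was handed in by a host in the From: domain.
    A mismatch is not proof of spoofing (third-party relays are common), but it
    is the signal to look closer before trusting the message."""
    hops = received_hops(raw)
    if not hops:
        return False
    origin, domain = hops[0][0].lower(), from_domain(raw)
    return origin == domain or origin.endswith("." + domain)
```

Note that the sending host named in a “Received:” line is whatever the previous hop announced about itself; only the IP in brackets was observed by the receiving server, which is why the trace starts from the IPs rather than the names.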
How to prevent phishing attacks
Do not click on links in email. Instead, go directly to the real website by typing its address into the address bar.
Do not provide any private information over email. Contact the sender directly to verify your situation.
Carefully check the sender’s name and email address. Check if there are any spelling errors in the email.
Use 2-Step Verification. Carefully check the URL in the address bar. Any website that handles passwords should be served over SSL (“https://”). However, do not blindly trust the green padlock. Use “View source” to check whether the site you are visiting is loading content from another site. (This was a method we used to create a fake site in our project. Everything was loaded from the real site, except the login box, which we controlled.)