Phishing: What to Know and How to Avoid It

An Email is More than Just a Message. For cyber security professionals, emails are the front lines of the cold war with hackers. There are very real and serious risks potentially lurking in that "urgent" email you just received which claims to be from the IRS, FSU ITS, or some other trusted party.

The email could be from a hacker, and the hackers keep sending them out because they work. So, how are the hackers successful with these emails? It comes down to user psychology.

Hackers Rely on Conning Unsuspecting Users. It’s part of their toolkit. In the cyber security world we call cons "phishing." Hence, a duplicitous email sent by a hacker is known as a phishing email (in contrast, innocuous, but still annoying, unwanted email is called spam). Hackers leverage phishing emails to breach organizations.

Phishing Emails Have Been Used in Most Major Cyber Security Breaches: Most of you have likely heard several of the major data security breaches in the news in recent years. There are so many it’s difficult to pick a short list, but some of the more familiar names of successfully attacked institutions are Home Depot, Target, Anthem Healthcare, Lockheed Martin, RSA (EMC), and our own Federal Government. What the casual observer may not realize is that most major breaches involved the successful use of phishing emails to get inside the organization. All it takes is one ill-considered click. “Successful” in this context means that the email recipient was successfully duped into clicking on a link or downloading and opening a file attachment. By doing either of those actions in a phishing email, users have unwittingly allowed the hacker to run software on their computer which has instructions to steal information, raise privileges from a user level to an admin level, or a myriad of other tactics which ultimately facilitate the hacker being able to roam the network and break into internal systems.

This reality of this threat leads to our next question: Which users are successfully targeted with phishing emails?

Users Who are Ignorant of Potential Threats in Emails are at Risk for Being Successfully Phished. Hackers rely on user ignorance and blind trust. The ironic fact is that in other situations, where the threats are more apparent, we consider it common sense to be cautious. If a stranger knocked on the door of your home and said it was urgent and they had to get inside, you would likely not let them in. But, what if they also claimed to be a gov’t employee with a notice, a UPS or FedEx deliveryman with a package you weren’t expecting, or a company rep. claiming to have a prize for you? Would you still let them into your home without doing any verification, no questions asked?

Most people would do some basic verification in the latter situation. If there were any “red flags”, such as the uniforms not looking appropriate or any conflicting information, one would typically ask additional questions, or perhaps call the main number of that organization for confirmation.  If things didn’t feel “comfortable”, many would simply decline and close the door. Why? Because the risk of being too trusting in this situation is understood by everyone.

Reading an email is an analogous situation in the cyber world to opening the door to your home. If the hacker gets the user to click the link or download the file attachment, they have won the battle (but, hopefully not the war).

This leads to our final question: What are the “safe” user behaviors in reading emails, and how does one create them?

A Responsible Employee ALWAYS Evaluates an Email’s Legitimacy Before Clicking.  Like any good behavior, people need to create good habits by repeating them consistently over time. Fortunately, there are simple prophylactic actions users can take when reading an email to lower the risk of being successfully “phished”. Follow These Simple Rules When Reading an Email:

Look for Red Flags: First, determine if there are any “red flags” to you make you suspicious about the email (any one or more of these are cause for concern):

  1.        The email creates a sense of urgency. The email claims that if you don’t take immediate action, you will lose access or privileges, such as access to your emails.
  2.        The email does not show the name of an actual person associated with the organization. The body of the email is not signed by an actual person. It’s either anonymous or uses a fictitious name.
  3.        The email is an official notice but has grammatical or spelling errors or odd or non-standard phrasing. Yes, any email can have such mistakes, but they are common in phishing emails.
  4.        You found the email in your Junk folder. Yes, Outlook and other email programs can sometimes mistakenly route a legitimate email to the Junk folder. However, statistically an email in your Junk folder is more likely to be suspect, so proceed with extra caution.
  5.        The email promises a free gift or prize if you respond. Again, by itself no necessarily an indication of phishing, but this is still a tactic used often in phishing emails.

None of the red flags by themselves or in aggregate guarantee we are dealing with a phishing email, but one or more of these flags should lead you to perform verification steps before proceeding to clicking on anything.

Perform Initial verification: Second, if there are red flags, then verify the sender address, links, and file attachments look legitimate.

  1.        Examine the domain in the sender’s email address. The “domain” is the part of the email that follows the “@” sign in the address. Framingham State University’s domain is Framingham.edu, so all emails sent from FSU accounts should end in “Framingham.Edu”. If the domain name looks odd, unfamiliar, or in any way unexpected, do not click a link or download an attachment in it.
  2.        Examine the web link in the email (e.g. URL) BEFORE clicking. If the URL is an unfamiliar address or a different address than indicated in the URL description do NOT click on it. Determine the actual address by hovering your cursor over the address. Is it what you expect? Is it in an odd domain or country code that seems inappropriate? Be aware that the text shown in the email can be made to look like an address (HTTP://), but the actual address is only revealed when you hover your cursor over it (on Windows).
  3.        Examine the file attachment filename. This is a challenging test: Even PDF files and Excel spreadsheets have had viruses embedded in them, so it is difficult to tell if a file is legitimate. However, a user can at the very least look to see that the file type icon matches the file extension (a mismatch is a concern), such as a text file that isn’t readable or an executable file that ends in .PDF. Also, files with odd names (random numbers and characters) should be treated suspiciously.

Take Final Steps:

At this point, you should have a sense of whether the email is still suspicious. If it is suspicious:

  1.        Do NOT click links or download file attachments found in suspicious emails.
  2.        Forward the suspect email to ITS for examination. If you are unsure about an email’s legitimacy, forward it to the ITS Service Desk (ITS@Framingham.edu).
  3.        Delete confirmed phishing emails from your Inbox, and then a second time from your Deleted Items folder (on Windows). There have been cases where users have recovered phishing emails from their Trash folder and opened them.

If you have any questions about phishing emails or other cyber security concerns, please contact FSU’s Information Security Officer, Bryce Cunningham, at bcunningham2@framingham.edu, or at ext. 4046.