Phishing means that adversaries try to obtain a user’s credentials, such as log-in information, without the user’s consent. This can, for example, be done by sending an email that asks for log-in information, or by luring a user onto a malicious website that claims to be the intended service – when in fact the website belongs to the adversary.
Key steps to make phishing attacks harder for your adversaries
If you want to make it harder for your adversaries to succeed in a phishing attack you can configure your email program in the following way.
- Disable remote images and elements: Adversaries can use remote images to detect if and when you opened an email. If your email program supports it, disable the display of remote elements such as images.
- Disable display of HTML emails: Adversaries use HTML formatting to hide the true destination of URLs and to embed tracking pixels. If your email program supports it, you can disable the display of HTML emails entirely, or set it to prefer the plain-text version of a message.
- Enable to show full addresses: Some email programs only show the display name, such as “Reporters Without Borders”, instead of the email address by default. When you enable the display of full email addresses, you are much more likely to detect when the display name does not match the email address. But keep in mind that email addresses can be forged as well.
- Train to detect phishing (see here)
And finally, as a general rule: it is good practice never to click on links in emails, and instead to type the address the link refers to by hand. If you decide to break this rule, which is sometimes perfectly reasonable, you should avoid entering personal information or a password on the website that the link refers to. If you have to do that, look at the link really carefully before clicking it. If in doubt, you can also contact the person or company that sent you the link and ask whether it is safe. It is best to contact the sender through some other form of communication, such as phone or messenger, though.
Key questions to detect phishing
There are some questions journalists should ask themselves if they receive a message.
Are you waiting for that message?
Nobody expects a phishing mail. You should always be suspicious if a sender contacts you when you are not expecting their message.
The adversary only succeeds if you do something: for example, if you enter your password on a fake website or transfer money to the wrong bank account. To get you to act, adversaries may manipulate your emotions so that you act irrationally.
What might that look like? A few examples:
- Fear: An adversary tries to make you believe that your account has been hacked and that you have to react immediately to reduce harm. You may then panic and not realise that it was a fake website that made you reset your password.
- Success: You wrote a great story and someone congratulates you on it. They promise to show you the details of a new job offer, but to see them you have to click on a malicious link or open a malicious attachment.
- Friendship: You receive a message that claims to be from a close friend and refers to things you recently did together. In reality, the sender is an adversary who checked your public profile on social media and therefore knows who your friends are.
Especially with emails, an adversary can choose a display name that is completely different from the email address. For example, the display name “Reporters Without Borders” can easily be attached to the email address email@example.com. Always check the email address itself, and be aware that even the email address can be forged by adversaries.
Often, an adversary makes deliberate spelling mistakes. These can be in the message itself or in the addresses. For example, an adversary could use firstname.lastname@example.org instead of email@example.com. Can’t you see the difference? The first address says ‘r n a d r i d’ instead of ‘m a d r i d’.
Often, adversaries create links that seem to point to the real website but are in fact malicious. For example, https://google.com.adversary.com/help/journalists/password-stolen does not lead to google.com, but to adversary.com. Adversaries sometimes also try to hide the true destination of links in HTML emails. To find out the true destination, you can hover the mouse cursor over the link, or right-click on the link, select “copy link address” and paste it into a text editor. If you have to click on a link, look at it really carefully before clicking it. You can practise this with the phishing quizzes listed below.
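The three checks just described (display name versus address, look-alike spellings such as ‘rn’ for ‘m’, and the real destination of a link) can be automated for a mailbox filter or a training tool. The script below is an added example and is not part of the original page or any tool it mentions. The trusted domains, the expected-sender mapping, the look-alike table and every message and URL in it are constructed for illustration; `madrid.example` and `adversary.com` are placeholders, and the domain extraction deliberately ignores multi-label public suffixes such as `co.uk`.

```python
"""Small phishing-signal checks for email headers and links (added example, constructed data)."""
from email.utils import parseaddr
from urllib.parse import urlsplit

# Domains the reader actually expects mail and links from (constructed sample set).
TRUSTED_DOMAINS = {"google.com", "example.com", "madrid.example"}

# Display-name fragments and the domain they should come from (constructed sample mapping).
EXPECTED_SENDERS = {
    "reporters without borders": "example.com",
    "google": "google.com",
}

# Character sequences that look alike at a glance; applied in this order (constructed, not exhaustive).
LOOKALIKE_SUBSTITUTIONS = {
    "rn": "m",   # 'rnadrid' reads like 'madrid'
    "vv": "w",
    "cl": "d",
    "0": "o",
    "1": "l",
}


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname: 'google.com.adversary.com' -> 'adversary.com'.
    Assumption: single-label public suffix only (no 'co.uk' handling)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def link_destination(url: str) -> str:
    """Registrable domain a link really points to, regardless of the text it is shown with."""
    return registrable_domain(urlsplit(url).hostname or "")


def normalise_lookalikes(text: str) -> str:
    """Collapse easily confused sequences so 'rnadrid' and 'madrid' compare equal."""
    out = text.lower()
    for fake, real in LOOKALIKE_SUBSTITUTIONS.items():
        out = out.replace(fake, real)
    return out


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS):
    """Trusted domain that `domain` imitates after normalisation, or None if it is trusted or unrelated."""
    if domain in trusted:
        return None
    norm = normalise_lookalikes(domain)
    for good in trusted:
        if norm == normalise_lookalikes(good):
            return good
    return None


def check_sender(from_header: str, expected=EXPECTED_SENDERS, trusted=TRUSTED_DOMAINS) -> list:
    """Warnings for a From: header: display name claiming a brand the address is not from,
    and sender domains that merely look like a trusted one."""
    display, address = parseaddr(from_header)
    if "@" not in address:
        return ["sender address missing or unparsable"]
    sender_domain = registrable_domain(address.rsplit("@", 1)[1])
    warnings = []
    for name_fragment, good in expected.items():
        if name_fragment in display.lower() and sender_domain != good:
            warnings.append(f"display name claims '{name_fragment}' but address domain is {sender_domain}")
    imitated = lookalike_of(sender_domain, trusted)
    if imitated:
        warnings.append(f"sender domain {sender_domain} looks like {imitated}")
    return warnings


def check_link(url: str, trusted=TRUSTED_DOMAINS) -> list:
    """Warnings for a link: a trusted name used as a subdomain of somewhere else, or a look-alike domain."""
    host = (urlsplit(url).hostname or "").lower()
    dest = registrable_domain(host)
    if dest in trusted:
        return []
    warnings = []
    for good in trusted:
        if host.startswith(good + ".") or ("." + good + ".") in host:
            warnings.append(f"'{good}' appears in the hostname but the link really goes to {dest}")
    imitated = lookalike_of(dest, trusted)
    if imitated:
        warnings.append(f"destination {dest} looks like {imitated}")
    return warnings


if __name__ == "__main__":
    # Constructed sample inputs mirroring the page's examples.
    for hdr in ['"Reporters Without Borders" <news@adversary.com>',
                '"Reporters Without Borders" <press@example.com>',
                'Newsroom <desk@rnadrid.example>']:
        print(hdr, "->", check_sender(hdr) or "no warnings")
    for url in ["https://google.com.adversary.com/help/journalists/password-stolen",
                "https://mail.google.com/"]:
        print(url, "->", check_link(url) or "no warnings")
```

Run it as a script to see the warnings for the constructed samples, or import the functions and feed them the `From:` header and the URLs extracted from a message you are unsure about. The look-alike table is intentionally short: extend it for the scripts and brands your newsroom actually deals with, and remember that a clean result means only that these particular signals are absent, not that the message is safe.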
Adversaries can hide malware in an attachment. Merely opening a malicious attachment can be the end of the game. Never open an attachment unless you are 100 percent sure that it is legitimate.
The best way to learn to detect phishing messages is to practise regularly. There are several quizzes that can help you, for example:
● by Google
● by OpenDNS
● by SonicWall