Email phishing scams have grown more sophisticated since they first began popping up in corporate inboxes in the 1990s. Early phishing emails were relatively easy to detect as they were characterized by poor grammar and spelling. No legitimate business would send an email to customers chockfull of typos.
As email users grew wary of phishing attempts, cybercriminals have had to change their tactics and their lures. Today, phishers are churning out much more convincing and effective emails. Not only are the most persuasive specimens well-written, they are also often personalized, addressing the recipient by name. In addition, they replicate the look and feel of authentic emails from legitimate businesses down to the fonts, footers, logos and copyright statements those companies use in electronic correspondence with their customers.
Why criminals keep phishing
The result of these refinements has been an explosion in phishing attempts. In 2011, approximately one out of every 300 emails circulating the web was deemed to contain elements indicative of phishing, according to “The Year in Phishing,” a report from RSA. The cumulative number of phishing attacks recorded that year was 279,580, a 37 percent increase over 2010, by RSA’s count.
RSA says that phishing attacks are on the rise despite heightened user awareness in part because they’ve become so easy for cybercriminals to execute. Malware writers have created automated toolkits that fraudsters use to easily create and host phishing pages. On average, every phishing attack nets a $4,500 profit in stolen funds for the perpetrator, according to RSA.
Because phishing attacks are easier for cybercriminals to produce and more convincing than ever, RSA predicts even more of them in 2012. To help you and your end-users determine whether those suspicious emails in your inboxes are legitimate or phishing scams, CIO.com asked Daniel Peck, a research scientist with Barracuda Networks, a provider of email and web security products, to analyze a particularly convincing specimen allegedly from American Express. We include below a copy of the email in question, along with Peck’s tips for discerning the validity of suspicious emails.
This “Fraud Protection Alert” allegedly from American Express is in fact a phishing scam.
The above email is an alleged “Fraud Protection Alert” from American Express. It informs the recipient and would-be cardholder of potential fraudulent charges on their credit card.
This email is, in fact, a phishing scam, but it’s convincing for a variety of reasons. For one, it sounds authoritative. Second, the footer, with its putative links to American Express Customer Service and the company’s privacy statement, makes it look authentic. The message at the end of the footer that reads, “Your Cardmember information is included in the upper-right corner to help you recognize this as a customer service e-mail from American Express. To learn more about e-mail security or report a suspicious e-mail, please visit us at americanexpress.com/phishing,” makes it look even more authentic and is designed to further confuse the recipient.
Finally, because the message assumes the recipient did not recently charge a Hilton Hotel reservation, it attempts to win the recipient’s trust, as if to say, “We’re looking out for you.”
5 ways to catch a phish
With all of these convincing elements designed to spoof legitimate emails and confuse recipients, how can email users be sure messages like this one are fake? Here are five tips.
1. Hover. Whatever you do, don’t click on any of the links in the email, says Peck. You can and should, however, point your mouse at them and hover over them.
When we hover over the “Secure Online Chat” and “www.americanexpress.com/case” links, we see that those links don’t direct to the americanexpress.com domain. One directs to a website in Italy, as marked by the .it domain. The other points to a .us domain. Links that don’t go to the legitimate domain of the business are telltale signs of phishing emails.
2. Copy and paste. If you can’t see the URL where the links direct when you hover over them, Peck suggests copying and pasting the link into a Microsoft Word document. Right-click on the pasted link and select “Edit Hyperlink” from the menu that appears. Selecting “Edit Hyperlink” will open a pop-up window in Word that shows, in the “Address” field, the web address to which the link directs.
3. Investigate the email’s properties. Outlook users who have opened the suspicious email can go to the “File” tab and select “Properties.” In the “Properties” pop-up window that appears, Peck says to look at the box at the bottom of the window labeled “Internet headers.” This box shows the path the email took to reach the end-user, he says. “Look at the originating systems. If they’re not from American Express, Constant Contact or other trusted email blast systems, those are tipoffs that it’s a phishing email,” he adds.
4. Act on information that you know for sure is trustworthy. If your bank or credit card company is sending you an email regarding a fraud alert, you ought to see that same fraud alert on your bank or credit card company’s legitimate website, says Peck. If you’re at all uncertain, Peck recommends calling the phone number on the back of your credit card. “Always work on information that you have a lot more reason to trust,” he adds.
5. When in doubt, throw it out. The best defense against phishing scams, Peck says, is to assume the email is untrustworthy and to pursue direct channels to businesses that you trust, such as your bank’s 1-800 number.
For more tips on how to avoid phishing scams, check out the Anti-Phishing Working Group’s website.
Meridith Levinson covers Careers, Security and Cloud Computing for CIO.com. Follow Meridith on Twitter @meridith. Follow everything from CIO.com on Twitter @CIOonline and on Facebook. Email Meridith at firstname.lastname@example.org.
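Tips 1 and 3 are the two checks a mail-security team can automate for triage. The Python below is an added example, not code from the article, Barracuda Networks or American Express: it pulls each link's visible text and real destination out of an HTML body and flags destinations outside the brand's domain (tip 1), and lists the originating hosts recorded in the Received: headers (tip 3). The sample message and every hostname in it are constructed.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

LEGIT_DOMAIN = "americanexpress.com"  # brand the message claims to come from

class LinkCollector(HTMLParser):
    """Collects (visible text, real href) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def suspicious_links(raw_message, legit_domain=LEGIT_DOMAIN):
    """Tip 1: links whose real destination is outside the brand's domain."""
    parser = LinkCollector()
    parser.feed(message_from_string(raw_message).get_payload())
    def legit(href):  # exact domain or a subdomain; lookalikes such as brand.com.evil fail
        host = (urlparse(href).hostname or "").lower().rstrip(".")
        return host == legit_domain or host.endswith("." + legit_domain)
    return [(text, href) for text, href in parser.links if not legit(href)]

def originating_hosts(raw_message):
    """Tip 3: the 'from' host of each Received: header, first hop first."""
    received = message_from_string(raw_message).get_all("Received", [])
    matches = (re.match(r"\s*from\s+(\S+)", value) for value in received)
    hops = [m.group(1) for m in matches if m]
    return hops[::-1]  # each relay prepends its header, so the last one is the origin

# Constructed sample modelled on the article's description; all hosts are made up.
SAMPLE = """Received: from mail.relay.example by mx.recipient.example
Received: from webhost.phish.example.it by mail.relay.example
From: "American Express" <alerts@americanexpress.com>
Content-Type: text/html

<a href="http://chat.phish.example.it/amex">Secure Online Chat</a>
<a href="http://case.phish.example.us/login">www.americanexpress.com/case</a>
<a href="https://www.americanexpress.com/privacy">Privacy Statement</a>
"""
```

Run against the sample, the first two links are flagged (the .it and .us destinations behind brand-looking text) and the first hop is the .it web host rather than an American Express or Constant Contact system.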