Email phishing is not a new phenomenon. For a number of years, hackers have used emails to trick us, whether it be as private individuals or employees of a company – and it is by no means always easy to spot the deception.
This article will take a closer look at email phishing attempts, which are becoming more and more sophisticated and harder to spot.
We’ll also be taking a look at the best way for you to protect yourself and your employees, customers and users from email phishing scams. Fortunately, it’s not that difficult if you take certain precautions.
The most transparent attempts at email phishing
We have all seen the spam emails sent from unknown addresses and containing one or more suspicious links.
This is where you need to take a moment to think before you click on anything. Don’t let your curiosity get the better of you.
And no matter what, don’t click on the link if you don’t know who has sent the email. This is a general rule of thumb – even if the subject of the email might be trying to lure you in with something you have an interest in.
If you do happen to click on the link anyway, in the most harmless cases it will just take you to a page trying to sell you something. In the more serious cases, however, the link will start the download of an .exe file that may well be a virus.
Fortunately, you’ll always be asked to confirm your download before it starts and thus before any potential virus files can be opened and start infecting your system.
Therefore: don’t accept any downloads from pages you don’t trust completely. That’s another rule to keep in mind.
The slightly more sophisticated phishing attempts
Here’s an example of one of the more sophisticated phishing emails that hackers might send. The email has been sent to an employee of TRUSTZONE from what appears to be the company’s CEO. The CEO is asking Erik, the employee, to pay an urgent invoice.
If you want to have a chance of identifying this email as a scam, you really need to be paying attention. As you can see when you look more closely, the only clue that this is not from your CEO is the fact that there is an extra ‘s’ in the sender’s domain name. Everyone with a valid TRUSTZONE email will have their emails sent from addresses such as firstname.lastname@example.org or .dk – and thus not from trustszone.com, which has an ‘s’ added into the middle of the domain name.
The quite sophisticated attempt
You certainly don’t need to be a genius to make an even more sophisticated phishing attempt – a so-called spear phishing attack – where the recipient won’t be able to spot anything wrong by merely looking at the sender’s address.
That is to say, it doesn’t need to take more than 5 minutes to set up an email to be sent from addresses posing as CEOs of major corporations like cokoh.dong-Jin@samsung.com, email@example.com or firstname.lastname@example.org, where the domain name matches exactly what you would expect from the presumed sender. You’ll just need to check beforehand that the domains you’re using haven’t enabled DMARC.
In these cases, you’ll only suspect something is wrong if you investigate the sender address more closely. You can do so by hitting the ‘Reply’ button and checking the return address very thoroughly.
You could also call Western Union and ask if they really did send you an email about updating your credit card information. There are several things you can do to verify an email, but you need to be aware of them and have the time to carry out those tasks.
Check out how easy it is to manipulate a sender address on emails in the video attached to this article.
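The two checks described above, the extra letter in the sender’s domain and a return address that does not match the visible From address, as an added example (not code from this article or from TRUSTZONE). It assumes trustzone.com and trustzone.dk as the trusted domains and runs over a constructed message modelled on the CEO invoice scenario; a DMARC lookup needs DNS and is not part of it.

```python
import email
from email.utils import parseaddr

# Assumed trusted domains (the article only implies trustzone.com / .dk).
TRUSTED = {"trustzone.com", "trustzone.dk"}

# Constructed sample modelled on the invoice scenario: the visible From looks right,
# but replies would go to a lookalike domain with an extra 's'.
SAMPLE = """From: "The CEO" <ceo@trustzone.com>
Reply-To: ceo@trustszone.com
To: erik@trustzone.com
Subject: Urgent invoice

Erik, please pay the attached invoice today.
"""

def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header_value):
    """Lower-cased domain part of the first address in a header, '' if none."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def lookalike(domain):
    """The trusted domain this one imitates (edit distance 1 or 2), else None."""
    if not domain or domain in TRUSTED:
        return None
    close = [t for t in TRUSTED if levenshtein(domain, t) <= 2]
    return min(close, key=lambda t: levenshtein(domain, t)) if close else None

def check(raw_message):
    """Return human-readable findings for the sender-related headers of a message."""
    msg = email.message_from_string(raw_message)
    sender = domain_of(msg["From"])
    findings = []
    for hdr in ("Reply-To", "Return-Path"):
        d = domain_of(msg[hdr])
        if d and d != sender:   # the 'hit Reply and look at the address' check, done up front
            findings.append(f"{hdr} domain {d} differs from From domain {sender}")
    for hdr in ("From", "Reply-To", "Return-Path"):
        t = lookalike(domain_of(msg[hdr]))
        if t:
            findings.append(f"{hdr} domain {domain_of(msg[hdr])} imitates {t}")
    return findings
```

`check(SAMPLE)` reports both that the Reply-To domain differs from the From domain and that trustszone.com imitates trustzone.com; a plain internal message yields no findings.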
A digital email signature (S/MIME) means the receiver can be sure about who the sender is
However, there are ways in which you can send an email and let the recipients be extremely confident that you are in fact the one who sent it.
If the sender uses a digital email signature (a so-called S/MIME certificate) then the receiver can be enormously confident that the sender is who they say they are.
A digital email signature is particularly useful for banks, insurance companies, companies that provide subscription-based services and companies that in some other way process personal data and want their emails to be free of suspicion.
First of all, it’s nearly impossible to cheat your way to a digital signature. It’s simply not possible to be issued a signature that allows you to pass yourself off as someone you’re not.
Companies such as TRUSTZONE issue these S/MIME certificates, and in the process of doing so, we thoroughly verify your identity and that you have access to the email account in question.
In order to trick us into issuing a false S/MIME Certificate, you would somehow have to really outsmart us. Now, we have built a business on making that as hard as humanly possible.
Secondly, you won’t be able to edit the certificate once it’s been issued. For example, you can’t forward an email that’s been sent with a digital signature – at least, not without losing the original digital signature in the process.
You can’t edit or manipulate the things that the certificate verifies either.
Some S/MIME certificates verify you as an individual and as the owner of a certain email address. Others link you to a specific department or company and list you as the owner of the specified email address.
Even the simplest certificates that merely verify that you are in fact the owner of the email address (and thus do not as such verify your identity or your association with a certain company or department) help those receiving your email to identify you as a legitimate sender.
This is because even such a basic certificate would never be issued to addresses such as email@example.com, firstname.lastname@example.org or any other address that tries to trick you with a well-known domain name, as the spear phishing attacks described earlier do.
It wouldn’t be possible, since the scammers are only pretending to have access to email addresses such as @ebay.com or @samsung.com, but don’t actually have it. They need to have that access in order to be verified as the owner of each specific email address.
Even for the most basic S/MIME certificates, we go through the process of sending a TRUSTZONE email to the address. The individual applying for a certificate needs to respond to this email. They can’t do that if there is no such address, or if it belongs to another person or to a domain which the applicant doesn’t have access to.
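As an added example of the two properties described above, the certificate binding a signer to a verified email address and the signature breaking when the content is changed, the following round-trip drives the openssl command-line tool from Python. It is not TRUSTZONE’s code or issuance process: a constructed throwaway CA stands in for a real issuer, erik@example.org is a constructed address, and the challenge email a real CA sends before issuing is not modelled.

```python
import subprocess, tempfile
# Added example, not TRUSTZONE's issuance process: a constructed test CA issues one S/MIME
# certificate for the constructed address erik@example.org, using the openssl CLI.
CONF = """[req]
distinguished_name = dn
prompt = no
[dn]
CN = Constructed Test CA
[ca_ext]
basicConstraints = critical,CA:TRUE
[user_ext]
extendedKeyUsage = emailProtection
subjectAltName = email:erik@example.org
"""

def openssl(*args):
    return subprocess.run(["openssl", *args], capture_output=True, text=True)

def build_pki(d):  # test CA first, then a user certificate for erik@example.org signed by it
    open((cnf := f"{d}/x.cnf"), "w").write(CONF)
    openssl("req", "-x509", "-config", cnf, "-extensions", "ca_ext", "-newkey", "rsa:2048",
            "-nodes", "-keyout", f"{d}/ca.key", "-out", f"{d}/ca.pem", "-days", "2")
    openssl("req", "-new", "-config", cnf, "-subj", "/CN=Erik/emailAddress=erik@example.org",
            "-newkey", "rsa:2048", "-nodes", "-keyout", f"{d}/erik.key", "-out", f"{d}/erik.csr")
    openssl("x509", "-req", "-in", f"{d}/erik.csr", "-CA", f"{d}/ca.pem", "-CAkey", f"{d}/ca.key",
            "-CAcreateserial", "-days", "2", "-extfile", cnf, "-extensions", "user_ext",
            "-out", f"{d}/erik.pem")

def sign(d, body):  # clear-sign a text body with Erik's certificate (multipart/signed)
    open(f"{d}/msg.txt", "w").write(body)
    openssl("smime", "-sign", "-text", "-in", f"{d}/msg.txt", "-signer", f"{d}/erik.pem",
            "-inkey", f"{d}/erik.key", "-out", f"{d}/signed.eml")
    return open(f"{d}/signed.eml", newline="").read()

def verify(d, signed_eml, claimed_from):  # -> (valid, email in signer cert, matches From)
    open(f"{d}/in.eml", "w", newline="").write(signed_eml)
    r = openssl("smime", "-verify", "-in", f"{d}/in.eml", "-CAfile", f"{d}/ca.pem",
                "-signer", f"{d}/signer.pem", "-out", f"{d}/content.txt")
    if r.returncode != 0:  # chain not trusted, or content changed after signing
        return False, None, False
    mails = openssl("x509", "-in", f"{d}/signer.pem", "-noout", "-email").stdout.split()
    return True, mails[0], claimed_from in mails

def demo():
    build_pki((d := tempfile.mkdtemp()))
    signed = sign(d, "Erik, please pay the attached invoice today.\n")
    genuine = verify(d, signed, "erik@example.org")     # certificate address matches From
    spoofed = verify(d, signed, "erik@trustszone.com")  # valid signature, address does not match
    edited = verify(d, signed.replace("today", "now"), "erik@example.org")  # body altered
    return genuine, spoofed, edited
```

`demo()` returns three results: a valid signature whose certificate address matches the From address, a valid signature whose certificate address does not match the claimed sender, and the altered message, which no longer verifies at all.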
Thus, when it comes down to it, it really isn’t that hard for you as a sender of emails to let the recipients feel confident that you are who you say you are. Likewise, it’s not that hard for you as a recipient of an email to see who is sending it as long as the sender uses a digital email signature.