Cyber attackers may have increasingly sophisticated tools and techniques at their disposal, but the truth is phishing or spoofing emails remain their bread and butter for getting onto a victim's machine. Despite employer efforts to improve security awareness, hackers continue to see success — a phishing campaign of just 10 emails yields a 90% chance of snagging at least one victim.
With those kinds of odds it's no surprise phishing attacks appear to be on the rise. According to Wombat Security's "2016 State of the Phish" report, 85% of businesses reported being the victim of a phishing attack in 2015, up 13% from 2014. Nearly two-thirds of businesses said the rate of phishing attacks they're seeing has increased, overall.
What Can You Do to Avoid Getting Phished?
There are several anti-phishing and security awareness providers you can consider (such as Wombat and KnowBe4), but an immediate step you can take is to inform your employees how to watch out for one of the most critical tell-tale signs of a phishing email — a mismatched or fake URL.
Look Before You Leap: How to Spot a Fake URL
Clicking on email links and attachments without scrutinizing them first is one of the worst online security habits, and it is what leaves users most exposed to attacks. By teaching employees this simple way of examining a link before they click, you can significantly reduce your chances of getting hacked. The best part is that once you know what you're looking for, it only takes a second.
Step 1: Hover over any link to see where it wants to send you
Thanks to hyperlinking, we're able to substitute descriptive text for actual links and URLs ("click here" is the most common example). That can be useful for a variety of legitimate reasons, but unfortunately it also gives attackers an opportunity to trick you into clicking something you shouldn't.
The good news is that you can view the target URL (the address where the link will actually send you) simply by hovering over the link with your mouse.
Here's a straightforward example I whipped up:
And here's a slightly trickier one using a fake URL in the actual message:
Step 2: Make sure the URL domain is correct
In either of those cases, I obviously don't want to go to "bogus.org/totally-trying-to-scam-you/" so there's no way I'm clicking that link.
Of course, that's a very blunt and unrealistic example. In the real world, attackers can be far more subtle.
Let's say, for example, you're a dog owner who expects to receive emails from http://dogbiscuit.com/ and you receive what appears to be an offer for treats. Rather than automatically clicking the link in the email, you should take a second to make sure the domain in the target URL matches exactly with http://dogbiscuit.com.
Watch out for misspellings and small alterations such as:
And pay special attention to the text that comes before the first slash (not including "http://"). In this example, it should always include "dogbiscuit.com". Anything resembling the following examples should be considered a red flag:
(this directs to catsruledogsdrool.com, not dogbiscuit.com)
(the domain here is actually "keepoffthegrass365.com" because it is immediately before the first slash)
(while sites do commonly have things like "support" or "blog" listed before their domain, they are only valid if they are separated by a DOT — ex: support.dogbiscuit.com — not a hyphen or anything else)
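As an added example (not code from the original post), here is a small Python checker that applies Step 2 mechanically: it pulls the host out of a link target and accepts it only when the host is dogbiscuit.com itself or a dot-separated subdomain of it. The dogbiscuit.com domain is the article's own hypothetical, and the sample links are constructed here to mirror the red-flag patterns described above.

```python
from urllib.parse import urlsplit

EXPECTED_DOMAIN = "dogbiscuit.com"  # the sender's real domain in the article's example


def target_host(url: str) -> str:
    """Return the host part of a link target: the text between the scheme
    and the first slash, lower-cased, with any port stripped."""
    if "://" not in url:
        url = "http://" + url  # urlsplit needs a scheme to locate the host
    host = urlsplit(url).hostname  # .hostname drops the port and any user@ prefix
    return (host or "").rstrip(".").lower()


def host_matches(host: str, expected: str) -> bool:
    """True only if host is exactly the expected domain or a DOT-separated
    subdomain of it: support.dogbiscuit.com passes, support-dogbiscuit.com
    and keepoffthegrass365.com/dogbiscuit.com do not."""
    return host == expected or host.endswith("." + expected)


def check_link(url: str, expected: str = EXPECTED_DOMAIN) -> tuple[bool, str]:
    """Apply the Step 2 rule to one link and explain the verdict."""
    host = target_host(url)
    if host_matches(host, expected):
        return True, f"ok: host is {host}"
    return False, f"RED FLAG: link goes to {host!r}, not {expected}"


# Constructed sample links modelled on the article's red-flag patterns.
SAMPLE_LINKS = [
    "http://dogbiscuit.com/offers/treats",                 # genuine
    "https://support.dogbiscuit.com/tickets",              # genuine subdomain
    "http://dogbiscuit.com.catsruledogsdrool.com/login",   # real domain is catsruledogsdrool.com
    "http://keepoffthegrass365.com/dogbiscuit.com/offer",  # dogbiscuit.com is only in the path
    "http://support-dogbiscuit.com/reset",                 # hyphen, not a dot
    "bogus.org/totally-trying-to-scam-you/",               # the blunt example
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        ok, why = check_link(link)
        print(f"{'PASS' if ok else 'FAIL'}  {link:<55} {why}")
```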
Moving Beyond the Basics
There are other ways to spot a phishing email (see 10 tell-tale signs to look out for here), but getting into the habit of double-checking target URLs is a great first step.
For more tips, here are a few places where you can find additional phishing training resources (go ahead and hover over those links before you click):
- Phishing Quiz: Can You Spot a Scam When You See One? (Intel)
- KnowBe4 Security Awareness Training Blog
- Wombat Security Blog
Photo by: Chris Greer