Become a Pro at Drowning Phishermen

From: <sender>@security-paypal.com

To: Femi Reis

Dear User,

You just requested a password change at PayPal.com. Please use the link below to reset your password. If this wasn’t you, please click here to report this activity and update your password immediately to avoid any possible compromise.

Thank you for using PayPal.

Such emails drop into my inbox often; I am sure they are not strange to you either. I thought we should start where all awareness trainings start and most awareness trainings end: phishing.

There is a concept in warfare called Military Deception (MILDEC), a branch of information warfare in which the target is fed false information so that he makes decisions to his own detriment. History is full of battles in which victory and defeat were decided largely by MILDEC. It is also what attackers in cyberwarfare seek to achieve with phishing (pronounced “fishing”). A phishing email carries information that appears to be in your best interest, with the goal of getting you to make a decision and take an action that is actually to your detriment. In cyberwarfare, a staggering three billion phishing emails are fired daily; some are random shots, while others are aimed with pinpoint precision at very specific targets (this is called spear phishing).

Picture this: you receive an email from “PayPal” notifying you that you just successfully logged in to your account from El Paso. El Paso?! No way! You are in faraway Nairobi and have not even tried to log in to your PayPal account. This sure is an indicator of compromise, you think to yourself. At this point your palms are sweaty; there is $5,087.42 in your PayPal wallet, and you must stop this activity before a cent of it disappears! Thankfully, PayPal has provided a link in the mail for you to arrest the situation immediately: change your password promptly to lock the intruder out, then report the case so they can investigate further. So you click the link, it brings you to a password reset page, you enter your old password and your new password, and the reset succeeds. “Phew! That was close,” you whisper under your breath. But on the other side of the globe, in a little room with five men on their laptops, one of them jumps up, throws his fist in the air and shouts, “Yes! That was spot on!” The other four keep phishing without breaking focus. A few minutes later you receive a transaction notice from PayPal for $5,000; your wallet balance is now $87.42.
You have just been drowned by a phisherman! As in the battles fought in Arab deserts and African jungles, MILDEC has once again delivered, this time in cyberspace.

Phishing is a common attack method in cyberwarfare. The attacker sends an email aimed at getting you to take an action that appears to be in your best interest but is in fact tantamount to pulling the pin of a grenade in your own house. The question, then, is how you can tell when this is happening to you. Let us go back to the email we started with.

From: <sender>@security-paypal.com

To: Femi Reis

Dear User,

You just requested a password change at PayPal.com. Please use the link below to reset your password. If this wasn’t you, please click here to report this activity and update your password immediately to avoid any possible compromise.

Thank you for using PayPal.

The first thing to check is the sender’s email address, the actual address and not the display name (a mail client may show “PayPal” in bold while the address underneath is something else entirely). In this case the address is at security-paypal.com[1]. The part of an address that tells you who really sent it is the root domain. Let me explain. The root domain is the last word, or group of words joined by dashes, that comes just before the public suffix, which is “.com” here but can also be “.org”, “.co.uk” and so on. So in this case the root domain is a compound word (two words joined with a dash to form one word), security-paypal, and that is the actual sender. This email is not from PayPal; it is from security-paypal (security dash paypal), whoever that is. Many times the dash is introduced to trick you into believing you are looking at a subdomain of PayPal.

Let me explain what a subdomain is. If the address were at security.paypal.com, the root domain would be paypal, the single word that comes just before “.com”, and security would be a subdomain of it. A subdomain is always separated from the root domain by a dot, never by a dash. A dash is just another character inside a word, so security-paypal is one word and forms the root domain on its own. Thus an address at me-you.com is not coming from you.com, it is coming from me-you.com, whereas an address at me.you.com is coming from you.com; the last single or compound word before the “.com” is the actual sender. The reverse trick also exists: an address at paypal.com.example.net is a subdomain of example.net, not of paypal.com, because only the word right before the suffix counts, no matter how many familiar names are stacked in front of it.

Now attackers sometimes find a way to spoof a proper email address, spelt with the actual root domain (or simply put a convincing display name in front of a foreign address), so another thing to look out for is the greeting. Are you greeted by name? If the mail is from a company with which you hold a valid account, you should not be addressed as “Dear User”; you should be addressed by name. But that is not an automatic green light either; phishing can be targeted with such precision that it bears the name of the intended recipient, as was the case with Podesta. You could be greeted by name and still be dealing with a phisherman, so there must be other things to look out for. How about the grammar and spelling? Most phishermen are given to silly typos and grammatical errors, so this can be a good indicator; an email from PayPal should not be muddled with typos. Then again, this phisherman could be an Ivy League graduate with his mail well worded and his hook well baited, so there must be something to check beyond the wording, and here is the final one. Every phishing email wants you to take an action, either to click on something or to reply with something. If there are links or buttons in the mail on which you are advised to click, they will not point to paypal.com; they will point to the attacker’s den. The Reset Password button would not point to paypal.com, it would point to death, and here is how you will know. Without clicking the link or button, simply hover your mouse over it if you are on a computer, and the target will be revealed in the status bar, usually at the bottom-left corner of the window (some mail clients show it as a tooltip instead); you will see that it points not to paypal.com but to a different domain.
If you are on a mobile device, press and hold the button or link (DO NOT TAP IT) and select the option that says “Copy link address” (or however it is worded on your device); then open a notes app or a blank compose window and paste the copied address there to see where the link really points. There are, however, cases where links are rewritten, by URL shorteners or by mail-security gateways that wrap every link, so that the real domain is not spelt out plainly when you hover. If you are in doubt whether this is the case, copy the link and check it with an online URL scanner; simply run a search for “online URL scanner” to find one. Bear in mind that the real domain can also be buried inside a longer address: a link to paypal.com.example.net goes to example.net, and one written as https://paypal.com@example.net/ goes to example.net too, because everything before the @ in a web address is treated as a username and ignored.
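Here is the sender and link check described above as working code. This is an added example written for this page, not code from the original post or from PayPal; it assumes a tiny hand-picked public-suffix table standing in for the real Public Suffix List, and every address and link it is run on is a constructed sample.

```python
from urllib.parse import urlparse

# Stand-in for the Public Suffix List (assumption: the real list is far longer,
# and a production check should load it rather than hard-code these).
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk", "com.ng"}


def registrable_domain(host: str) -> str:
    """Return the part of a hostname that names its owner (the "root domain").

    security.paypal.com     -> paypal.com           (dot: a subdomain)
    security-paypal.com     -> security-paypal.com  (dash: one word)
    paypal.com.example.net  -> example.net          (familiar name stacked in front)
    """
    labels = host.strip().lower().rstrip(".").split(".")
    # Try the longer suffixes first so that co.uk wins over uk.
    for n in (2, 1):
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    # Unknown suffix: fall back to the last two labels.
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def sender_domain(address: str) -> str:
    """Root domain of a From: address, whether bare or 'Display Name <user@host>'."""
    addr = address.strip()
    if addr.endswith(">") and "<" in addr:
        addr = addr[addr.rindex("<") + 1:-1]  # the display name is ignored entirely
    return registrable_domain(addr.rsplit("@", 1)[-1])


def link_domain(url: str) -> str:
    """Root domain a link really goes to.

    urlparse().hostname drops the scheme, port, path and any user@ prefix, so
    https://paypal.com@example.net/ resolves to example.net, as a browser would.
    """
    if "://" not in url:
        url = "http://" + url
    return registrable_domain(urlparse(url).hostname or "")


def is_from(expected: str, address: str) -> bool:
    """True only if the sender's root domain is exactly the expected one."""
    return sender_domain(address) == expected.lower()


def link_matches(expected: str, url: str) -> bool:
    """True only if the link's root domain is exactly the expected one."""
    return link_domain(url) == expected.lower()


if __name__ == "__main__":
    # Constructed samples, not real mail.
    for addr in ("PayPal <service@security.paypal.com>",
                 "PayPal <service@security-paypal.com>"):
        print(f"{addr:45} root={sender_domain(addr):22} PayPal? {is_from('paypal.com', addr)}")
    for url in ("https://www.paypal.com/signin",
                "https://paypal.com.example.net/reset",
                "https://paypal.com@example.net/reset"):
        print(f"{url:45} root={link_domain(url):22} PayPal? {link_matches('paypal.com', url)}")
```

The comparison is deliberately an exact match on the root domain: a look-alike such as security-paypal.com, a stacked name such as paypal.com.example.net and a user@ prefix all fail it, which is the point of the hover check.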

Now, if you have looked for all the indicators we have walked through and none of them is present, in other words the sender’s address appears legitimate and there is absolutely nothing in the mail that suggests it is not from PayPal, still DO NOT CLICK THE LINK. Whatever secure action the mail recommends, open your browser or app yourself, log in to your account and take the action from there; in this case, reset your supposedly compromised password. As long as you did not initiate it, never take an action from a mail, even one you are convinced is from a legitimate source; close the mail, go to your account and perform the action there.

If the email asks you to reply with information, or to execute an action or financial transaction that is in your line of duty, adopt what I call an MFC policy: Multifactor Confirmation. Never supply information or carry out a sensitive action or transaction on the strength of an email without reaching the sender through a second channel, preferably a phone call to a number you already have on file (not one printed in the suspicious mail), to confirm it. If it is not from a known sender, do your due diligence; never send sensitive information in response to a mail that arrives out of the blue from someone you know nothing about. You can never be too suspicious at the peak of warfare. There are about 4.6 billion active internet users worldwide; with 3 billion phishing emails fired each day (21 billion each week), the odds are high that some of those bullets will come your way. Treating every unsolicited mail with suspicion is thus a wise approach in warfare.

Note, however, that all the actions we have seen so far are simply meant to keep you from drowning, but that is not our ultimate goal; you should not be content with sailing away to safety when you could as well drown the phisherman before you leave. So how do you do that?


  Marching Orders

  1. Treat every email you’re not expecting as suspect.
  2. Except where it is impossible not to, do not click on anything inside, or attached to, an email, especially when you are not 101% sure of its source.
  3. Report every phishing email through the appropriate channels. (You can forward the email to the Anti-Phishing Working Group at reportphishing@apwg.org or, if it is a PayPal phishing email, to phishing@paypal.com; forward it as an attachment where your client allows it, so the original headers survive. You can also search for the reporting procedure of your specific email client, such as “Report phishing on Gmail” or “Report phishing on Yahoo”, or use whatever reporting framework your organization or institution has in place. The goal is to get the phishing email to various points of action.)
  4. After you’ve done the necessary reporting, select the email in your box and mark it as spam (don’t delete it, mark it as spam).
  5. If the mail asks you to reply with sensitive information and it is from someone you know, reach out to that person by other means to clarify the request. If it is not someone you know or can reach another way, reply with probing questions that will further reveal the sender’s intentions and identity without raising his suspicion of your intent to drown him in the process; sustain the conversation long enough to turn the tables, and be sure to blind-copy the relevant authorities on all such mails. Bear in mind that any reply confirms your address is live and read, so do this only where your organization’s policy allows it; otherwise stop at reporting.
  6. Finally, sound the battle cry to those around you—“Every link in an email could be a grenade pin; think before you pull.”

[1] As of the time of this writing, www.security-paypal.com is not a registered domain name.
