Andy Cummings & Renee Stone
October 29, 2020
While Halloween is scary, cyberattacks can be even more frightening. Ransomware locks your computer and demands a payment to unlock it. Your best defense against this is to keep your operating system updated with current patches AND back up all of your data, because there is no guarantee you’ll get your data back even if you do pay the ransom. Phishing is similar to Trick-or-Treating, but there’s no Treat – just a Trick: an email crafted to fool you into clicking a link or downloading an attachment.
Black Cats have long been associated with Halloween. In cybersecurity, Black Hats are criminals who break into machines and steal data like passwords, email, credit information, or bank accounts. Cybersecurity is a personal and professional responsibility for all of us. Think before you click, do your part to be cybersmart.
Still, however boring the subject might seem, phishing is the simplest way to break into a castle – er, an organization’s network – and it takes only one person’s lack of attention for the kingdom to be lost. From hackers to scammers to nation-states, attackers love phishing emails for stealing your secrets, your identity, your money, etc., because it’s literally the easiest way to “pwn” you and your candy. They are counting on you not paying attention. The 2019 “Verizon Data Breach Investigations Report” found that more than 90 percent of malware is delivered via email – no surprise at all.
For example, just last week the ransomware gang behind Ryuk sent a phishing email to a victim – and achieved complete domination of the world for Sauron in 5 hours. I mean… they encrypted everything of value across that victim’s network in 5 hours and held it for ransom. Either way, that one user opened the door for them – pretty much like someone inviting a vampire into the home – and the entire organization was toast.
Back in 2016, John Podesta (Hillary Clinton’s campaign chair) received an email from “Google.” The IT team at the campaign confirmed the email was “real” and, to cut a long story short, the password change was initiated from the fake link in the original phishing email – and Mr. Podesta was promptly boiled and eaten by a witch. Well…not exactly…but his account was compromised, which is arguably worse and some blame him to this day for the results of that election. Yikes.
A Scottish publisher sentenced an employee to death by beheading in 2019 for falling for an email scam in which she transferred $260,000 of the company’s money to an impersonator. Actually, she wasn’t really beheaded – but she was sued by her company for the roughly $141,000 that could not be recovered.
So, how do we identify phishing emails? We have a saying in the ISO – “If it feels weird, it is.” Pay attention to your instincts, particularly if an email seems to be urgent or scary – bad guys are counting on you to panic and think with your emotions, not your wits.
The first thing to do is get an overview of the entire message and ask whether it is something relevant to you. Become confident in the validity of the sender and the context for the communication: does the display name match the actual sending address, does the reply go where the sender claims to be, and does the link text match where the link really points? If the email arrived unexpectedly, that alone should raise suspicion.
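To make “if it feels weird, it is” concrete, here is an added example (not code from the original post or from the ISO) that runs the sender and context checks described above over a raw email using only Python’s standard library. It flags a display name that invokes a brand but comes from another domain, Return-Path or Reply-To addresses that point somewhere other than the From domain, failed SPF/DKIM/DMARC results in Authentication-Results, urgency language in the subject or body, and links whose visible text names a different site than the real href (the trick used in the “Google” password-reset lure). The two messages, the domains, and the brand-to-domain table are constructed for this example.

```python
"""Heuristic phishing triage over a raw RFC 5322 message (added example, not the post's own code)."""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Hypothetical brand-to-domain table: mail whose display name invokes a brand
# should come from that brand's domain. Extend it for your own environment.
BRAND_DOMAINS = {"google": "google.com", "microsoft": "microsoft.com", "paypal": "paypal.com"}
URGENCY_WORDS = ("urgent", "immediately", "suspended", "verify your account", "within 24 hours")
FAILED_AUTH = {"fail", "softfail", "permerror", "temperror"}

# Constructed lure modelled on the "Google" password-reset phish described in the post.
SAMPLE_RAW = """\
Return-Path: <bounce@mail-verify-accounts.example>
Authentication-Results: mx.example.edu; spf=fail smtp.mailfrom=mail-verify-accounts.example; dkim=none
From: "Google Accounts" <no-reply@accounts-google-security.example>
Reply-To: <support@mail-verify-accounts.example>
To: <user@example.edu>
Subject: URGENT: Someone has your password - verify your account immediately
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Someone just used your password to sign in.</p>
<p><a href="http://mail-verify-accounts.example/reset">https://myaccount.google.com/security</a></p>
</body></html>
"""

# Constructed benign message: internal sender, passing SPF/DKIM, no urgency, no links.
BENIGN_RAW = """\
Return-Path: <it-helpdesk@example.edu>
Authentication-Results: mx.example.edu; spf=pass smtp.mailfrom=example.edu; dkim=pass header.d=example.edu
From: "IT Helpdesk" <it-helpdesk@example.edu>
To: <user@example.edu>
Subject: Reminder: patch window this Saturday
Content-Type: text/plain; charset="utf-8"

The monthly patch window runs Saturday 02:00-04:00. No action is needed.
"""


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an email address ('' if there is none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def registrable(host: str) -> str:
    """Crude 'last two labels' approximation of the registrable domain."""
    return ".".join(host.lower().split(".")[-2:])


def link_mismatches(html: str) -> list:
    """(visible_text, href) pairs where the text shows a URL on a different site than the href."""
    out = []
    for href, text in re.findall(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S):
        shown = re.search(r"https?://([^/\s<]+)", text)
        real = re.search(r"https?://([^/\s]+)", href)
        if shown and real and registrable(shown.group(1)) != registrable(real.group(1)):
            out.append((text.strip(), href))
    return out


def triage(raw: str) -> list:
    """Return human-readable warnings for one raw message; an empty list means nothing looked weird."""
    msg = message_from_string(raw, policy=policy.default)
    warnings = []

    name, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = domain_of(from_addr)
    # A display name that claims a known brand should come from that brand's domain.
    for brand, expected in BRAND_DOMAINS.items():
        if brand in name.lower() and registrable(from_dom) != expected:
            warnings.append(f"display name '{name}' invokes {brand} but the sender domain is {from_dom}")

    # Bounces and replies routed to a domain other than the visible sender.
    for hdr in ("Return-Path", "Reply-To"):
        _, other = parseaddr(str(msg.get(hdr, "")))
        other_dom = domain_of(other)
        if other_dom and registrable(other_dom) != registrable(from_dom):
            warnings.append(f"{hdr} domain {other_dom} differs from From domain {from_dom}")

    # Authentication-Results written by the receiving mail gateway.
    auth = str(msg.get("Authentication-Results", "")).lower()
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1) in FAILED_AUTH:
            warnings.append(f"Authentication-Results: {mech}={m.group(1)}")

    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body is not None else ""
    text = (str(msg.get("Subject", "")) + " " + re.sub(r"<[^>]+>", " ", content)).lower()
    hits = [w for w in URGENCY_WORDS if w in text]
    if hits:
        warnings.append("urgency language in subject/body: " + ", ".join(hits))

    for shown, href in link_mismatches(content):
        warnings.append(f"link text '{shown}' actually points to {href}")
    return warnings


if __name__ == "__main__":
    for label, raw in (("lure", SAMPLE_RAW), ("benign", BENIGN_RAW)):
        print(f"== {label}: {len(triage(raw))} warning(s)")
        for w in triage(raw):
            print("  -", w)
```

None of these signals is proof on its own (a legitimate newsletter may use a third-party Return-Path, and a real outage notice may say “immediately”), which is why the post’s advice is to treat them as a reason to slow down and verify the sender out of band rather than as an automatic verdict.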