Trick-or-Treat: Security Awareness Edition - Phishing

🎃 Trick-Or-Treat: Security Awareness Edition - Phishing 🎃

Hello again, Gabriela from CYBR here ! With Halloween just around the corner, we've decided to celebrate Security Awareness Month and the spookiest season with a twist on a little well-known tradition at this time of year. The answer is at the end, but try your best not to peak before making it through the scenario!

📨 New Sign-In Detected ? Phishing Email Trick Or Is This Warning A Treat ?

You've woken up, gotten ready and had your morning coffee, or maybe it was tea. Now you're at work, and like every morning before this one, you're scrolling through an inbox filled with emails. Suddenly you notice that one that stands out from the crowd. This email appears to have come from Microsoft, with the title "NEW SIGN-IN DETECTED". You feel confused and a bit alarmed because you've been using the same computer for over a year and haven't signed in with any new devices recently (or did you?)

Abandoning the notion that "curiosity killed the cat", your intrigue gets the best of you, so you click to open the email. The message inside explains that your account has recently been signed in at an unfamiliar location, using a device you have no prior recollection of. You feel your heart drop into your stomach -- what's going on? How could this happen to me? (Especially on a day which had begun all too mundane)

You scroll a little further only to realize that you've got options. If you did sign in from a new device or location, you can gladly ignore the message and get back to your goal of "inbox zero", but this isn't your fate (at least not today). Your eyes fall upon a magic button placed within the email for those who don't recognize the sign-in. You're just one click and a series of verification questions away from your account being secure again!

It's your lucky day...

or is it?

How to tell if an email is a potential phishing threat!

What you need to do in this case is stop and make a few observations. We haven't looked at enough information to know whether or not it is safe to click anything within the email. I'll give you a couple tips that you can use to find out if this email and others like it are a nasty phishing trick or a treat to get your account back under control.

1. Did you verify that the email address belongs to the organization it appears to be coming from ?

✅ YES ! (Good Job) ❌ NO! (Check the sender's email address)

With some email service providers (such as Gmail), hovering your mouse over the sender's name/email address prompts a pop-up showing the sender's full email address. If your email provider doesn't offer the hover feature, you should still be able to see the sender's full email address and verify its legitimacy. Also, look out for generic public email domains like Gmail, Hotmail, Yahoo..etc.It is highly unlikely that a professional company will use a generic email address for official communications.

2. Don't Click Anything! Did you verify the link /button URL source ?

✅ YES ! (Good Job) ❌ NO! (Please verify the link/button URL source)

Please do not click the link or button. You can discover the URL source by letting your pointer hover over the link. Doing this will give you more information than whatever text is visible to your eyes. Remember that a hacker will try to deceive you with whatever you can see on the page. Verify that the URL leads to a website the organization would be expected to use. In our example -- the link should take you to a "Microsoft.com" URL.

3. Watch out for typos and punctuation errors ! Did you check for these errors in the email address, title or email body text ?

✅ YES ! (Good Job) ❌ NO! (Please look carefully for typos in the email address, the email title and the text within the email)

Phishing email templates sent out by attackers are often auto-generated, because of this, typos and punctuation errors are common traits in most phishing emails.

4. Don't open any attachments !

If the email is in fact a phishing email, any attachments included could be malicious and prompt the download and installation of malware/ransomware etc. There have even been examples where the sender appears to be a potential job seeker. Unfortunately, when the receiver clicked the attachment ( CV in "PDF" format ) .. malicious downloads were triggered. Be very careful and as a general rule, if you do not know that you can fully trust the email's sender, do not open attachments.

5. Be suspicious about a sense of urgency !

Most phishing emails and social engineering threats have this in common. The attacker often creates a sense of urgency, increasing your likelihood of acting before thinking clearly.

Phishing Email Trick-Or-Treat Answer

While this scenario was just for fun and there isn't a real answer, there is some good news! You now have a couple things to keep in mind the next time you're scrolling through your inbox. Use the checklist above if you're ever unsure whether an email you've received could be a hacker's tricky way of gaining access to your data.

Until next time !

👻 Happy Halloween and Security Awareness Month 👻 Feel free to share this with your friends and colleagues to see how they would have voted -- Trick Or Treat! If you're in the mood to be spooked, discover the new face of the classic callback scam (Callback Phishing) or check out just how easy it is for hackers to guess your password.