These are some notes related to my phishing workshop at the Milton Keynes Cryptoparty on 1 November.
This is the phishing handout I created for the workshop. You can also download a prettier version as a Google Document.
What is phishing?
A cyber-attack on your brain. It's a malicious message designed to fool you into handing over your credentials by directing you to a look-alike website.
How it works
Phishing attacks often pretend to be:
- Urgent technical support
- An important message from your bank, credit card company or HMRC
- Lottery winning
- "Your account is in violation"
They're designed to make you panic and act quickly, without thinking.
The link in the email will take you to a spoof site, where you enter your account details and password. The scammer then steals your money or your identity.
Spear phishing is worse, as the message may contain your name and email address. It may also appear to come from a friend.
How to spot a suspicious web address (URL)
Hostnames are like snail-mail addresses: the most specific part comes first, so you need to read them from right to left.
Spoof sites can put a genuine-looking name at the front of the address.
Beware of look-alike misspellings.
Can you tell the difference between PayPal.com, PayPaI.com, and PayPal.com?
The first one is the genuine PayPal.com. The second one is PayPaI.com, using a capital I instead of a lower-case l. The third uses a Cyrillic (Russian) a instead of a Latin-alphabet a.
How to defeat phishing
Think critically: expect messages to be attacks
Legitimate sites won't ask for credentials via email. If you're not expecting a message, think more. Look for bad spelling and grammar, images that are off, and so on.
You're not too small to be a target
Cyber-criminals like going for individuals and small businesses: they often have less security than large companies. Cybercrime is often about volume of attacks and hoping some get lucky.
Check the web address (URL)
Skip the https:// at the start, then look for the first / character in the address. The text immediately to the left of that / is the domain. If the address has an @ character or lots of numbers in it, be suspicious.
Some phishing sites will turn off the address bar. That alone should make you very suspicious.
Use a spam filter
They will block a lot of phishing email.
Use a password manager
It won't suggest a password if you're not at the genuine site.
Use a different password for each site. Change passwords if you think you've been a victim.
Turn on two-factor authentication
Even if you hand over your password, the attacker still needs the second factor to get in.
If you're suspicious, change your password.
Don't view images in email. Be wary of links.
Some phishing emails use scripts embedded in rich-text messages to make attacks harder to spot.
Links will often go to look-alike sites. Go to the site directly (browser history will help).
Downloading images tells spammers the message has been read.
Use site-specific email addresses
In Gmail and Outlook, use a plus sign after your address: firstname.lastname@example.org. All these messages will still go into your main email@example.com inbox. Use a different tag for each site.
Then, when you get an email to firstname.lastname@example.org that says it's from your bank, you know it's almost certainly a phishing attack.
(You can set up filtering rules for these addresses if one address gets a lot of spam.)
How good are you at spotting phishing emails? A fun way to find out is to try some online quizzes. Here are a couple I found that are quite fun.
- The OpenDNS phishing quiz
- A phishing quiz from Kaspersky (with reference to spotting "Black Friday" shopping deals)
Phishing.org is a great site for all things phishing. Well worth a look around.
The National Cyber Security Centre has some good advice for people looking to improve their organisation's anti-phishing resilience.
Cover image by Lance Anderson