2. Spear phishing emails target
specific individuals, using public
information like their name and
service providers to create a
false narrative.
The aim of these emails is to
manipulate the target into
giving away their confidential
data – usually by clicking a
malicious link or entering their
details into a form on a phony
website.
There’s only so much threat
protection services can do when
a user is tricked into complying
like this, so learning how to spot
a fake email is crucial.
3. 1. Check Email Addresses
The display name might look authentic, but
email addresses are much harder to falsify.
With many companies purchasing their own
domain names, attackers often have to alter
the spelling slightly – in our example you can
see that the domain is missing the letter O,
spelling ‘microsft’ rather than ‘microsoft’.
4. 2. Missing Details
As already mentioned, spear phishers
will use public information on their
target to make their narrative seem
more realistic, but not everything is
available publicly.
If an email, like our example, uses no
personal information other than your
name, ask yourself, what would this
company’s emails usually include?
A username? An account number?
5. 3. Hyperlinks
If an email from an unknown source includes
lots of pushy links or buttons, be wary; they
can often harbour malicious software that
can log your keystrokes or take you to a
convincing website where they can steal
your login details.
Avoiding links altogether is the best practice,
but if it seems to be for an important page
try using a trusted search engine to find it
instead, or hover over the link before clicking
to reveal the URL.
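The address check from slide 3 and the link check above can be automated in a mail filter or triage script. The following is an added example, not part of the original slides: it flags sender domains and link hosts that are near-misses of a trusted domain, such as ‘microsft’ for ‘microsoft’. The trusted list, the function names, the `.com` ending and the sample local part and paths are assumptions made for illustration.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: domains this mailbox genuinely deals with (constructed list).
TRUSTED_DOMAINS = ("microsoft.com",)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # drop ca
                           cur[j - 1] + 1,             # add cb
                           prev[j - 1] + (ca != cb)))  # swap ca for cb
        prev = cur
    return prev[-1]


def classify_domain(domain: str, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike of <domain>' or 'unknown'."""
    domain = domain.lower().rstrip(".")
    # Crude registrable-domain guess: the last two labels (wrong for co.uk etc.).
    base = ".".join(domain.split(".")[-2:])
    for trusted in TRUSTED_DOMAINS:
        if domain == trusted or domain.endswith("." + trusted):
            return "trusted"
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(base, trusted) <= max_distance:
            return f"lookalike of {trusted}"
    return "unknown"


def check_sender(from_header: str) -> str:
    """Judge the address in a From header, ignoring the display name."""
    _display, address = parseaddr(from_header)
    return classify_domain(address.rpartition("@")[2])


def check_link(url: str) -> str:
    """Judge the host a link really points to (what hovering reveals)."""
    return classify_domain(urlsplit(url).hostname or "")


if __name__ == "__main__":
    # Constructed samples; the local part and paths are made up.
    print(check_sender("Microsoft Support <security@microsft.com>"))
    print(check_link("https://login.microsft.com/verify"))
```

A result of "unknown" only means the domain is neither trusted nor a near-miss of a trusted one; it is not a verdict that the message is safe.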
6. 4. Scare tactics
Phishing attackers will typically use fear to
manipulate their targets, as opposed to other
attacks which may offer a reward or service.
The constructed narrative will usually involve a
large payment being owed or an account breach.
This specific example is a more subtle approach;
instead of scaring the target with large fines, it
uses a ‘one-time’ code with a time limit, pushing
the user to click the link quickly in fear of losing
their private message.
7. For more topics and training material visit the Boxphish website.