Phishing has no limits. Everyone that uses email to communicate will at some point be the recipient of a phishing email. In the spot a phish series we'll be taking a closer look at some phishing lures to help you mentally prepare for these attacks before they hit your inbox.Content Clues
The first lure is representative of a vast majority of lures that we see. For starters, it capitalizes on the universal language of money. Because this is a mass distributed phish, the threat actor needs to find a commonality among the recipients. For this reason, we see the use of "invoice attachments" employed exhaustively. Lures in all languages utilize this tactic. One would think this practice would get old and at some point become ineffective but it must be producing results for cybercriminals; otherwise, why would they keep it up?
The subject line of this email is "Invoice" and the body indicates that the invoice was requested by the recipient.
Lesson #1 from this lure: Any time you receive an email about an invoice, you should go on high alert.
Example of a phishing lure distributing Locky Ransomware
Wake Up! Spelling, Grammar, and Punctuation Errors
The second very common red flag in an email is found with misspellings and grammatical errors as well as overuse or misuse of capitalization and punctuation. As you can see in this lure, there are several errors, highlighted in red (below).
Spelling, punctuation, and capitalization errors in phishing lure distributing Locky ransomware.
Lesson #2: Pay attention! I know you're in a hurry; everyone is busy but spelling and grammar errors are obvious red flags if you're alert.
Contextual clues in the email can also help identify a phish. You should always ask yourself a few questions:
- Does it make sense that this person is sending me an email?
- Am I expecting an invoice from this company or person?
- Does the sender's email address match the company domain? (this can be misleading since email domains can be easily spoofed but still worth noting)
Lesson #3: Consider the context of the email. This lure containing an invoice is unexpected.
Stop, Think, Hover
Also noteworthy is that the attachment has no name, it's just a bunch of random numbers and letters. Anytime you are about to click on an attachment or a link, you need to be extra cautious.
Lesson #4: Take caution before ever clicking or opening.
Ransomware Ruins Your Day
Another reason this is a very common type of lure is because it's distributing ransomware. This particular one is spreading Locky, one of the first and most resilient ‘mass distribution’ ransomware families. Ransomware will ruin your day in a hurry if you inadvertently click or open and attachment and one of these nasty little scripts run on your machine.
The human firewall is the final defense against ransomware but there are other mitigation techniques which we explore in depth in this recent blog post: How to Identify and Block Ransomware.
The lessons we draw from this email lure include:
- Any time you receive an email requesting money (possibly by including an "invoice") you should go on high alert.
- Spelling, grammar, punctuation errors and misuse of capitalization are all red flags that warrant your attention.
- Consider contextual clues - who is it from, what is it about, is it sent to the appropriate email inbox etc.
- Before opening or clicking on a link, you need to be confident in its legitimacy.
We look forward to sharing more lures and resources as part of our National Cyber Security Awareness campaign. Together, we can all become more #cyberaware. Fill out the form on this page to ensure you receive the resources.