
Strange domain names, sentences full of errors, unusual requests: phishing crooks always leave clues which, if we spot them, keep us from falling into the trap.
Email remains one of the most widely used vectors for phishing scams, in which the user is led to reveal personal data: addresses, passwords, bank card numbers, etc.
Of course, all mail providers have detection technologies, but some mailings still manage to slip past them. We must therefore stay on our guard. Here are some tips to avoid being fooled.
Inspect email addresses and hyperlinks
It is a reflex you must always have. Email software does not necessarily display the sender’s actual email address, but a display name (alias) that hackers can set to whatever they like, and which can be misleading.
In the example below, the hacker impersonates Société Générale. The alias is “Banque Service”, but the real address is “contact@bouchezenergie.fr”, a domain that is different from Société Générale’s. So it is a scam.

Likewise, you should always inspect any hyperlinks in the body of the email. If the domain does not match that of the brand being represented, there is a problem. Knowing the URLs of the sites you visit frequently is obviously an advantage.
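To make the two checks above concrete, here is an added example (not from the article) that parses a constructed message modelled on the Société Générale case: it compares the sender’s real address with the claimed brand domain, collects every link in the HTML body, and also flags links whose visible text shows one site while the href points elsewhere. The brand domain (“societegenerale.fr”), the message and the link targets are all assumptions.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample modelled on the article's example; not a real message.
RAW_MESSAGE = b"""From: "Banque Service" <contact@bouchezenergie.fr>
Content-Type: text/html; charset=utf-8

<html><body><p>Connectez-vous : <a href="https://secure.bouchezenergie.fr/login">
https://particuliers.societegenerale.fr</a></p><p>Aide : <a href="https://particuliers.societegenerale.fr/aide">aide</a></p></body></html>
"""
class LinkCollector(HTMLParser):
    # Collect every <a href> together with the text the reader actually sees.
    def __init__(self):
        super().__init__()
        self.links, self._open = [], False
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.links.append([href, ""])
            self._open = True
    def handle_data(self, data):
        if self._open:
            self.links[-1][1] += data
    def handle_endtag(self, tag):
        if tag == "a":
            self._open = False
def registrable(host):
    # Last two labels only; a production check would consult the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def audit(raw, claimed_domain):
    """List the mismatches a reader should notice in a mail claiming to come from claimed_domain."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    display, addr = parseaddr(str(msg["From"]))
    findings = []
    if registrable(addr.rpartition("@")[2]) != claimed_domain:
        findings.append(f'alias "{display}" hides sender {addr}')
    body = msg.get_body(preferencelist=("html",))
    collector = LinkCollector()
    collector.feed(body.get_content() if body else "")
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        if registrable(host) != claimed_domain:
            findings.append(f"link target {host} is not on {claimed_domain}")
        shown = urlparse(text.strip()).hostname  # anchor text that merely looks like a URL
        if shown and shown != host:
            findings.append(f"link shows {shown} but goes to {host}")
    return findings
```

Running `audit(RAW_MESSAGE, "societegenerale.fr")` reports the hidden sender, the link that leaves the brand’s domain, and the link whose visible text does not match its target.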
Beware of look-alikes
Checking domain names is good, but you still have to be meticulous. To deceive users, hackers often use names that look very much like the real one but are not quite identical, for example “societegenerole.com” instead of “societegenerale.com”, or “facebok.com” instead of “facebook.com”.
Some crooks go further and use Greek or Cyrillic characters, for example “www.ıĸea.com” instead of “www.ikea.com”, or “www.airfrḁnce.com” instead of “www.airfrance.com”. Can you see the difference? If necessary, do not hesitate to take out a magnifying glass!
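As an added example, not part of the article, the following Python flags both kinds of look-alike described in this section: it collapses accents and a small constructed table of look-alike letters onto plain ASCII, compares the result with a list of trusted brand domains by edit distance, and shows the “xn--” form under which a browser or proxy log would record a non-ASCII name. The trusted list and the confusables table are assumptions and far smaller than the real Unicode confusables data.

```python
import unicodedata

# Constructed, deliberately small subset of the Unicode confusables data (the real table is huge).
CONFUSABLES = {"\u0131": "i", "\u0138": "k",                               # dotless i, kra (Latin)
               "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic a, ie, o, er
               "\u03bf": "o"}                                               # Greek omicron
# Assumed list of brands the reader actually deals with.
TRUSTED = ["societegenerale.com", "facebook.com", "ikea.com", "airfrance.com"]

def strip_www(host):
    host = host.lower().strip(".")
    return host[4:] if host.startswith("www.") else host

def skeleton(host):
    """Collapse accents and look-alike letters onto plain ASCII for comparison."""
    out = []
    for ch in unicodedata.normalize("NFKD", strip_www(host)):
        if unicodedata.combining(ch):
            continue                      # drops the ring under the "a" of airfrḁnce
        out.append(CONFUSABLES.get(ch, ch))
    return "".join(out)

def idna_form(host):
    """The xn-- form a browser or proxy log records for a non-ASCII host name."""
    return ".".join(lab if lab.isascii() else "xn--" + lab.encode("punycode").decode("ascii")
                    for lab in host.lower().split("."))

def levenshtein(a, b):
    """Edit distance: catches one-letter typosquats such as facebok.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(host, trusted=TRUSTED, max_dist=2):
    """Return (verdict, brand): 'trusted', 'homoglyph', 'typosquat' or 'unknown'."""
    raw, skel = strip_www(host), skeleton(host)
    if raw in trusted:
        return "trusted", raw
    for brand in trusted:
        if levenshtein(skel, brand) <= max_dist:
            return ("homoglyph" if skel != raw else "typosquat"), brand
    return "unknown", None
```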
Be wary and calm
“The two most used psychological levers in phishing are trust and urgency,” Thomas Kerjean, CEO of MailInBlack, a vendor of email security solutions, tells us.
In the example below, the message refers to a well-known and therefore trusted brand. It prompts the user to log in quickly if they do not want their password to expire. When you receive this type of message, you should never hurry: take a deep breath and take a step back.
The gift, of course, is another great classic. Even though it is often quite crude, it still works. But as we all know, nothing is ever free.
Keep your common sense
Some odd details should raise a flag. In the Société Générale impersonation example (see above), it is very unlikely that a client would receive a message from the board of directors.
Likewise, the “tresor-public.com” address cannot under any circumstances be the tax site, because of the commercial “.com” extension. The real address ends in “finances.gouv.fr”.
A sales message full of spelling mistakes should also put you on alert, as this hardly ever happens. Likewise, delete straight away any message whose content arrives as a picture: serious senders use text. And if in doubt, do not hesitate to ask a third party for an outside opinion.
Respect these few prohibitions
“Never press a button in an email,” advises Sébastien Gest, consultant at VadeSecure, another French e-mail security vendor.
Serious vendors and providers will never ask you to log in directly from an email, but will encourage you to do so from your browser. Nor will they ever ask you to enter personal data in an e-mail.

If you receive attachments, only open PDFs, never Word documents or ZIP archives, unless you are sure they are legitimate: these file types can launch malware when opened. In general, only open files that you are expecting. Any attachment out of the ordinary should be ruled out.
Use verification services
The email you received prompts you to click on a link that you believe is legitimate, but you are not sure? Some free online services can help you find out more. On isitphishing.org, simply copy and paste a URL into the main field and the site will tell you whether it is a scam. On phishtank.com, the principle is much the same, but with a less attractive interface.


However, we prefer the latter site, because it seems to us more up to date than the first. In a few quick tests, we found that some booby-trapped sites listed on phishtank.com were not on isitphishing.org.
Whatever service you use, remember that if a site has not been detected as malicious, that does not mean it is not. On the other hand, if the service tells you that it is malicious, you can trust it. Unfortunately, these checks do not work with shortened URLs.
Train yourself
Produced by the French vendor Vade Secure, the Phishing-IQ-Test.com site offers a fun way to practise recognizing phishing emails using real examples. The user sees around ten e-mails scroll past and has ten seconds each time to give a verdict.

The only snag is that you have to give a name and an e-mail address before starting the game, which has the effect of populating a commercial database. But nothing stops you from entering made-up details …