Key questions to detect phishing
There are some questions journalists should ask themselves when they receive a message.
Are you expecting that message?
Nobody expects a phishing email. You should always be suspicious if a sender contacts you when you were not expecting their message.
The adversary only succeeds if you do something: for example, if you enter your password on a fake website or transfer money to the wrong bank account. To get you to take such an action, adversaries may manipulate your emotions so that you act irrationally.
What could that look like? A few examples:
- Fear: An adversary tries to make you believe that your account has been hacked and that you have to react immediately to reduce harm. You may then panic and not realise that it was a fake website that made you reset your password.
- Success: You wrote a great story and someone congratulates you on it. They promise to show you details of a new job offer in order to make you click on a malicious link or open a malicious attachment.
- Friendship: You receive a message that claims to be from a close friend and refers to things you recently did together. In reality, the sender is an adversary who checked your public profile on social media and therefore knows who your friends are.
Especially with emails, an adversary can choose a display name that completely differs from the email address. For example, the display name "Reporters Without Borders" can easily be added to the email address firstname.lastname@example.org. Always check the email address for accuracy, and be aware that even the email address can be forged by adversaries.
Often, an adversary makes spelling mistakes. This can be in the message itself or in the addresses. For example, an adversary could use email@example.com instead of firstname.lastname@example.org. You don’t see the difference? The first address says ‘r n a d r i d’ instead of ‘m a d r i d’.
Often, adversaries create links that seem to lead to the real website but are in fact malicious. For example, https://google.com.adversary.com/help/journalists/password-stolen does not point to google.com, but to adversary.com. Adversaries sometimes also try to hide the true destination of links in HTML emails. To find out the true destination, you can hover the mouse cursor over the link, or right-click on the link, select "copy link address" and paste it into a text editor. If you have to click on a link, look at it very carefully before clicking. You should practise this in the phishing quizzes.
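The check described above can also be done programmatically. The following is an added example, not part of the original page: it lists the real host behind every link in an HTML email body and warns when an expected name only appears inside a different host, or when the visible link text names a different host than the link itself. `EXPECTED_DOMAINS`, the function names and the sample email are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
# Domains the reader expects mail from (assumption for this example).
EXPECTED_DOMAINS = {"google.com"}

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Hostname the browser would contact, lower-cased; '' if none."""
    return (urlsplit(url.strip()).hostname or "").lower()

def under(host, domain):
    """True only if host is the domain itself or a real subdomain of it."""
    return host == domain or host.endswith("." + domain)

def review_links(html):
    """Return (true_host, warnings) for each link in an HTML email body."""
    parser = LinkCollector()
    parser.feed(html)
    report = []
    for href, text in parser.links:
        host = host_of(href)
        # An expected name inside the host does not mean the host belongs to it.
        warnings = [f"'{d}' appears in the host, but the link goes elsewhere"
                    for d in sorted(EXPECTED_DOMAINS) if d in host and not under(host, d)]
        shown = host_of(text) if "://" in text else ""
        if shown and shown != host:
            warnings.append(f"text shows {shown}, link goes to {host}")
        report.append((host, warnings))
    return report

# Constructed sample email body; the first URL is the example from the text.
SAMPLE = ('<a href="https://google.com.adversary.com/help/journalists/password-stolen">Reset</a>'
    '<a href="https://adversary.com/login">https://accounts.google.com/</a>'
    '<a href="https://accounts.google.com/">Sign in</a>')
```

Calling `review_links(SAMPLE)` flags the first two links and leaves the genuine accounts.google.com link without warnings. A link that passes this check is not thereby proven safe; the check only catches the two tricks named in the paragraph above.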
Adversaries can hide malware in an attachment. Just opening a malicious attachment can be the end of the game. You should never open an attachment if you are not 100 percent sure that it is legitimate.
The best way to detect phishing messages is to practise regularly. There are some quizzes out there that can help you, e.g.
● by Google
● by OpenDNS
● by SonicWall