How Not To Get Phished: It Is the Message Not the Medium

Roger Grimes KnowBe4Back in the early 1990s, when I was first getting into the IT field as a full-time network administrator, I was tasked with writing up our corporation’s new email policy. Email was just coming on as a mainstream tool and users were beginning to use it as a regular, integrated part of their lives. There was much debate over whether users would be able to send any personal emails using their employer’s email systems without getting in trouble. It seems funny that this was a big deal back then, but it was. There were users sending inappropriate emails, such as sexist and racist jokes, ads selling products or services for side jobs, etc., that management absolutely wanted to clamp down on.

With that in mind, I was tasked with writing my first corporate email policy concerning what was and was not appropriate. After the first draft was reviewed by senior management, the CEO added a note saying, “Make sure to state that sexual harassment by email is forbidden.” While I agreed with that sentiment, I laughed in my head at the time because I wondered why the special callout concerning email was needed. Sexual harassment was already illegal in U.S. workplaces, period, no matter what the medium. It was not like sexually harassing someone via fax or text messaging was allowed either. The problem is the message, not the medium.

Same thing applies with social engineering and phishing. It is the message and not the medium.

More and more, we are seeing social engineering occurring in other ways beyond traditional email and website phishing. Today, we all are exposed to scams via voice calls, text messaging and social media. And crooks are getting adept at using people’s compromised accounts to send bogus spear phishing messages to that victim’s otherwise trusting friends and business partners. Telling someone to just avoid emails from strange-looking email addresses and names is simply not enough to defeat phishing these days.

So, if social engineering and phishing come at a user a bunch of different ways, how can you teach them to avoid scams?

It is message and not the medium.

5 Signs of a Phishing Attack No Matter the Medium

Here are the five signs anyone can look for to determine if a message is possibly a social engineering scam, no matter what the medium:

  • Message is unexpected
  • Sender is asking you to do something you have never done before
  • What you are being asked to do could be harmful to yourself or organization
  • Implies action must be done immediately to prevent a negative outcome
  • For online mediums, contains a file attachment or URL link

If the first three signs are noticed, the receiver should begin to treat the message as possibly suspicious. There are phishing messages that do not contain all of these signs and legitimate messages that contain all of them. But if a message contains at least three of these attributes, then the receiver should be on higher alert that what they are being asked to do could be harmful to their interests.

Let’s cover the signs a bit more.

Message Is Unexpected

The receiver was not expecting the email, message or call. It came out of the blue and surprised them. This does not cover all phishing attacks, as some sophisticated scammers use existing, ongoing transactions, in their scams. A common example of this is mortgage escrow fraud. In these scams, buyers of real estate who are taking out a loan are often required to make an “escrow” down payment as a requirement to get a mortgage loan and close the real estate transaction. Attackers are known for exploiting escrow agents’ computers, locating in-process real estate transactions which involve escrow payments, and then sending emails to the buyers with fraudulent wiring instructions for the escrow payment. The buyers send the down payment to the wrong bank. It usually takes many hours to days for someone else to realize the required payment was not made to the correct bank and that a crime has happened. But the vast majority of social engineering attacks are regarding subjects the potential victims were not expecting at all.

Sender is Asking You to do Something You Have Never Done Before

Most social engineering scams ask the potential victims to do something they have never done before, particularly for the claimed sender. Examples include:

  • Pay an unexpected invoice
  • Allow “Microsoft” to log into their computer to resolve a computer virus problem
  • Verify a fraudulent login report
  • Buy a money voucher to pay a bill
  • Reschedule a missed delivery
  • Send money or identity details to claim a prize or monetary award
  • Call Amazon to resolve a payment
  • Send payment to keep a relative out of jail
  • Send money to prevent recorded webcam video from being publicly released, and so on

Again, not all scam messages are completely original or asking the potential victim to do something they have never done before. We probably all received unexpected bills, as an example. But even in those cases, we usually know what the legitimate ones are in reference to – we just either forgot or did not realize that a charge was involved. But we recognize the event it involves. With scams, we get a request that is totally out of the blue and we do not recognize any of the related details, other than maybe the claimed vendor brand name. And if that claimed vendor is asking you to do something they have never asked you to do before, such as FedEx sending you an email asking you to reschedule a delivery when the delivery driver also did not leave a “missed delivery” note on your door, then there is a good chance it is a fake request.

What you are Being Asked to do Could be Harmful to Yourself or Organization

Normally phishers are trying to get one of two things. Either they want you to disclose unauthorized information, often login information. But it can be personal identity information such as bank account information, social security numbers, credit card information, W-2 info, etc. Or they want you to click on a link and either sends you to a rogue website or starts to initiate a file download. The link or the file download contains content which then executes a malicious trojan horse program. In either case, what you are being asked to do could be harmful to your personal position or the organization that employs you, if the request is malicious.

Implies Action Must be Done Immediately to Prevent a Negative Outcome

Most phishing scams include “stressor events” where the victim is being told that they need to do something immediately or risk losing money, access, profit, a business deal or even someone’s health or life. The scammer is trying to appeal to someone’s “fight or flight” impulses. People emotionally motivated and in fear of losing something are more likely to perform a requested action than those who are told to take their time. Sometimes, the “negative” outcome is that the potential victim will lose out on potential profitability. Some scams appeal to people’s greed or want to get rich quickly desires. Rarely will you see a vendor claiming that not responding immediately will result in a very harmful outcome. A real vendor may say that you need to respond quickly to avoid missing out on a sale. That is normal. But they do not imply that not responding soon means you will lose all access to your account forever or lose out on tens of thousands of dollars.

For Online Mediums, Contains a File Attachment or URL Link

For phishing scams done in email, via text, social media or on social engineering sites, usually the scam will include a rogue URL or file attachment. And the desired malicious action is to induce the potential victim into clicking on the link or downloading the file. But not all phishing scams include links or file attachments. Some only include phone numbers, which if called, will take the victim to a phony branded calling center or voice mail. In any case, the scam always includes a “next step” that the potential victim needs to take now or risk some proposed negative consequences. In emails and on websites, included URL links can be investigated further (or “hovered over”) to see if the links connect back to the legitimate owned domains of the claimed requestor or brand. But any request containing two or more of the above high-risk attributes that also contain a file attachment or link, adds to the potential riskiness that the request could be malicious.

Not every rogue request has three or more of these signs. And some legitimate requests have all of these signs. The idea is that any request, legitimate or not, that has three or more of these signs is a high-risk event and the potential victim needs to spend extra time assessing if the request is bogus or not before complying.

Solution: Stop. Think. Verify.

Whenever anyone gets a message containing three or more of the signs above, they should immediately stop, think and externally verify if the request is being demanded by the legitimate vendor or requestor. This can mean calling the requestor or company on a known good phone number. Never call the sender on any phone numbers listed in the message. Never click on any included links. Instead, go to the brand’s main website, log in (if it applies) and see if the vendor’s website is still requesting that you do something. If a vendor sends you an unexpected message indicating that some action needs to be urgently done, then usually, you will see the same urgent, legitimate message when you log in.

There could be times where even after doing some quick investigating, a user will not be able to determine if a requested action is legitimate or not. If this happens, the user should not do the requested action. Instead, they should continue to try and confirm one way or another if the message is legit or not. Often, they should invite more knowledgeable experts to take a look at the message to see if they can see clues as to whether the request is bogus or not.

For email and text messages, advanced users can look at email message headers and click on links on safe forensic computers designed for forensic investigations. If you are interested in learning how to do this, consider watching my related webinars.

And if no one can determine whether the request is legit or not, in most cases, the user should do nothing. It is really up to the user as to whether they should do the requested action or not. It is a personal or organization risk decision. But in most cases, if it is a legitimate request, the requestor will be back in contact again, perhaps even using another medium. Most social engineering and phishing scams are one-time events, at least for that particular type of scam.

Download this graphic

Share this graphic below with your co-workers, family members and friends. Download the graphic to print here


Free Phishing Security Test

Would your users fall for convincing phishing attacks? Take the first step now and find out before bad actors do. Plus, see how you stack up against your peers with phishing Industry Benchmarks. The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.

PST ResultsHere's how it works:

  • Immediately start your test for up to 100 users (no need to talk to anyone)
  • Select from 20+ languages and customize the phishing test template based on your environment
  • Choose the landing page your users see after they click
  • Show users which red flags they missed, or a 404 page
  • Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
  • See how your organization compares to others in your industry

Go Phishing Now!

PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:

Subscribe to Our Blog

Comprehensive Anti-Phishing Guide

Get the latest about social engineering

Subscribe to CyberheistNews