How To Spot A Phishing Attempt

Jason HeathFeatured, Security Alerts

fishing pole over lake

This past weekend, we learned that Vice President Pence had a personal AOL email account compromised while he was governor of Indiana. You can read the story in the Wired article The Golden Age of Email Hacks Is Only Getting Started. A phishing attack was used to compromise then Governor Pence’s email account. Phishing and whaling (a phishing attempt with a specific high-profile target) are probably the most common ways to compromise an email account. Phishing is an attack in which the person performing the attack is trying to get some sensitive information (such as login credentials) through a deceptive email. We’ve seen a rise in phishing attempts at SBTS this past year. These attempts are far more sophisticated than fake court settlements and Nigerian princes (although those are still very lucrative attacks). These attacks are often disguised as links to sensitive information hidden behind a fake login page. The purpose of this article is to help you spot the phishing attempt before you become a victim.

Does it make sense that you should have received this email?

To spot a phishing attempt, the first step is to ask, “Does it make sense that I received this email?” Were you expecting this email? Imagine you are a part-time Housing employee at SBTS. You receive an email from Dr. Mohler requesting that you review a budget discrepancy with a link to a Google doc. Does it make sense that Dr. Mohler would be sending you this budget discrepancy? Probably not, so it was either legitimate and sent to the wrong person, or else it is a phishing attempt.

In either case, the right thing to do would be to notify the sender of the error, which allows him to either correct the error, or at least raises awareness to the phishing attempt. Unfortunately, the sinful side of our curiosity often gets the best of us, and it is tough to resist the temptation to know that information meant for someone else.

Pay attention to your address bar.

Rarely do we type URLs into the address bar of our web browser anymore. Whether we arrive at a page from a Google search, a tweet, or a link in an email, we are almost always clicking our way toward the content. When you receive an email with a link in it, pay attention to where that link is taking you. Look at the following URL:

https://dl.dropbox.com/google.com/drive/share/234kjh2348fwejkh.doc

The first step is to drop the “http://” or “https://”. It’s not uncommon for a phishing attempt to use a page hosted from dropbox.com or another site that allows you to serve webpages from within their service, so just because the URL starts with “https://” is not a sure sign that it’s a safe link. After dropping the “http://” or “https://”, we have

dl.dropbox.com/google.com/drive/share/234kjh2348fwejkh.doc

Next look for your first forward-slash (“/”), and drop that forward slash and everything after it. In our case, the first forward slash occurs after the “x” in the word “dropbox”. This reduces the URL to

dl.dropbox.com

This should now break down into text separated by periods (pronounced “dots”). Now working backwards, we take the last 2 words with the period in between, and that gives the actual domain. In our example, we now see that the actual domain is

dropbox.com

While the original link included “google.com” in the path, it lead us to a page hosted on “dropbox.com”. We’ve seen this exact example work several times.

Look for other anomalies

In a phishing attempt we saw this semester, someone received an email that appeared as a Google Drive sharing notification, but it linked to a fake Google login page hosted from within Dropbox.

  • Does the page look like the normal page you would see, or are the elements in the page slightly off?
  • If you are already logged into your email in the browser, then why are you being prompted to login to access this file?
  • If you have Two-Factor Authentication turned on for your email account, then why weren’t you prompted for the token or the second factor?
  • If there is any clue that the page you’re on may not be legitimate, close the tab or browser and back out. If you are unsure, you can always forward those emails to campustechnology@sbts.edu and we can check it out for you.

    Lastly, if you are an SBTS student or employee, you can go here https://portal.sbts.edu/phishing and enter your email address, birth date, and employee/student ID number to receive an automated phishing attempt via email from us as practice.