We’ll talk about how to counter phishing threats from messages and calls.

Messages

Despite your security defences and protections on your devices, you’ve received an email or message which is suspicious.

But hang on… first, step back. Instead of relying on your gut reactions and inherent trusting nature to work out suspicious messages, consider all emails and texts unsafe to begin with. Your analysis and instincts still play a part, but they will not be the sole basis for your decision. Phishing emails impair your normal judgement, so it is important to be slow and rational.

Consider these steps when receiving an email, text or message on an app or service.

  1. You’ve received an email, text or message. Be untrusting by default.
  2. There’s no need to rush or panic, no matter the language used and how urgent they make it seem. There’s always enough time to solve the issue. Phishing campaigns try to shock you and rush you into something, without using your full judgement.
  3. Ask yourself why, how and why now? Does the premise and nature (not the content) of the message make sense? Question the purpose of the message. Does it match something you’re doing or something you’re expecting? If it doesn’t, stop and disregard the email, and check with the account directly, not via the email. If it is something that sounds potentially reasonable, do not immediately consider it trustworthy but continue with the following steps.
  4. Disregard the persuasiveness of message content, design, layout, branding, and background information, no matter how convincing. Information included like the last 3 digits of your account number, your postcode or your name, are not enough to guarantee they are trustworthy. Personal details can be gleaned and extracted by a malicious agent prior to their campaign.
  5. If the email address or sender doesn’t look right, do not proceed. If there are typos or mistakes in the message, do not proceed. But even if the email address and sender look safe, and even if the message is free of errors, it does not mean it is safe. Phishing actors are getting more sophisticated, and email addresses and senders can be faked to fool you.
  6. The central point is to check the link, or if there is no link, consider what the message is asking you to do.
  7. Never click on a link when it is for online banking.
  8. You don’t need to click a link to access an account or fix billing issues for services and subscriptions.
  9. The important thing to remember is that you don’t need to click many of the links you receive. You can ignore them, and go to the website yourself and check if there is an issue directly.
  10. A link may be displayed in text as its URL form like "https://account·example·com" or "http://online·example·com" which can give the false impression that they are being transparent and showing you the official and trusted destination. But emails are normally HTML, which means the link text can be anything they like (to make links more friendly), and not the technical destination. The link must be inspected to view its destination.
  11. On desktop computers, you can hover over a link to see its destination. On mobile devices, you can tap and hold on a link to see its destination. This destination is helpful to gauge trust but it is not perfect — it is only the first destination, and may not be the final destination because there may be a series of redirections.
  12. In the URL, if the page is for login or has a form, for your safety it must have a padlock or show "https://", but this is not enough to ensure security. You should not see the padlock and think this is secure. HTTPS provides a secret and encrypted connection to the server in question, but does not guarantee identity and trust — it does not state that the server you are connecting to is the correct one.
  13. When reading the URL by previewing the link or in the URL bar, it should be read backwards in sections from the first slash after "https://" or "http://". The section at the end is the ultimate domain authority in the URL.

    For example, in "https://account·example·com", "example·com" is the domain authority: the site is ultimately hosted and controlled by "example·com". In "https://example·account·com", "account·com" is the domain authority. While they look similar, these are entirely different sites run by completely different entities, and one can be used to masquerade as the other in a phishing attack. The label "account" is a subdomain in "https://account·example·com", representing a server or zone within the authority of "example·com".

    Consider "https://login·facebook·com" and "https://login-facebook·com". The former is on the official Facebook website, the latter is not on "facebook·com" but another domain entirely; it is a domain not owned by Facebook that could be used by a malicious party to fake the Facebook login page. Anyone can register a domain in minutes and get set up with a server to host their site.

    How are you meant to know the URL really corresponds to a particular brand? Take the URL for Metro Bank in the UK: "https://www·metrobankonline·co·uk". URLs and domains are not perfect and often have additional words. This muddies the waters because even legitimate brands are using non-ideal URLs. How is a user meant to know the URL is official just by reading it? Someone who is not Metro Bank might obtain "metrobank·co·uk", and by appearance this looks official.

    And how is someone who hasn’t encountered the brand yet meant to know the URL is trustworthy when they haven’t seen it before? URLs rely on the user having seen them before to establish identity and trust.

    Given these issues, it’s extremely difficult to read URLs and evaluate them for trust, and since the URL is the cornerstone of website identity and trust, it can be challenging to protect yourself from phishing.
  14. Take a final reckoning and appraisal of the situation. If it doesn’t sit right with you, if something’s off, if it sounds too good to be true, it probably is. If it feels wrong and unsafe, do not proceed.
  15. You don’t have to work it out alone. You can ask a colleague, friend, IT or family for help determining safety of a message. You should do this in person rather than sending the message, link or screenshot. And read on for more robust trust solutions from us.
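As an added example (not Epi's code or tooling), the following Python script puts steps 10 to 13 into practice: it pulls every link out of an HTML email body, compares the visible link text with the real destination, checks for HTTPS, and reads each host backwards to find its domain authority, treating "co.uk"-style public suffixes as a single unit so that "www.metrobankonline.co.uk" resolves to "metrobankonline.co.uk". The email body is constructed for the demonstration, the suffix table is a tiny stub standing in for the real Public Suffix List, and the URLs are written with ordinary dots rather than the defanged "·" used in the text above.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed, deliberately short table of multi-label public suffixes. Browsers
# use the full Public Suffix List (publicsuffix.org), which has thousands of
# entries; this stub covers only the cases discussed on the page.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "gov.uk"}


def registrable_domain(host):
    """Return the 'domain authority' of a host, read backwards from the end.

    login.facebook.com        -> facebook.com
    login-facebook.com        -> login-facebook.com  (a different authority)
    www.metrobankonline.co.uk -> metrobankonline.co.uk  (co.uk is a public suffix)
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def assess_link(href, visible_text, expected_domain):
    """Return a list of reasons not to trust this link (empty means none found)."""
    findings = []
    parts = urlsplit(href)
    host = parts.hostname or ""
    if parts.scheme != "https":
        findings.append("not https")
    actual = registrable_domain(host)
    if actual != expected_domain.lower():
        findings.append(f"destination authority is {actual}, not {expected_domain}")
    # Link text that looks like a URL but whose authority differs from the real href
    # (the HTML trick described in step 10).
    shown_host = urlsplit(visible_text).hostname if "://" in visible_text else None
    if shown_host and registrable_domain(shown_host) != actual:
        findings.append(f"link text shows {shown_host} but the link goes to {host}")
    return findings


def assess_email(html_body, expected_domain):
    """Return [(href, findings), ...] for every anchor in the body."""
    collector = LinkCollector()
    collector.feed(html_body)
    return [(href, assess_link(href, text, expected_domain))
            for href, text in collector.links]


# Constructed sample email body; none of these links were taken from a real message.
SAMPLE_EMAIL = """
<p>Unusual sign-in detected. Confirm your account within 24 hours.</p>
<p><a href="https://login-facebook.com/verify">https://login.facebook.com/verify</a></p>
<p><a href="http://example.account.com/login">Review activity</a></p>
<p><a href="https://www.facebook.com/help">Help centre</a></p>
"""

if __name__ == "__main__":
    for href, findings in assess_email(SAMPLE_EMAIL, "facebook.com"):
        print(href, "->", findings or "no issues found")
```

The check mirrors what a careful reader does by hand: only the first destination in the message is inspected, so a clean result here says nothing about where a redirect chain might end up, and an expected domain still has to come from somewhere the reader already trusts.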

Password Resets and Confirmation Links

  • When you have initiated a password reset for a service, you will often receive a link in your email inbox to confirm you use that email address. You can have reasonable confidence in a password reset email if you asked for it, it arrived immediately, and you initiated the password reset from the official service and not from another email. We say “reasonable” because it is not a complete phishing defence: it is still possible to be phished if the origin is not safe or the destination is not checked.
  • If you are logging in to the official service (you arrived there with trust) and it sends you a “magic link” or confirmation link, you can reasonably trust the link if it is sent immediately in response to your actions. Often these emails include a code as well as a link, so you can enter the code on the website rather than clicking the link. We say “reasonably” because it is not a complete phishing defence: it is still possible to be phished if the origin is not safe or the destination is not checked.
  • It is currently difficult to know if you’re on the official website when you initiate actions, and sophisticated phishing campaigns will time emails in response to your actions via luck or intelligence. It is critical to know you’re on a trusted website to begin with, and it is still important to know a link is official and where it is taking you.

Reflections

Legitimate company emails often use poor URLs for their marketing campaigns and don’t use their canonical address. This makes separating the wheat from the chaff even harder.

When reading a URL, even if you know the expected URL, there are IDN homograph attacks, which use letters from non-Latin alphabets such as Cyrillic and Greek that look identical to their A-Z Latin equivalents. Some platforms display these in their technical form (Punycode), but not in all cases.
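To make the homograph problem concrete, here is an added Python example (not part of the original post) that does what a platform with Punycode display does: it converts a host name as shown to the reader into its technical "xn--" form using Python's built-in idna codec, and flags any label that mixes alphabets, which is the usual tell for a look-alike domain. The sample hosts are constructed; the second one replaces the Latin "a" with Cyrillic small a (U+0430).

```python
import unicodedata


def label_scripts(label):
    """Scripts used by the letters of one DNS label, taken from the Unicode
    character names ('CYRILLIC SMALL LETTER A' -> 'CYRILLIC'). Digits and
    hyphens are script-neutral and are ignored."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def is_mixed_script(label):
    """True when a single label mixes alphabets, the classic homograph signal."""
    return len(label_scripts(label)) > 1


def to_ascii_host(host):
    """The technical (Punycode, 'xn--') form a platform would show for a host;
    an all-ASCII host comes back unchanged."""
    return host.encode("idna").decode("ascii")


def homograph_report(host):
    """Summarise what a careful reader would want to know before trusting a host."""
    return {
        "displayed": host,
        "ascii_form": to_ascii_host(host),
        "contains_non_ascii": any(ord(ch) > 127 for ch in host),
        "mixed_script_labels": [label for label in host.split(".") if is_mixed_script(label)],
    }


# Constructed examples: the second uses Cyrillic small a (U+0430) in place of Latin 'a',
# which renders identically in most fonts.
SAMPLES = ["login.facebook.com", "\u0430pple.com"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(homograph_report(sample))
```

A host whose ASCII form differs from what is displayed, or that mixes scripts within one label, deserves the same treatment as any other untrusted link. Note the limits: a look-alike built entirely from one non-Latin alphabet has no mixed label to flag, so the Punycode form is the signal to rely on there, and genuine international domains will legitimately contain non-ASCII letters.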

You cannot inspect the final destination URL in a message. You do not know ahead of time where it will redirect to. There is no secure way to check a link or webpage is trusted — privacy-preserving link checking tools are not prevalent.

URLs are difficult to read for humans. It’s hard to work out if they’re safe and it’s hard for us to link them to brands.

At Epi, we’re here to change web trust for good. We have tools and services that launch you to official websites, protect you when clicking a link and when you’re on a webpage, so you can be confident that you’re on a trusted and authentic website, and that you’re on the official website for the brand intended. Our trust-first platform is built with true privacy and security at the heart.

Calls

When receiving a call, be slow, methodical and rational in your approach.

  1. You’re being called. You may see the number or name with Caller ID, but it does not matter what is displayed. Names and numbers can be faked by malicious callers.
  2. Don’t believe they are who they say they are. They may sound friendly and professional. They may purport to be a representative from the organisation in question, potentially even masquerading as a fraud team, making it sound like they’re on your side and trying to help you.
  3. No organisation needs your password or secret details, no matter the authority. Even if it’s a bank, the police, council or government. Official authorities will never ask and do not need your sensitive personal details.
  4. If you’re not expecting the call, hang up. Malicious parties can attempt to hold the line open, so make sure the line is clear by hearing the dialling tone and calling an innocuous number like 123 (time service in the UK) or 1471 (last caller for those in the UK). After some time, you can call the organisation yourself.