Phishing Detection: Identifying Phishing Emails and Websites

What Is Phishing Detection? 

Phishing is a form of cyberattack where attackers attempt to trick individuals into revealing sensitive information, such as login credentials or financial details, by impersonating a trustworthy entity via electronic communication, typically email. The attacker often manipulates the victim’s emotions or uses a sense of urgency to achieve their goals.

Phishing detection is the process of identifying phishing attacks in their early stages, warning users and administrators, and ideally, mitigating the threat. Phishing detection is constantly evolving, as attackers develop new tactics and techniques. To be effective, phishing detection measures must be regularly updated and maintained, and both security teams and individual employees must remain vigilant in their efforts to identify and prevent phishing attempts.

Phishing vs. Malware vs. ATO vs. BEC

There are important differences between phishing and other cyberattacks:

• Malware (malicious software), referring to any software designed to cause harm to a computer, server, or network, including viruses, ransomware, and spyware. Phishing can be used to infect a victim’s machine with malware.
• Account Takeover (ATO), an attack where cybercriminals gain unauthorized access to a user’s account, often using stolen credentials, to perpetrate fraud or other malicious activities. Phishing is often a component of ATO attacks.
• Business Email Compromise (BEC), a targeted phishing attack where cybercriminals impersonate executives or high-ranking officials within a company to manipulate employees into transferring funds or divulging sensitive information. Phishing is typically used as part of a BEC attack.

While it is important to detect and prevent phishing, it may not be enough to prevent these other types of attacks, which could be carried out via other attack vectors.

Related content: Read our guide to phishing types

Can Machine Learning Help Detect Phishing Attacks?

Machine learning can help detect phishing attacks by leveraging its ability to learn patterns and identify anomalies in data. It can be used to create models that can automatically distinguish between legitimate and malicious emails, websites, or other forms of communication. Here are several ways ML can be utilized to detect phishing attacks:

• Text analysis: ML can analyze the text in emails or on websites to identify patterns that are commonly associated with phishing attacks. These include suspicious keywords, phrases, or links that may be indicators of a phishing attempt.
• URL analysis: ML models can analyze the structure and content of URLs to identify suspicious features, such as unusually long URLs, the use of special characters, or the presence of multiple subdomains. These characteristics can help the model differentiate between legitimate and phishing websites.
• Domain analysis: By analyzing the domain information and the SSL certificates of websites, ML models can identify discrepancies and abnormalities that may indicate a phishing attack. For example, a short domain registration period, a recently registered domain, or a lack of SSL certificate can be red flags.
• Email header analysis: ML can examine email headers to identify suspicious sender information, such as spoofed email addresses, irregularities in the “from” or “reply-to” fields, or the use of public email services for supposedly official communications.
• Image analysis: ML models, such as convolutional neural networks (CNNs), can be trained to analyze images on websites, such as logos or banners, to determine if they are imitations or manipulations of legitimate images. This can help identify counterfeit websites used for phishing attacks.
• Behavior analysis: ML can be used to analyze user behavior, such as mouse movements, click patterns, or keystroke dynamics, to identify deviations from normal behavior that may indicate a phishing attack.
• Anomaly detection: ML models can be trained to recognize patterns of normal activity and flag deviations or anomalies that may signify a phishing attempt. This can include unusual email sending patterns, unexpected network traffic, or other out-of-the-ordinary events.
• Real-time detection: ML models can process and analyze data in real-time, which allows for the rapid detection of phishing attacks as they occur. This quick response can help minimize the damage caused by such attacks.

By employing a combination of these techniques, ML can be an effective tool in detecting and preventing phishing attacks. However, it’s important to remember that no solution is perfect, and a multi-layered approach incorporating both ML and traditional security measures is essential for robust protection.

Related content: Read our guide to how to prevent phishing

Tips for Identifying Phishing Emails

Email phishing refers to email-based attacks where cybercriminals impersonate reputable senders like government organizations or well-known corporations. The attackers aim to collect sensitive information, infect devices with malware, or gain unauthorized access to applications and data. 

Recognizing phishing emails might be challenging as they often resemble legitimate messages. Here are some warning signs to consider:

1. Email authentication checks failure: Phishing emails often fail Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), or Domain-based Message Authentication Reporting and Conformance (DMARC) checks. Legitimate emails rarely end up in spam folders.
2. Mismatched sender’s email address and domain name: The sender’s email address should match the organization’s domain name. For example, a fake email might use [email protected] instead of the real domain, [email protected].
3. Generic greeting: Phishing emails frequently use generic greetings like “customer,” “account holder,” or “dear.”
4. Unusual sense of urgency or time limit: Phishers may create a false sense of urgency, e.g., offering a gift card within 24 hours or urging password updates due to a data breach.
5. Errors in the email body: Poor grammar, spelling, and sentence structure can indicate an illegitimate email source.
6. Mismatched links and sender’s domain: Phishing emails often contain links to malicious sites or masked links in the email body, while legitimate requests usually direct users to the sender’s domain.
7. Call-to-action (CTA) linking to the sender’s website: Phishers may use links that appear legitimate but redirect users to malicious sites or trigger malware downloads. Reputable organizations typically avoid asking for sensitive information via clickable links.

Bear in mind that more sophisticated phishing attempts might not show these signs, and may be very difficult to detect without automated tools.

Real Life Examples of Phishing Emails

Example 1: Emergency services coverage scam

A rural hospital entered into a contract with the ED group for emergency services coverage. Each month, they received an email invoice, paying over $200,000 for the provided services. The fraudulent emails persisted for several months until it was discovered that the ED group never sent payment requests via email. Consequently, the hospital lost $407,000 due to this scam.

Human error is a common factor in phishing attacks, and in this instance, the hospital staff could have identified the scam earlier. When the first payment was rejected by the ED group due to a blocked account, the hospital should have been more vigilant when resending the payment to a new account number.

To address the issue, the hospital prioritized cybersecurity training and two-factor email authentication for all managers. They also revised their transfer procedures, requiring verbal confirmation from vendors for financial transactions. This phishing example emphasizes the importance of verifying email sender addresses, especially when handling large sums of money.

Example 2: FACC incident

In January 2016, an employee at Austrian aerospace parts manufacturer FACC received an email requesting the transfer of €42 million to another account for an “acquisition project.” The email appeared to be from the company’s CEO, Walter Stephan, but was actually a scam.

The unsuspecting employee complied with the request, leading to the loss of funds. Following an internal investigation, both the CEO and CFO were fired for severe violations of their duties. This incident highlights the need for caution when dealing with high-value transactions and the importance of verifying the authenticity of email requests.

Example 3: Upsher-Smith Laboratories case

CEO fraud is a type of phishing email that exploits a company CEO’s name to deceive employees into revealing information or making financial transfers. In the Upsher-Smith Laboratories case, attackers convinced the Accounts Payable Coordinator to urgently transfer around $50 million in nine separate transactions to the “CEO’s account.” The account actually belonged to the cybercriminals.

While the employee bears significant responsibility, other factors contributed to the loss. The bank should have verified the large, frequent transactions, and the company should have had a procedure for handling such transfers. The process was halted at $39 million, but the damage had been done, and the funds could not be recovered.

This costly lesson demonstrated the importance of confirming unusual requests, even if urgent and appearing to come from the CEO. Establishing proper procedures may be time-consuming but is invaluable in preventing financial losses.

Bonus Example: See how a Two-step Phishing attack was caught by Perception Point

Tips for Identifying Phishing Websites 

A phishing website is a fraudulent online platform created by cybercriminals to deceive visitors into providing sensitive information or performing specific actions that benefit the attacker. These websites often impersonate legitimate businesses, financial institutions, or other trusted organizations to manipulate users’ emotions and sense of urgency. Phishing websites typically collect personal data, login credentials, or financial information, which can be used for identity theft, financial fraud, or other malicious purposes.

The water-holing technique is a tactic used by cybercriminals to target specific groups or organizations by compromising websites that their intended victims frequently visit. The attacker identifies a website commonly used by their target audience and exploits vulnerabilities in the site’s security to install malware or redirect users to a malicious site. The goal is to infect the victim’s device with malware, gain unauthorized access to sensitive information, or establish a foothold within the target organization’s network.

To identify phishing websites, users can employ various strategies, such as:

1. Checking the URL: Carefully examine the website’s URL for any inconsistencies, misspellings, or other irregularities that might indicate a fraudulent site. Attackers often use look-alike domains or subtly altered URLs to deceive users. Be wary of websites that use unfamiliar top-level domains (TLDs) or contain a string of seemingly random characters.
2. Identifying redirects and URL shorteners: Cybercriminals may use redirects or URL shorteners to conceal the true destination of a link. These techniques can make it difficult for users to determine whether a website is legitimate or not. Before clicking on a shortened URL, consider using a link expander tool to reveal the actual destination. Be cautious of links that redirect to unexpected websites or ask for sensitive information.
3. Scrutinizing the website’s content: Phishing websites often contain spelling errors, poor wording, or low-resolution images to create a sense of urgency or deceive users. Examine the site’s content for any inconsistencies or red flags that might suggest it is not genuine. Legitimate businesses typically invest time and resources into creating professional, high-quality websites.
4. Researching the ostensible sender: If the phishing website claims to be associated with a specific company, verify that the company is legitimate. Cross-check information and reviews from multiple sources to avoid being misled by fake reviews or deceptive claims. Be skeptical of businesses with little online presence, minimal contact information, or a history of negative reviews.
5. Ensuring payment methods are secure and legitimate: Scam websites are more likely to request payment in the form of a bank transfer, cryptocurrency, or other less traceable methods. Legitimate businesses typically offer secure payment options, such as credit cards or well-known payment processors. Before providing payment information, verify that the website uses a secure connection (indicated by “https” and a padlock symbol in the URL) and research the company’s refund policies and customer support.

In addition to these strategies, users can also employ various tools and resources to help identify phishing websites. Browser plugins and security software can offer real-time protection against known phishing sites, while online databases and reporting services can provide up-to-date information on recently identified scams.

Real Life Examples of Phishing Websites 

Here are some examples of phishing websites scams:

Example 1: COVID-19 pandemic-themed phishing attacks With the onset of the COVID-19 pandemic in 2020, attackers took advantage of the situation and launched numerous phishing attacks related to pandemic relief, vaccines, or health information. For example, phishing websites impersonated the World Health Organization (WHO) or the Centers for Disease Control and Prevention (CDC) to collect personal information or spread malware.

Example 2: Zoom phishing attacks 

During the pandemic, the use of video conferencing platforms like Zoom increased significantly. Attackers capitalized on this trend and created phishing websites that mimicked Zoom login pages to steal users’ credentials. They would send emails with a fake meeting invitation, which redirected users to a phishing site when clicked.

Example 3: Netflix attacks 

In 2020, phishing attacks targeting Netflix users became prevalent. Attackers sent emails that appeared to be from Netflix, claiming that the user’s account had been suspended due to payment issues. The email contained a link to a fake Netflix website, where users were prompted to enter their login credentials, billing information, and personal details.

Example 4: Google and Microsoft impersonation attacks

In 2020 and 2021, cybercriminals launched phishing campaigns that impersonated Google and Microsoft services. They sent emails that appeared to be from these companies, with subject lines like “Critical security alert” or “Action required: Update your payment details.” The emails contained links to fake login pages designed to steal users’ credentials.

6 Security Tools that Can Help Detect and Prevent Phishing Attacks

Detecting phishing attacks can be challenging, but using security tools can significantly improve your chances of identifying and avoiding these threats:

1. Email security solutions: Deploy email security solutions which use advanced filtering techniques to identify and block phishing emails before they reach users’ inboxes. These tools analyze email content, headers, and sender information to detect potentially malicious emails and quarantine or flag them.
2. Anti-phishing browser extensions: Install anti-phishing browser extensions. These extensions check the websites you visit against a database of known phishing sites and provide a warning if you attempt to access a potentially malicious website.
3. Antivirus software: Use antivirus software with anti-phishing features. These solutions can scan incoming emails and web pages for potential phishing attacks and block access to malicious websites.
4. Enable two-factor authentication (2FA): Implement 2FA for your accounts whenever possible. This adds an additional layer of security, making it more difficult for attackers to gain access to your accounts, even if they obtain your login credentials.
5. Use Domain-based Message Authentication, Reporting, and Conformance (DMARC): Implement DMARC for your domain’s email configuration. DMARC helps prevent email spoofing by verifying the authenticity of the sender’s domain and providing reports on unauthenticated emails.
6. Monitor and analyze network traffic: Use a network security tool such as a Security Information and Event Management (SIEM) system or Intrusion Detection System (IDS) to monitor and analyze network traffic for signs of phishing or other malicious activities.

By combining these security tools and best practices, you can improve your organization’s ability to detect and prevent phishing attacks. Regularly review and update your security measures to stay ahead of evolving threats and protect your sensitive data and systems.

Learn more in our detailed guide to how to prevent phishing 

Phishing Detection with Perception Point

Perception Point delivers one platform that prevents phishing, malware, ransomware, APTs and zero-days from reaching your end users.

Advanced Email Security is an integrated cloud email security solution (ICES) that can replace SEGs. The solution cloud-native SaaS solution protects your organization against all threats using 7 layers of advanced threat detection layers to prevent malicious files, URLs, and social-engineering based techniques.

Advanced Browser Security adds enterprise-grade security to your organizations native browsers. The managed solution fuses browser protection technology with multi-layer advanced threat prevention engines which delivers the unprecedented ability to detect and remediate all malicious threats from the web, including phishing, ransomware, malware, APTs, and more. Multi-layered static and dynamic detection capabilities instantly detect and block access to malicious/phishing websites and prevent malicious file downloads of ransomware, malware, and APTs.

Advanced Threat Protection for Cloud Collaboration, File Sharing and Storage Applications, such as Microsoft 365 applications (OneDrive, SharePoint, Teams), Google Drive Box, AWS S3 buckets, Zendesk, Salesforce, and any of the other hundreds of apps out there, protects your organization with near real-time dynamic scanning. It does not tamper with files and does not impede on productivity.

An all-included managed Incident Response service is available for all customers 24/7 with no added charge. Perception Point’s team of cybersecurity experts will manage incidents, provide analysis and reporting, and optimize detection on-the-fly. The service drastically minimizes the need for internal IT or SOC team resources, reducing the time required to react and mitigate web-borne attacks by up to 75%.

Get a demo today!