
Tactics and Examples of Phishing Attacks

In this video, you will learn about the tactics phishing attackers use and work through real-life examples.
This is an example of an actual phishing email with several red flags. The first red box is an artefact that is added by the specific spam filter being used. You may not see this. The next box indicates the urgency I talked about earlier. This is bold, all caps, important. The next clue is that if you hover over the link that is supposed to take you to Kiwibank, it’s to Istanbul something I can’t pronounce. And lastly, there is no personal signature and no contact details. Here are more clues in this email ostensibly from Facebook. First, if you look at the sender’s email address, it’s obviously not from Facebook. Second, there’s no personal name or contact details for the sender.
Next, the email is not personalised with your name anywhere. It just refers to you. And if you hover over the Go to Facebook button, the link goes to rather than Facebook. Here are a few more subtle things to be aware of and to look for. Remember that the From address can be easily spoofed, as I will show you later in an email I got from myself. Next, if the sender is someone you have previously received correspondence from but the format looks different, you should be suspicious. And again, hover over that link to see where it goes. In this case, it goes someplace much different than what it states. This is an actual email my former boss received.
This one is a classic. Someone has passed away, and for some reason, his lawyer has chosen you, a complete stranger, to inherit millions of dollars. The email reads, “Dear Friend, I am Mr. Johnson Cole, a personal attorney to a foreign national who has died of a heart attack in 2012 without any registered next of kin as he was long divorced and had no child. My client left behind US $5.7 million five million seven hundred thousand United States dollars. The bank had issued me a notice to come forward for the claim or have his account confiscated.
Since I have been unsuccessful in locating any relatives of my deceased client, I contacted you because you have the same name with him and you can perfectly fit as next of kin to my late client. We can work together as partner to enable us claim the fund and share it 50-50. I will give you more details as soon as I hear from you. Best regards, Mr. Johnson Cole.” This scam exploits greed, which admittedly can be pretty effective. Note the many grammatical errors, along with the highly implausible story. There are no links or attachments here, so the attacker is depending on you to respond to him, at which point he will ask for your banking information and other personally identifying information.
This one is timely and relevant because it’s taking advantage of the current pandemic. Again, it exploits greed. The email reads, “You have been chosen for a donation of humanitarian funds of $20,000 US help fight the outbreak of coronavirus, which have become a global disaster. I Mr. Mavis Smith Maureen have decided to donate some funds to assist the less privileged. Contact now for more details.” And then there’s an email address to click. As in the previous example, the attacker’s probably targeting your banking information. According to the US Secret Service webcast I attended, there have been over 12,000 new fraudulent Covid-19 websites set up between March and June of 2020.
Another of my co-workers received this urgent request to update his Amazon account. Note both addresses: the From is clearly not Amazon, and the To is “undisclosed recipients”. Again, there are multiple grammatical errors. If you click this attachment, it will download some type of malware as I mentioned before, such as a keylogger, spyware, a remote access Trojan, ransomware, or a crypto miner. And here’s one I just received from myself. That’s the email address to my cyber security website. Note the link, which would take me to a malicious website. I know I didn’t send that email to myself. So how do I find out who did send it?
You can go to your webmail server to get this information, but you can also find it right in Outlook if that’s what you’re using. If you aren’t using Outlook, just look up how to see the full email header in the service you use. In Outlook, you open the email. And at the top of the screen, click the little box and arrow by Tags. And it will open a new window showing the properties of the email. At the bottom, look in the Internet headers box and you can scroll down through that information to see the true email of the sender. And you can see it here. What can you do to avoid phishing attacks?
Be aware of the many red flags that I discussed. Another important part of awareness is to follow what I call the nerd news. Subscribe to news feeds or listen to podcasts that supply you with up-to-date cybersecurity information. Obviously don’t click on links or attachments in emails unless you verify they’re from a legitimate source. Use a good spam filter, but don’t fall into a false sense of security thinking it will catch every phishing email. Use authentication checking. There are several forms: Sender Policy Framework, or SPF; DomainKeys Identified Mail, or DKIM; and Domain-based Message Authentication, Reporting and Conformance, also known as DMARC. Avoid sending personal information over email.
Verify any suspicious requests, especially those that involve money transfers or credentials. And for many reasons, not just phishing, use strong passwords. And do not reuse passwords on different accounts. In conclusion, you have learned what phishing is, what objectives attackers are aiming for in phishing, and that everyone is at risk for phishing. We discussed many red flags and warning signs of a phishing attack and went over several examples of phishing and what you can do to protect yourself and your organisation from a phishing attack. In the next video, we will discuss spear-phishing, a specifically targeted type of phishing. I look forward to seeing you there.
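The header inspection and red-flag checks the video walks through (From versus the true sender in the headers, SPF/DKIM/DMARC results, "undisclosed recipients", urgency in the subject, and a link whose visible text does not match its real target) can be automated. The script below is an added example, not part of the course; the message it parses is constructed, and the domains in it are placeholders.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not a real message): the From header claims kiwibank.co.nz, but the
# envelope sender, the authentication results and the link target all say otherwise.
SAMPLE = b"""Return-Path: <bounce@mailer.example-sender.invalid>
Authentication-Results: mx.example.test; spf=fail smtp.mailfrom=example-sender.invalid; dkim=none; dmarc=fail
From: Kiwibank Security <alerts@kiwibank.co.nz>
To: undisclosed-recipients:;
Subject: URGENT: ACCOUNT SUSPENDED
Content-Type: text/html

<p>Dear Customer, verify now:</p>
<a href="http://login.example-phish.invalid/kb">https://www.kiwibank.co.nz/login</a>
"""

def _host(s):
    """Hostname of a URL, or the domain part of an e-mail address, lower-cased."""
    return ((urlparse(s).hostname if "://" in s else s.rsplit("@", 1)[-1]) or "").lower()

def phishing_flags(raw):
    """Return the red flags found in a raw RFC 5322 message as a list of strings."""
    msg = message_from_bytes(raw, policy=policy.default)
    flags = []
    from_dom = _host(parseaddr(str(msg.get("From", "")))[1])
    path_dom = _host(parseaddr(str(msg.get("Return-Path", "")))[1])
    if path_dom and path_dom != from_dom:  # the true sender is not who the From line claims
        flags.append(f"return-path domain {path_dom} != from domain {from_dom}")
    for mech, res in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(msg.get("Authentication-Results", ""))):
        if res.lower() != "pass":  # SPF / DKIM / DMARC did not vouch for this sender
            flags.append(f"{mech}={res}")
    if "undisclosed" in str(msg.get("To", "")).lower():
        flags.append("to: undisclosed recipients")
    subj = str(msg.get("Subject", ""))
    if subj.isupper() or re.search(r"\b(urgent|immediately|suspended)\b", subj, re.I):
        flags.append("urgency cue in subject")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        # Simple <a href="...">text</a> anchors only; a full HTML parser would be used in production.
        for href, text in re.findall(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', body.get_content(), re.I | re.S):
            if "://" in text and _host(text) != _host(href):  # displayed URL != real target
                flags.append(f"link text {_host(text)} -> {_host(href)}")
    return flags

if __name__ == "__main__":
    for f in phishing_flags(SAMPLE):
        print("red flag:", f)
```

Run it against a saved `.eml` file (read as bytes) to get the same checks the video performs by hand on the Outlook Internet headers.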

In this video, you will learn about the tactics phishing attackers use and work through real-life examples to identify the warning signs one should look out for to identify a phishing attempt and defend against it.

This article is from the free online

Cyber Security Foundations: Common Malware Attacks and Defense Strategies

Created by
FutureLearn - Learning For Life
