A Strong Foundation: Securing Accounts and Devices

Phishing: A common threat to devices and accounts

Last Updated: July 2022

Phishing is the most common and effective attack on organizations around the world. The technique is used by the most sophisticated nation-state militaries as well as petty fraudsters. Phishing, put simply, is where an adversary attempts to trick you into sharing information that could be used against you or your organization. Phishing can happen via emails, text messages/SMS (often referred to as SMS phishing or “smishing”), messaging apps like WhatsApp, social media messages or posts, or phone calls (often referred to as voice phishing or “vishing”). The phishing messages may try to get you to type sensitive information (like passwords) into a fake website in order to gain access to an account, ask you to share private information (like a credit card number) via voice or text, or convince you to download malware (malicious software) that can infect your device. For a non-technical example, every day millions of people get fake automated phone calls telling them that their bank account was compromised or that their identity has been stolen - all of which are designed to trick the unaware into sharing sensitive information.

Phishing and Civil Society

Image of phishing email to Tibetan civil society

Sophisticated, personalized phishing attacks target civil society groups around the world every day.

One example of such an attack is highlighted in The Citizen Lab’s 2018 report, Spying on a Budget: Inside a Phishing Operation with Targets in the Tibetan Community. This very inexpensive and simple - yet incredibly effective - phishing attack was aimed at Tibetan human rights defenders and other activists. The attack started with a phishing email (shown at left) from a standard Gmail address that contained only an image file link. When clicked, the link brought the target to a fake Google email login page (shown in middle) that was used to steal account credentials. If victims provided credentials to the fake page, their accounts would be easily compromised. After providing their username and password to the fake site, victims would be redirected to an image (shown at right) that shows delegates in a Tibetan meeting. The image was included as a decoy to make the phishing targets believe they had actually signed in to their real Google account and reduce any possible suspicions about the true malicious nature of the email.

How can we identify phishing?

Phishing can sound sinister and impossible to catch, but there are some simple steps that everyone in your organization can take to protect against the majority of attacks. The following phishing defense tips are modified and extended from the in-depth phishing guide developed by the Freedom of the Press Foundation, and should be shared with your organization (and other contacts) and integrated into your security plan:

Sometimes, the "from" field is lying to you

Be aware that the "from" field in your emails can be faked or forged to trick you. It is common for phishers to set up an email address that looks a lot like a legitimate one that you are familiar with, misspelled just a bit to trick you. For example, you may receive an email from someone with the address “[email protected]” as opposed to “[email protected]”. Notice the extra Os in google. You may also know someone with an email address “[email protected]”, but receive a phishing email from an impersonator who set up “[email protected]” - the only difference being a subtle change of letters at the end. Always be sure to double-check that you know the sending address of an email before proceeding. A similar concept applies to phishing via text, calls, or messaging apps. If you get a message from an unknown number, think twice before responding to or interacting with the message.
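The address comparison described above, automated as an added example (not tooling from this guide): it flags a sender that merely resembles a known contact, whether by an extra letter in the domain or a changed letter at the end of the mailbox name. KNOWN_CONTACTS is a constructed stand-in for the organization's address book, and the verdict labels and similarity thresholds are this example's own choices.

```python
"""Flag a From: address that merely resembles a known contact."""
import difflib
from email.utils import parseaddr

# Constructed for this example: mailboxes the organization actually writes to.
# A real deployment would load these from the address book or directory.
KNOWN_CONTACTS = {"alice@example.org", "helpdesk@google.com"}
KNOWN_DOMAINS = {addr.split("@", 1)[1] for addr in KNOWN_CONTACTS}


def _closest(candidate, pool, cutoff):
    """Return the pool entry most similar to candidate, or None."""
    hits = difflib.get_close_matches(candidate, pool, n=1, cutoff=cutoff)
    return hits[0] if hits else None


def classify_sender(from_header):
    """Classify a raw From: header; returns a (verdict, detail) tuple.

    A lookalike is almost, but not exactly, a known address or domain:
    an extra letter ("gooogle.com") or a letter changed near the end.
    Verdicts: known, lookalike-address, lookalike-domain,
    known-domain (real domain, unfamiliar mailbox), unknown, malformed.
    """
    _display_name, address = parseaddr(from_header)
    address = address.strip().lower()
    if "@" not in address:
        return ("malformed", from_header)
    domain = address.split("@", 1)[1]

    if address in KNOWN_CONTACTS:
        return ("known", address)

    # Whole address first: an impersonator on the same mail provider
    # ("alicee@example.org") differs only in the part before the @.
    near_address = _closest(address, KNOWN_CONTACTS, cutoff=0.9)
    if near_address:
        return ("lookalike-address", near_address)

    # Then the domain alone, so "gooogle.com" is matched to "google.com".
    near_domain = _closest(domain, KNOWN_DOMAINS, cutoff=0.85)
    if near_domain and near_domain != domain:
        return ("lookalike-domain", near_domain)

    if domain in KNOWN_DOMAINS:
        return ("known-domain", domain)
    return ("unknown", domain)
```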

Beware of attachments

Attachments can carry malware and viruses, and commonly accompany phishing emails. The best way to avoid malware from attachments is to never download them. As a rule, do not open any attachments immediately, especially if they come from people you do not know. If possible, ask the person that sent you the document to copy-paste the text in an email or to share the document via a service like Google Drive or Microsoft OneDrive, which have built-in virus scanning of most documents uploaded to their platforms. Build an organizational culture where attachments are discouraged.

If you absolutely have to open the attachment, it should only be opened in a safe environment (see Advanced section below) where potential malware cannot be deployed to your device.

If you use Gmail and receive an attachment in an email, instead of downloading it and opening it on your computer, simply click on the attached file and read it in “preview” within your browser. This step allows you to view the text and contents of a file without downloading it or allowing it to load possible malware onto your computer. This works well for Word documents, PDFs, and even slideshow presentations. If you need to edit the document, consider opening the file in a cloud program like Google Drive and converting the file to a Google Doc or Google Slides.

If you use Outlook, you can similarly preview attachments without downloading them from the Outlook web client. If you need to edit the attachment, consider opening it in OneDrive if that’s available to you. If you use Yahoo Mail, the same concept applies. Do not download attachments, but rather preview them from within the web browser. Regardless of what tools you have at your disposal, the best approach is simply to never download attachments that you do not know or trust, and regardless of how important an attachment might seem, never open something with a file type you do not recognize or have no intention of ever using.

Phishing Defense for Your Organization

If your organization uses enterprise Microsoft 365 for email and other applications, your domain administrator should configure the Safe Attachments policy to protect against dangerous attachments. If using enterprise Google Workspace (formerly known as G Suite), there is a similarly effective option that your administrator should configure called Google Security Sandbox. More advanced individual users can consider setting up sophisticated sandbox programs, such as Dangerzone or, for those with the Pro or Enterprise version of Windows 10, Windows Sandbox.

Another advanced option to consider implementing across your organization is a secure domain name system (DNS) filtering service. Organizations can use this technology to block staff from accidentally accessing or interacting with malicious content, providing an additional layer of protection against phishing. New services like Cloudflare’s Gateway provide such capabilities to organizations without requiring large sums of money (Gateway, for example, is free for up to 50 users). Additional free tools, including Quad9 from the Global Cyber Alliance Toolkit, will help block you from accessing known sites that have viruses or other malware and can be implemented in less than five minutes.

Click with caution

Be skeptical of links in emails or other text messages. Links can be disguised to download malicious files or take you to fake sites that might ask you to provide passwords or other sensitive information. When on a computer, there is a simple trick for making sure a link in an email or message will send you to where it is supposed to: Use your mouse to hover over any link before clicking on it, and look in the bottom of your browser window to see what the actual URL is (see image below).

Outlook inbox photo

It is more difficult to check links in an email on a mobile device without accidentally clicking on them - so be careful. You can check the destination of a link on most smartphones by long-pressing (holding down) on a link until the full URL pops up.

In phishing via SMS and messaging apps, shortened links are a very common practice used to disguise the destination of a URL. If you see a short link (e.g., bit.ly or tinyurl.com) instead of the full URL, do not click on it. If the link is important, copy it into a URL expander, such as https://www.expandurl.net/, to see the actual destination of a shortened URL. Furthermore, do not click on links to websites you are unfamiliar with. If in doubt, perform a search for the site, with the site name in quotation marks (e.g.: “www.badwebsite.com”) to see if it is a legitimate website. You can also run potentially suspicious links through VirusTotal’s URL scanner. This is not 100 percent accurate, but it is a good precaution to take.

Finally, if you click on any link from a message and are asked to log in to something, do not do it unless you are 100 percent sure that the email is legitimate and is sending you to the appropriate site. Many phishing attacks will provide links that send you to fake login pages for Gmail, Facebook, or other popular sites. Do not fall for them. You can always open a new browser, and go directly to a known site like Gmail.com, Facebook.com, etc. yourself if you want or need to log in. That will also take you to the content, safely – if it was legitimate in the first place.
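The hover check and the shortened-link check from this section, automated as an added example (not part of this guide): it lists where each link in an HTML message really goes, flags the shortener hosts the guide names, and flags any link whose visible text names a different site than its actual destination. The sample message and its hosts are constructed for the example.

```python
"""Show where each link in an HTML message really points, as hovering would."""
import re
from urllib.parse import urlsplit

# Shortener hosts named in the guide; extend with any others you encounter.
SHORTENERS = {"bit.ly", "tinyurl.com"}

# Good enough for mail bodies in an example; a real tool would use an HTML parser.
_ANCHOR = re.compile(r'<a\s[^>]*?href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)


def host_of(text):
    """Lower-case host of a URL or bare domain, without a leading www."""
    if "://" not in text:
        text = "http://" + text  # visible text is often a bare "www.example.org"
    host = urlsplit(text).hostname
    return host.removeprefix("www.") if host else None


def inspect_links(html_body):
    """Return one finding per link: its visible text, real host and any warning."""
    findings = []
    for href, inner in _ANCHOR.findall(html_body):
        text = re.sub(r"<[^>]+>", "", inner).strip()  # drop tags nested in the anchor
        real = host_of(href)
        # Treat the visible text as a claimed destination only if it looks like one.
        shown = host_of(text) if "." in text and " " not in text else None
        if real in SHORTENERS:
            warning = "shortened link, destination hidden"
        elif shown and shown != real and not (real or "").endswith("." + shown):
            # The hover check: the text names one site, the link goes to another.
            warning = f"text shows {shown} but link goes to {real}"
        else:
            warning = None
        findings.append({"text": text, "host": real, "warning": warning})
    return findings


# Constructed sample message; the hosts are illustrative, not real phishing sites.
SAMPLE_EMAIL = """<p>Your account needs attention.</p>
<a href="https://accounts-google.example/login">https://accounts.google.com</a>
<a href="https://bit.ly/constructed">View the shared document</a>
<a href="https://www.example.org/report.pdf">www.example.org</a>"""
```

Run `inspect_links(SAMPLE_EMAIL)` to see the three findings; only the last link, whose text and destination agree, comes back without a warning.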

What should we do when we get a phishing message?

If anyone at your organization receives an unsolicited attachment, link, image, or an otherwise suspicious message or call, it is important that they immediately report it to the IT security point-person in your organization. If you do not have such an individual, you should identify them as part of developing your security plan. Staff can also report the email as spam or phishing directly in Gmail or Outlook.

Having a plan in place for what staff or volunteers should do if/when they receive a possible phishing message is crucial. In addition, we recommend taking these phishing best practices - not clicking on suspicious links, avoiding attachments, and checking the “from” address - and sharing them with others that you work with, preferably through a widely-used communication channel. This illustrates that you care about the people you are in communication with, and encourages a culture across your networks that is alert and aware of the dangers of phishing. Your security depends on those organizations you trust, and vice versa. Better practices protect everyone.

In addition to sharing the tips above with all staff and volunteers, you can also practice identifying phishing with the Google Phishing Quiz. We also strongly recommend setting up regular phishing training with staff to test awareness and keep people vigilant. Such training can be formalized as part of regular organizational meetings, or held more informally. What is important is that everyone in the organization feels comfortable asking questions about phishing, reporting phishing (even if they feel they might have made a mistake such as by clicking a link), and that everyone is empowered to help defend your organization against this high-impact and high-likelihood threat.

Phishing

  • Regularly train staff on what phishing is and how to spot it and defend against it, including phishing on text messages, messaging apps, and phone calls, not just email.
  • Frequently remind staff of best practices such as:
    • Do not download unknown or potentially suspicious attachments.
    • Check the URL of a link before you click. Do not click unknown or potentially suspicious links.
    • Do not provide sensitive or private information via email, text, or phone call to unknown or unconfirmed addresses or people.
  • Encourage reporting of phishing.
    • Establish a reporting mechanism and point-person for phishing within your organization.
    • Reward reporting, and do not punish failure.