How to Spot a Phishing Attack

Someone tried to phish my email today. Phishing is a form of electronic attack whereby a malicious person tries to steal personal information by posing as a trusted source. The following email arrived in my inbox:

Phishers usually succeed because they disguise themselves as trusted entities, in this case Gmail.

This email looks like it came from Google. So how did I know it was a phishing attack?

  1. I have set up two-factor authentication for security alerts on my account. You can activate this from your account page within Google. It means that they will send you a notification two different ways when there is an alert on your account. In this case, I never received that second notification, which made me suspicious.
  2. Even if I did not have two-factor set up, there is no Google branding on the email — not even the Google logo. That is a huge red flag.
  3. See the sender information? “mailer.customerservice@gmail.com” screams fake. It just doesn’t look like anything else Google uses. And check this out:
    See that “via advmailservice.com?” An actual email provider would never use a third party mailing service to send you a security alert — they would send it themselves.
  4. I looked up advmailservice.com on WhoIs and saw it is registered in Amsterdam. No thanks.
  5. Lastly, I right-clicked on that big blue box that says REVIEW YOUR DEVICES NOW, and selected “copy link address.” The result was a string of characters at that advmailservice domain. Again, a real email service does not do that — they have their own websites for account information and will never use a third party.
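
The sender and link checks from items 3 and 5, as an added example that is not part of the original post: it flags a Return-Path or Sender domain that differs from the From domain (assumed here to be what a "via" label reflects) and any link whose host falls outside a trusted list. The sample message, its link path, the Return-Path address and the `TRUSTED` list are constructed for illustration.

```python
import email
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample modelled on the email described above (link path and Return-Path are made up).
SAMPLE = """\
From: Google <mailer.customerservice@gmail.com>
Return-Path: <bounce@advmailservice.com>
Subject: Security alert
Content-Type: text/html; charset="utf-8"

<html><body><a href="http://advmailservice.com/c/EXAMPLE-TOKEN">REVIEW YOUR DEVICES NOW</a></body></html>
"""
TRUSTED = ("google.com",)  # assumption: domains a genuine account alert would link to

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hosts = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:  # record the host each link really goes to
            self.hosts.append((urlsplit(href).hostname or "").lower())

def domain_of(header_value):
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def in_domain(host, domain):
    # Match on a label boundary so google.com.evil.example does not pass.
    return host == domain or host.endswith("." + domain)

def check_message(raw):
    msg = email.message_from_string(raw)
    findings = []
    from_dom = domain_of(msg["From"])
    for hdr in ("Return-Path", "Sender"):  # headers that reveal the real sending service
        dom = domain_of(msg[hdr])
        if dom and dom != from_dom:
            findings.append(f"{hdr} domain {dom} differs from From domain {from_dom}")
    parser = LinkCollector()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            parser.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
    for host in parser.hosts:
        if not any(in_domain(host, d) for d in TRUSTED):
            findings.append(f"link host {host} is not a trusted domain")
    return findings
```

Calling `check_message(SAMPLE)` returns one finding for the mismatched sending domain and one for the button link.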

So this is clearly a phishing attack. I don’t think it was a spear phish (which is where a person is specifically targeted), because the advmailservice domain seems to be a common one for sending out mass emails. Even so, and this is always important, I logged onto my Google account independently of the email (I did not click on any link) and checked for security alerts. There were none.

This is illustrative of how tricky phishing attacks can be. I happen to know what to look for, because of several nasty experiences with cyberbullies and the Glenn Greenwald defamation troll gang who tried these techniques on me. But the instinct we have, in part because internet companies and most government services tend to encourage unsafe email practices, is to simply click on links in our emails.

It is a nasty problem, one that had national implications for the Democratic National Committee, but can pose more day-to-day challenges for normal people, as it can give criminals, identity thieves, and even hostile entities access to our private information, financial data, and even health records.

I daresay this problem is getting worse, but solutions to it are few and far between. Relying on smart user behavior, which is the preferred method for defeating phishing attacks, will never be enough — someone will always make a mistake and an attacker will slip in. There needs to be a technological response to it, but there is no sense that they are getting any closer to being available to regular people.

joshua.foust
Joshua Foust used to be a foreign policy maven. Now he helps organizations communicate strategically and build audiences.