You know how to identify phishing emails – a cybersecurity researcher explains how to trust your instincts to foil the attacks

An employee at MacEwan University got an email^[1] in 2017 from someone claiming to be a construction contractor asking to change the account number where almost $12 million in payments were sent. A week later the actual contractor called asking when the payment would arrive. The email about the account number change was fake. Instead of going to the contractor, the payments were sent to accounts controlled by criminals.

Fake emails that try to get people to do things they wouldn’t normally do, such as send money, run dangerous programs^[2] or give out passwords^[3], are known as phishing^[4] emails. Cybersecurity experts often blame the people^[5] who receive such messages for not noticing that the emails are fake.

As a cybersecurity researcher^[6], I’ve found that most people are good at almost all of the skills^[7] that computer security experts use to notice fake emails in their inboxes. Making up the difference comes down to listening to your instincts.

How the pros do it

In earlier research, I found that when cybersecurity experts received a phishing email message^[8], they, like most people, assumed the email was real. They initially took everything in the email at face value. They tried to figure out what the email was asking them to do, and how it related to things in their life.

As they read, they noticed small things that seemed off, or different from what would typically be in similar email messages. They noticed things like typos in a professional email, or the lack of typos from a busy executive. They noticed things like a bank providing account information in an email message instead of the standard notification that the recipient had a message waiting for them in the bank’s secure messaging system. They also noticed things like someone uncharacteristically emailing them without mentioning it in person first.

But noticing these signs isn’t enough to figure out the email is a fraud. Instead, the experts just became uncomfortable with the email message. It wasn’t until they saw something in the message that reminded them of phishing that they became suspicious. They would see an anomaly like a link that the email was trying to get them to click. In their minds, these are commonly associated with phishing emails.

Combined with the uncomfortable feeling about the email message, this reminder prompted the experts to recognize that phishing might explain the weird things they noticed. They became suspicious of the message and investigated to figure out if it was a fraud.

Good instincts

If that’s how experts do it, then what do regular people do? When I interviewed people without computer security experience, I found a similar process^[9]. Most people noticed things that seemed off, became uncomfortable with the email, remembered about phishing and investigated.

My research found that people are good at the first two steps: noticing things in the email that seem weird, and becoming uncomfortable. Almost everyone I talked to noticed multiple problems when they saw a fake email, and told me about feeling uncomfortable with the message.

References

1. ^{^} MacEwan University got an email (www.cbc.ca)
2. ^{^} run dangerous programs (www.wsj.com)
3. ^{^} give out passwords (www.nytimes.com)
4. ^{^} phishing (www.consumer.ftc.gov)
5. ^{^} blame the people (doi.org)
6. ^{^} cybersecurity researcher (scholar.google.com)
7. ^{^} people are good at almost all of the skills (www.usenix.org)
8. ^{^} received a phishing email message (doi.org)
9. ^{^} a similar process (www.ieee-security.org)
10. ^{^} CC BY-ND (creativecommons.org)
11. ^{^} You can read us daily by subscribing to our newsletter (theconversation.com)