2022-01-10

An email may seem legitimate, but you are still not entirely sure.

Phishing is a social engineering tactic that consists of tricking users into believing they are entering a trusted site they already know, while actually taking them to another address with the same appearance, with the aim of getting them to hand over their credentials and expose their information.

A phishing survey conducted by ESET, a company specializing in proactive threat detection, presented participants with four phishing images along with actual messages, and just over 60% were unable to identify all of them correctly.

The free questionnaire, called the ESET Phishing Derby, was organized by the ESET team in the United States and is designed to assess how competent people are at distinguishing fake messages from real ones.

Interestingly, the results show a marked difference by age in how many participants correctly identified all the samples: 47% of the youngest group, ages 18-24, compared to just 28% of those over 65. People between 25 and 44 years old reached 45%, and people between 45 and 64 years old were at 6%.

A similar result was presented when ESET Canada conducted the same survey in late 2020, with 68% of the participants failing to identify all four samples correctly.

“You might think that with the continuous awareness campaigns on computer security issues carried out by financial institutions, cybersecurity companies, governments and similar organizations, this number should be lower, much lower, and I could agree. However, some phishing emails that land in inboxes are very well designed and look and feel legitimate, making it much more difficult to identify them as fake. This challenge will only get more difficult as cybercriminals perfect their craft,” said Tony Anscombe, Security Evangelist at ESET.

One of the samples was an email purporting to come from American Express. The message was a notification stating that a suspicious transaction attempt had been blocked and requesting that recent transactions be reviewed. At first glance, the email seemed legitimate; it was well written and had good graphics. However, several signals make it possible to determine that the email was fake.

For starters, the recipient of the email did not have an American Express Business Platinum card. However, because the recipient did have an American Express account, it is understandable why this message could succeed in deceiving them into taking the next step: opening the message and possibly clicking on the link it includes.

The email is designed to create an emotional reaction: ‘oh no, there is fraud on my account, I need to fix it immediately, I will click’. Another indicator that this email is fake is that the message is not personalized: it begins with ‘Dear card user’ and then refers to the ‘Account that begins with 37**’.

American Express knows who its customers are and does not refer to them generically in communications, but includes their name. Furthermore, credit card companies typically quote the final digits, which are specific to each account number, and not the digits the account begins with. Cards issued by American Express start with a ‘3’ followed by a ‘4’ or a ‘7’, so the number used in the email is generic and valid for a large share of cardholders. This shows the broad, untargeted approach cybercriminals take to catch a victim.

Key tips

ESET shares some tips on how to identify a phishing email. Pay special attention when the email is not addressed to you personally, even though the company that is supposedly sending it knows who you are and would generally send emails that include your name rather than a generic greeting.

While many phishing emails today are perfectly written, it is still common to see campaigns with somewhat sloppy, error-ridden messages. Given that phishing emails are getting better and better designed, be sure to read them twice, as the errors can be harder to spot.

Also be wary of unsolicited email; in other words, email from a company with which you have never communicated.

Be wary of a call to act urgently; for example, to click a link and log in to review transactions or the like.

Look at the sender’s email address. Hover over the email address and note what the actual sender address is and what domain it was sent from.

Be wary of emails with attachments that claim, for example, to be an invoice or a notification of some kind.

It is always better to have a security solution installed and updated on all your devices, both desktop and mobile.
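The indicators in the tips above (generic greeting, urgency, sender domain and Reply-To that do not match the claimed brand, link text that does not match the link target, attachments) can be checked mechanically before a message reaches a user. The following is an added example, not ESET's code or part of the article; the sample message and the `.example` domains are constructed to mirror the American Express case described above.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from email.policy import default

# Constructed sample modelled on the indicators the article describes (not a real message).
SAMPLE = """\
From: "American Express" <alerts@amex-secure-notice.example>
Reply-To: support@mail-verify.example
To: customer@example.org
Subject: Suspicious transaction blocked - action required
Content-Type: text/html

<p>Dear Card User,</p>
<p>Account that begins with 37**: a suspicious transaction attempt was blocked.
Please review immediately: <a href="http://amex-secure-notice.example/login">https://www.americanexpress.com/</a></p>
"""

GENERIC_GREETINGS = re.compile(r"dear (card ?user|customer|member|user|client)", re.I)
URGENCY = re.compile(r"\b(immediately|urgent|action required|suspended|within 24 hours)\b", re.I)
LINK = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN = re.compile(r"https?://([^/\s<>\"']+)", re.I)

def _host(s):
    """Hostname of the first URL in s, lower-cased, or None if there is no URL."""
    m = DOMAIN.search(s)
    return m.group(1).lower() if m else None

def phishing_indicators(raw, expected_domains):
    """Return the names of the indicators that fire for one raw RFC 5322 message.
    expected_domains: domains the claimed sender really mails from (e.g. {"americanexpress.com"})."""
    msg = message_from_string(raw, policy=default)
    hits = []
    _, addr = parseaddr(msg.get("From", ""))          # display name is ignored; only the address counts
    from_domain = addr.rsplit("@", 1)[-1].lower()
    if from_domain not in expected_domains:
        hits.append("sender-domain-mismatch")
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_addr and reply_addr.rsplit("@", 1)[-1].lower() != from_domain:
        hits.append("reply-to-differs")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    if GENERIC_GREETINGS.search(text):
        hits.append("generic-greeting")               # 'Dear card user' instead of the customer's name
    if URGENCY.search(text) or URGENCY.search(msg.get("Subject", "")):
        hits.append("urgency")                        # pressure to act now
    for href, label in LINK.findall(text):
        if _host(href) and _host(label) and _host(href) != _host(label):
            hits.append("link-text-domain-mismatch")  # what hovering over the link would reveal
            break
    if any(part.get_filename() for part in msg.walk()):
        hits.append("attachment")
    return hits
```

A message that fires several indicators is a candidate for quarantine or for the manual check the article recommends: visiting the claimed sender's site directly rather than through the link.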

“In cases where uncertainty persists as to whether an email is real or fake, my recommendation is to visit the website of the alleged sender through a browser, log into your account and, once inside, check any messages or notifications. Anything important will be in the account notifications. If necessary, contact the company through another official channel and validate the request,” concludes ESET’s Anscombe.