Phishing emails continue to be the preferred attack method for threat actors. They are lost cost and can be mostly automated. The only real defense against them is awareness and diligence.
A brief history of phishing
Early phishing emails used generic language and were mostly text. On occasion, that text would include the name of the organization to increase trust. Users were simply asked to reply to the sender with their username and password.
As technical teams became more aware of the issue, they were able to respond and take action rather quickly. Technology was eventually developed that could detect such messages and block them before they reached anyone. However, this just began a type of cat-and-mouse game between IT and the phishers. That "game" continues today and can be rather advanced.
A few examples of phishing emails
In addition to learning How to Recognize Phishing Emails, seeing actual examples can help users better recognize when they receive one. The following are real phishing emails received by the Information Security Office in the past year.
In this example, the attackers are leveraging a common experience where you are asked to log into another service to access a message. This is normally seen with financial institutions such as your bank. In this case, the Read Message link takes users to a hacked website that had a username and password field.
In this example, the attackers take a simpler approach. They are attempted to create concern in the recipient by saying their email address has expired. The link in the message takes users to a hacked website asking for their username and password.
In this example, the attackers combined both of the above attacks. They first create concern and urgency by indicating there are messages being held pending release. Then it provides an instruction that the messages must be released to the inbox by clicking a link. Again, the link takes users to a hacked website that looks similar to login pages you might normally see.
We know that some of these messages can be very convincing. If something seems suspicious or you just want an extra eye, you can email firstname.lastname@example.org and we will evaluate the message.