What is the term for when human users of a system are tricked into clicking on a link in an email that does not lead to where it says?

The goal of email spoofing is to trick users into believing the email is from someone they know or can trust—in most cases, a colleague, vendor or brand. Exploiting that trust, the attacker asks the recipient to divulge information or take some other action.

As an example of email spoofing, an attacker might create an email that looks like it comes from PayPal. The message tells the user that their account will be suspended if they don’t click a link, authenticate into the site and change the account’s password. If the user is successfully tricked and types in credentials, the attacker now has credentials to authenticate into the targeted user’s PayPal account, potentially stealing money from the user.

More complex attacks target financial employees and use social engineering and online reconnaissance to trick a targeted user into sending millions to an attacker’s bank account.

To the user, a spoofed email message looks legitimate, and many attackers will take elements from the official website to make the message more believable. Here’s an email spoofing example with a PayPal phishing attack:


With a typical email client (such as Microsoft Outlook), the sender address is filled in automatically when a user composes a new message. But an attacker can programmatically send messages using basic scripts in any language that set the sender address to any email address of their choice. Email API endpoints allow a sender to specify the sender address regardless of whether the address exists, and outgoing email servers cannot determine whether the sender address is legitimate.

Outgoing email is transferred and routed using the Simple Mail Transfer Protocol (SMTP). When a user clicks “Send” in an email client, the message is first sent to the outgoing SMTP server configured in the client software. That SMTP server identifies the recipient domain and routes the message to the domain’s email server. The recipient’s email server then delivers the message to the right user inbox.

For every “hop” an email message takes as it travels across the internet from server to server, the IP address of each server is logged and included in the email headers. These headers divulge the true route and sender, but many users do not check headers before interacting with an email sender.

The three major components of an email are:

- The sender address

- The recipient address

- The body of the email

Another component often used in phishing is the Reply-To field. This field is also set by the sender and can be abused in a phishing attack. The Reply-To address tells the client email software where to send a reply, which can be different from the sender’s address. Again, email servers and the SMTP protocol do not validate whether this address is legitimate or forged. It’s up to the user to notice that the reply is going to the wrong recipient.

Here’s an example forged email:


Notice that the email address in the From field claims to be Bill Gates (). There are two sections in these email headers to review. The “Received” headers show that the email was originally handled by the server email.random-company.nl, which is the first clue that this is a case of email spoofing. But the best field to review is Received-SPF: notice that it has a “Fail” status.

Sender Policy Framework (SPF) is a security protocol set as a standard in 2014. It works in conjunction with DMARC (Domain-based Message Authentication, Reporting and Conformance) to stop malware and phishing attacks.

SPF can detect spoofed email, and most email services now use it to combat phishing. But it is the domain holder’s responsibility to set up SPF. To use SPF, a domain holder must publish a DNS TXT record listing all IP addresses authorized to send email on behalf of the domain. With this DNS record in place, a recipient email server looks up the record when it receives a message and checks that the sending server’s IP address is among the domain’s authorized addresses. If there is a match, the Received-SPF field shows a PASS status; if there is no match, it shows a FAIL status. Recipients should review this status when receiving an email with links, attachments or written instructions.
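The header checks described above, as an added Python example that is not part of the original article: it flags a From/Reply-To domain mismatch, reads the Received-SPF result recorded by the receiving server, walks the Received chain to the originating IP, and recomputes the SPF verdict offline. The message, domains, IPs and the SPF TXT record are constructed for the example, and the SPF evaluation is simplified to `ip4` mechanisms plus the terminal `all` (no `include`, `a`, `mx` or live DNS lookups).

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the forged-email walk-through above;
# all names, addresses and IPs are made up for this example.
SAMPLE_RAW = """\
Received: from relay.example.net ([192.0.2.50]) by mx.example.net
Received: from email.random-company.nl ([203.0.113.7]) by relay.example.net
Received-SPF: Fail (mx.example.net: 203.0.113.7 is not a permitted sender for bigcorp.example)
Return-Path: <ceo@bigcorp.example>
From: "Bill Gates" <ceo@bigcorp.example>
Reply-To: <payments@random-company.nl>
To: <finance@example.net>
Subject: Urgent wire transfer

Please wire the funds today.
"""
# Constructed stand-in for the sender domain's SPF TXT record (no DNS lookup is done).
SPF_RECORDS = {"bigcorp.example": "v=spf1 ip4:198.51.100.0/24 ip4:192.0.2.10 -all"}
ALL_RESULTS = {"-all": "fail", "~all": "softfail", "?all": "neutral", "+all": "pass"}

def spf_check(domain, sender_ip, records=SPF_RECORDS):
    """Offline SPF evaluation covering ip4 mechanisms and the terminal 'all' only."""
    record = records.get(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for mech in record.split()[1:]:  # skip the 'v=spf1' version tag
        if mech.startswith("ip4:") and ip in ipaddress.ip_network(mech[4:], strict=False):
            return "pass"
        if mech in ALL_RESULTS:
            return ALL_RESULTS[mech]
    return "neutral"

def analyze(raw):
    msg = message_from_string(raw)
    domain = lambda hdr: parseaddr(msg.get(hdr, ""))[1].rpartition("@")[2].lower()
    from_domain, reply_domain = domain("From"), domain("Reply-To")
    mismatch = bool(reply_domain) and reply_domain != from_domain
    # Each hop prepends a Received header, so the last one names the origin (forgers can add fakes below it).
    hops = msg.get_all("Received") or []
    origin_ip = (re.findall(r"\d{1,3}(?:\.\d{1,3}){3}", hops[-1]) or [None])[0] if hops else None
    received_spf = msg.get("Received-SPF", "none").split()[0].lower()
    # SPF is evaluated on the envelope sender (Return-Path); fall back to From if it is missing.
    recomputed = spf_check(domain("Return-Path") or from_domain, origin_ip) if origin_ip else "none"
    return {"from_domain": from_domain, "reply_to_mismatch": mismatch, "origin_ip": origin_ip,
            "received_spf": received_spf, "spf_recomputed": recomputed,
            "suspicious": mismatch or "fail" in (received_spf, recomputed)}
```

Running `analyze(SAMPLE_RAW)` reports the Reply-To mismatch, the origin IP 203.0.113.7, and a FAIL both from the recorded header and from the recomputed check.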

Social engineering is the fraudulent practice of tricking people into revealing sensitive personal data or sending money to an unintended recipient.

Social engineering attacks use emotion and familiarity to trick users into doing something they otherwise wouldn’t do. An example is a caller pretending to be your boss and asking you to do something important; this works because people tend to trust their bosses more than other people. So if someone calls claiming to be your boss, you'll probably do what they say without thinking too much about it.

Social Engineering Techniques

When malware creators use social engineering techniques, they can lure an unwary user into launching an infected file or opening a link to an infected website. Many email worms and other common types of malware are spread via social engineering schemes.

Social engineering is the act of exploiting human weaknesses to gain access to personal information and protected systems, and criminals use it to get the information they want. Hackers use social engineering to obtain passwords because tricking a person is often easier than cracking the password. Thus, cybercriminals use social engineering to cleverly trick people into giving them personal information or money.

Cybercriminals like to take advantage of the fact that humans are the weak links in the security chain. We can be fooled by people who are not what they seem. We should always check credentials before letting someone into our homes or businesses - and of course, this means being very aware and careful regarding which emails, texts, and other forms of communication we open and respond to.

How Does Social Engineering Work?

Social engineers use a variety of techniques to perform attacks. First, they do research and reconnaissance on the targets. For example, if the target is an enterprise organization (such as a financial institution), they might gather intelligence about the organizational structure, internal practices, common lingo used by employees, and potential business partners. Once they've done this, they'll try to gain initial access to the system. Next, they'll try to get into the systems of the people who have initial access, such as a security officer or receptionist. Then they'll try to learn more about how the company operates. Finally, they'll try to exploit any weaknesses they find.

How to Spot Social Engineering Attacks

Social engineering attacks often come from people who want to get at your personal information. You must be aware of what you're doing online and offline. Don't give out any personal information without thinking about the consequences. A suspicious email address could be an attempt by hackers to get you to open a malicious attachment or download malware. Be careful about opening attachments that appear to be from friends or coworkers, and ask the sender whether they really sent the email. Human error is the weak link in a website's security.

Types of Social Engineering Attacks and Scams

  • Phishing: An attacker sends emails pretending to be legitimate companies or institutions. Users respond with sensitive data, allowing the attacker to steal private information. The attacker may even pretend to be a charity. In addition to spelling and grammar, suspicious attachments, poor layout, and inconsistent formatting are additional indicators of potential phishing attacks. These are all red flags that indicate that there could be malicious activity taking place.

  • Vishing: A social engineering attack that leverages voice communication. VoIP technology makes it easy to spoof caller ID, which exploits people's misplaced trust in the safety of phone services. VoIP also makes it easy to broadcast audio content to an unsuspecting victim.

  • Smishing: A form of social engineering that exploits SMS messages.

Text messages can include links to such things as websites, emails, etc. When clicked, this may automatically open a browser, email, or other application. Users may be tricked into clicking these links and falling victim to malicious activities.

Common Phishing Attack Examples

There are many giveaways regarding phishing.

  • Suspicious sender's address: The sender's address may imitate a legitimate business, and thereby fool someone into thinking it is real. Cybercriminals often use an email address that closely resembles one from a reputable and popular company by altering or omitting a few characters. Even if they use the logo of a legitimate business, look at the return email address to check for misspellings.

  • Generic greetings and signatures: Both a generic greeting such as “Dear Valued Customer” or “Sir/Ma'am” and a lack of contact information in the signature block are strong indicators of a phishing email. We have all received humorous emails, complete with bad grammar, from distant parts of the world indicating that you have been left a huge amount of money from a member of nobility - only requiring a small payment on your behalf to "unlock" and release the funds to you. A trusted organization will normally address you by the name you provide for transactions on that particular website and provide their contact information.

  • Spoofed hyperlinks and websites: Try putting your cursor over any links in the body of the email, and you may discover that the link destinations do not match the corresponding text. Malicious websites may look identical to a legitimate one, but the URL will use a variation in spelling or a different domain (e.g., .com vs. .net), which is very easy to overlook. Additionally, cybercriminals may use a URL shortening service (such as Bit.ly) to hide the true destination of their malicious link.

  • Spelling and layout: Phishing emails often contain poor grammar and sentence structure, misspellings, and inconsistent formatting, all of which are further indicators of phishing attempts. Reputable institutions have dedicated professionals who produce, verify, and proofread customer correspondence before sending it.

  • Suspicious attachments: An unsolicited email requesting a user download and open an attachment is a common delivery technique for sending malware. Cybercriminals often use a false sense of urgency ("You Have Been Selected!" "Act Now to Save 50%") or importance ("Urgent Response Required") to help persuade a user to download or open an attachment without giving it a good examination first.
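To show the hover check from the list above in code, here is an added Python example (not from the original article) that extracts every link in an HTML email body and flags those whose visible text names a different domain than the href points to, or whose href goes to a URL shortener. The HTML body and the shortener list are constructed for this example, and the domain comparison uses a crude last-two-labels rule.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed HTML body with the kinds of links the checklist above describes
# (display text says one thing, the href goes elsewhere); the hosts are made up.
SAMPLE_HTML = """
<p>Your account is on hold. <a href="https://secure-paypa1-login.example/verify">https://www.paypal.com/signin</a></p>
<p>Or use our short link: <a href="https://bit.ly/3xAmPl3">Restore access now</a></p>
<p>Questions? Visit <a href="https://www.paypal.com/help">our help center</a>.</p>
"""

# Domains of common URL shorteners that hide the final destination (partial, illustrative list).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}

def registrable(host):
    # Crude 'brand' domain: last two labels (fine for the demo, wrong for ccTLDs like .co.uk).
    return ".".join(host.lower().split(".")[-2:]) if host else ""

class LinkAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:  # collect the visible anchor text
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def audit_links(html):
    parser = LinkAuditor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_host = urlsplit(href).hostname or ""
        text_host = (urlsplit(text).hostname or "") if "://" in text else ""
        reasons = []
        if text_host and registrable(text_host) != registrable(href_host):
            reasons.append("display text names %s but link goes to %s" % (text_host, href_host))
        if registrable(href_host) in SHORTENERS:
            reasons.append("URL shortener hides destination")
        findings.append({"href": href, "text": text, "reasons": reasons})
    return findings
```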

Educate your employees on how to avoid social engineering scams

Since humans are the target for social engineering scams, employees need to be educated on how to defend themselves from these attacks. The best form of prevention against social engineering attacks is employee training. Teaching your employees how to recognize the previously listed social engineering tactics and avoid them is of the utmost importance.

While machines can be tricked, people are highly susceptible to falling for many manipulative tactics. Using trusted antivirus software to flag suspicious messages or websites is vital, as well.

  • Don't open any emails promising you prizes or notifications of winning.

  • Scrutinize any email attachment before opening.

  • Don't give out personal/business information over the phone unless you have called the company's valid, previously known phone number yourself.

  • Use Multi-Factor Authentication (MFA)

  • Be careful about downloading apps from unknown sources; spam emails can be very dangerous.

  • Contact IT if you're unsure about anything.

In Conclusion

Intel 471's range of intelligence products can help security teams defend against threats such as social engineering and mitigate risks from the underground.

Intel 471’s Adversary Intelligence provides security teams with visibility into the cybercrime underground, including insight into actor tactics, techniques, and procedures (TTPs), motivations, and operations.

Users also can monitor for compromised credentials proactively via Intel 471's Credential Intelligence service, track weaponized malware via our Malware Intelligence and determine patch prioritization of vulnerabilities via our Vulnerability Dashboard.

What is a phishing email?

Phishing is when attackers send malicious emails designed to trick people into falling for a scam. Typically, the intent is to get users to reveal financial information, system credentials or other sensitive data.

What is it called when a hacker tricks someone into giving them information?

Social engineering is the art of manipulating people so they give up confidential information.

When an attacker uses human interaction to obtain or compromise information the process is called?

Social engineering is the term used for a broad range of malicious activities accomplished through human interactions. It uses psychological manipulation to trick users into making security mistakes or giving away sensitive information. Social engineering attacks happen in one or more steps.

What are the 4 types of phishing?

Types of phishing attacks:

  • Spear phishing

  • Whaling

  • Smishing

  • Vishing

What is it called when a hacker tricks an individual?

Social engineering is the art of manipulating, influencing, or deceiving you in order to gain control over your computer system. The hacker might use the phone, email, snail mail or direct contact to gain illegal access.

What is the term used for a phishing attack that is targeted towards a specific person?

Spear phishing is a phishing method that targets specific individuals or groups within an organization.