Phishing: Think! Check the link!
One aspect of our most recent offering – an active adversary phishing simulation – is the tracking we perform on one specific metric.
When we’re engaging a business to measure their response to phishing attempts by bad guys, we carefully track the ‘clicks’ on the links we send. In other words, we want to know when users click on links. Knowing that, we know who needs specific training on one of the most critical elements of cybersecurity – getting phished.
Malicious links that appear in search results, emails and DM inboxes can do a number on an organization. A short list of bad stuff that can happen might look like this: credential harvesting, malware injection and information gathering. Obviously, we want to stop that from happening.
The best thing an organization can do to combat this threat is to create a baseline of common understanding among the users on the network. Education is the very first layer of our stack – and it should be for you, too. Recognizing the bad stuff as it comes in is the first step toward actively mitigating risk.
Here’s an easy way to start practicing a skill that can save you a lot of hassle. Understanding how those links are created, and adopting a simple new workflow to validate them, can help you spot harmful or deceptive links before you click.
The very first step is to take your finger off the trigger. By only using the cursor of your mouse to hover over the link (no clicky!), you can start to piece together where it’s trying to send you.
When you hover over a link, your browser will show you where it’s trying to take you.
So – imagine you’re logged into your email client, halfway through the busiest day of the week. Odds are, you are processing a lot of stuff at the same time – vendor or client requests, meetings, proposals. When you’ve got a message – from anybody – that contains a link, make a quick check at the bottom-left corner of your browser window before clicking through. If the sender has noted that the link is supposed to go to a known vendor website for an update or some kind of important message, but the link reports an unknown address when you hover over it, stop.
Let’s put some context to this.
The way links are generated (if you’re not using a button to do it for you) is like this: <a href="http://somewebsiteontheinternet.com">Link Text</a>
Inside the < > brackets, in the href attribute, you can see the domain name of the site this link has been coded to take the user to; just outside of those brackets, you can see the plain-text title the link has been programmed to display. The two are independent, so a bad guy might tell his link to be titled one thing, but take you to a completely different place.
Let’s test that.
Below this paragraph, I’ll create a link to a bad file (imagine something like Ransomware), but I’ll title it something trustworthy. Use your mouse to hover over the link and inspect the bottom left corner of your browser to verify the destination.
“This is a totally trustworthy link to Wikipedia.”
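The same hover check can be automated for a whole message body. This is an added example, not code from the original post: it pulls every anchor tag out of an HTML fragment, compares the domain the visible text claims against the host in the href (the two independent parts of the tag described above), and flags links like the deceptive “Wikipedia” one. The sample HTML and domain names are constructed for the example.

```javascript
// Added example (not from the original post): compare the domain a link's
// visible text claims against the host its href actually points to.
// The HTML below is constructed for this example; the domain names are samples.

// Pull (href, text) pairs out of an HTML fragment with a simple regex.
// Good enough for a mail body; a production scanner would use a DOM parser.
function extractLinks(html) {
  const re = /<a\s+[^>]*href\s*=\s*["']([^"']+)["'][^>]*>(.*?)<\/a>/gis;
  const links = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    links.push({ href: m[1], text: m[2].replace(/<[^>]+>/g, '').trim() });
  }
  return links;
}

// Hostname of the destination, or null if the href has no usable host.
function hostOf(href) {
  try { return new URL(href).hostname.toLowerCase() || null; } catch { return null; }
}

// First domain-like token in the visible text, e.g. "wikipedia.org" from
// "trustworthy link to Wikipedia.org" or from a pasted URL.
function domainInText(text) {
  const m = text.match(/(?:https?:\/\/)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)/i);
  return m ? m[1].toLowerCase() : null;
}

// Verdict: 'match' when the claimed domain is the href host (or a parent of it),
// 'MISMATCH' when the text names one domain and the href goes somewhere else.
function checkLink(link) {
  const host = hostOf(link.href);
  const claimed = domainInText(link.text);
  if (!host) return { ...link, verdict: 'no-host' };
  if (!claimed) return { ...link, host, verdict: 'no-domain-in-text' };
  const same = host === claimed || host.endsWith('.' + claimed);
  return { ...link, host, claimed, verdict: same ? 'match' : 'MISMATCH' };
}

function scan(html) { return extractLinks(html).map(checkLink); }

// Constructed sample: a plain link, a deceptive one, and an honest one.
const SAMPLE_HTML = `
<a href="http://somewebsiteontheinternet.com">Link Text</a>
<a href="http://somewebsiteontheinternet.com/update.exe">This is a totally trustworthy link to Wikipedia.org</a>
<a href="https://en.wikipedia.org/wiki/Phishing">https://en.wikipedia.org/wiki/Phishing</a>`;

for (const r of scan(SAMPLE_HTML)) console.log(r.verdict, '->', r.href);
```

A 'MISMATCH' verdict is exactly what the hover check would show you: the text says one site, the status bar says another.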
Here’s the best part.
The process behind verifying a link only takes a second – if that. Before you click: Think! Check the Link!