Cybersecurity New Year’s Resolution #3: Test your phishing awareness
This January, we’re giving you four ways to stay digitally safe in the coming year. We’re calling these “cybersecurity New Year’s resolutions”, but really, these are best practices that you can implement at any time. And if you’re already doing some or even all of these things, take a moment to share these suggestions with a family member, friend, or coworker: It could make a real difference to them in the year to come.
Why you should do it
Over the last couple of weeks, we’ve talked about how to improve your cybersecurity posture with password managers and two-factor authentication. And if you listen to our Checklist Podcast, you know that we’re always telling people to keep on top of their updates! But aside from poor password practices and unpatched software, one of the main threat vectors used by malicious actors is phishing. We all know that we should be on the lookout for phishing scams, but as penetration tester and security expert Georgia Weidman put it, “Detecting sophisticated phishing attacks is easier said than done”. By testing your knowledge of the full spectrum of phishing tactics out there — by seeing what you know…and what you don’t — you’ll be better equipped to deal with even the sneakiest of phishing attempts.
Time investment: Low — 10 to 20 minutes, depending on how fast you are and how many explanations you need to read through.
How to do it
Just click the link below to start the quiz! Wrong answers are marked as such, with a bit of explanation as to why they’re not correct. Full explanations are available at the end of the quiz, along with some feedback about how you did overall.
Good luck, and don’t forget to join us next week for our final Cybersecurity New Year’s Resolution of the year!
Phishing Awareness Quiz
Question 1
A) True. Hint: False. It’s true that hackers have frequently tried to pass off executable files as image files by giving them names like “photo.jpg.exe”. But there is a far more sophisticated form of malware delivery that relies on “ordinary” image files. Click on the correct answer to learn about it.
B) False. Hint: Correct! That’s right. You should never download files from unknown sources — even seemingly ordinary photos. Image files such as .jpg or .png files are just collections of data, and bad actors have been known to insert malicious code in the midst of all that data: malware hiding in plain sight, as it were. This increasingly common practice has a name: steganography. This is why it’s important to only download attachments from trusted sources, even if the file in question appears to be an innocent image.
Question 2
A) True. Hint: Correct! That’s right! HTTPS simply means that the site in question is using a secure, encrypted protocol to transfer data between the server and your browser. This is definitely a good thing, as it helps prevent data tampering and digital snooping by third parties, and lets you know that the site isn’t a fake version of the actual site you’re trying to visit. But HTTPS doesn’t provide any guarantees about the owners of the site, or their intentions. And if those site owners are malicious actors, then all you’re doing on their HTTPS site is securely transferring your personal data to bad guys, or downloading “authentic” malware! Unfortunately, hackers know that people have been trained to look for HTTPS as a sign of a secure site, and attempt to exploit this by creating HTTPS sites for their phishing attacks. In fact, research has found that over half of the links used in recent phishing attacks were HTTPS links. So don’t let that little padlock icon in your browser fool you: Just because it’s HTTPS doesn’t mean it’s safe!
B) False. Hint: The “S” in “HTTPS” does stand for “secure”, but HTTPS URLs can still be used in phishing attacks. Click on the correct answer for details.
Question 3
A) Ignore the email, since you can’t be completely sure it’s legitimate. Hint: Probably not a great idea, as you might be missing important information about your shipment.
B) Click on the link and track your package; the risk is minimal. Hint: If you’ve done your due diligence and you’re confident that the email really comes from FedEx, this is acceptable. But it’s probably not the safest option.
C) Call the FedEx customer service number provided in the email. Hint: This isn’t correct. If you’re not sure whether or not an email is legitimate, then you can’t trust any information it contains. Malicious actors set up fake phone numbers all the time in order to take advantage of people who call “customer service”.
D) Navigate to the FedEx site by yourself and check it out. Hint: Correct! This is probably the safest way to handle emails like this. If you go to fedex.com, you can enter a tracking number manually or log in to your account area directly. You’ll be able to see any legitimate alerts there, and handle them yourself, without ever clicking on a link that came in an email. In general, this is a good habit to get into, whether you’re dealing with a shipping company, your bank, PayPal, or really anything else where there’s an existing account area you can log into or a case or tracking number you can look up.
Question 4
A) True. Hint: Incorrect. To find out why you can’t always believe that “trusted” number, click on the correct answer.
B) False. Hint: Correct! This example is based on a real-life case of a scam which targeted iPhone users a few years back. Hackers are able to manipulate the number which shows up in your caller ID so that they appear to be calling from a legitimate or local number, even when they’re halfway around the world. This is known as “caller ID spoofing”. Even if you recognize a number, or if it appears to be from your area, there’s no guarantee that the call is actually originating from the number you see in your caller ID. Malicious actors will often know a surprising amount about their targets as well, and will use that information in order to gain their trust. But don’t be fooled: This is the kind of information which is often publicly available, or which is collected, traded, and sold by hackers after a data breach. Technical issues aside, organizations like Apple, banks, or the IRS will simply never contact you in this way: The call in and of itself is a red flag. If the person on the other end asks for account information, personal details, or passwords, or if they attempt to bully or scare you into cooperating by telling you you’re in danger or are facing criminal penalties, then you can be sure that you’re dealing with a scammer. Just hang up.
Question 5
A) Yes. Hint: Correct! That’s right. Even though the sender is “news” and the unsubscribe URL is “newsletter”, the company domain appears to be the same, which is what you should always be checking for. In an actual email (in other words, when you’re not taking an online quiz), it’s important to confirm the domain by looking at the original email header, since hackers will sometimes spoof the sender domain — meaning that the email header is the only place you’ll be able to see the sender’s real email address. It’s also important to pay careful attention to the spelling of the domain in question, since malicious actors will sometimes register similarly spelled domain names in the hopes of tricking unwary users: There could be a big difference between “starbucks.com” and “starrbucks.com”! The long string of characters after the link may look a little phishy, but it’s just a way for the company to track clicks so they can gather information on who unsubscribes from their mailing list. Plus, you know the sender and they have a reason to be sending you an email...even if you don’t want it. All in all, a pretty low-risk click.
B) No. Hint: You’re a cautious one! But this link should be reasonably safe. We’re usually pretty wary of weird-looking links, but this one has several signs that point to its legitimacy. Click on the correct answer to find out what those are.
Question 6
A) True. Hint: Actually, there’s a lot of evidence to indicate that this is false. To find out why, click the correct answer.
B) False. Hint: Correct! According to government and industry research groups, there are periodic spikes in phishing attacks, most notably around the holiday shopping season. This is because people are online more often during this time of year, and legitimate companies are sending out lots of marketing emails with links, coupons, and special offers, making it easier for a malicious actor’s phishing link to slip through unnoticed amidst all the other emails. That’s why it pays to be extra cautious around the holidays. It’s also a good idea to be especially vigilant, even skeptical, any time there is a news story about a large company suffering a data breach. Criminals know that people have probably heard about the breach, and they use this fact against their targets. For example, when the credit bureau Equifax suffered a major data breach, it made headlines — but this in turn generated phishing scams designed to take advantage of the situation, with bad actors attempting to impersonate Equifax employees in an attempt to steal personal data and account information. So if you’ve read about Company X having some widely publicized security issue, be on your guard if you receive an email from someone claiming to be with that company.
Question 7
A) Yes. Hint: No, it isn’t. Hover over the link in the question with your mouse or click on the correct answer to find out why.
B) No. Hint: Correct! That’s correct. As you probably noticed, the text of the link contains a legitimate PayPal URL, but the actual destination is an illegitimate (but very similar) URL: “pay-pal.com”. Always hover over a link with your mouse to see where it really goes, and watch out for lookalike URLs, which are a common tactic used in phishing emails. This can get very, very tricky — with scammers even taking advantage of the visual similarities between letters in Roman and non-Roman alphabets to create domains that look completely legitimate, but are actually malicious. Browser manufacturers have taken steps to combat this, but it’s worth a mention simply because it underscores the lengths to which hackers will go in order to create a convincing scam!
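Questions 5 and 7 both come down to the same three checks: does the domain written in the link text match where the link really goes, does the link’s domain match the sender’s domain, and are any of the letters in the hostname lookalikes from another alphabet? The script below is an added example, not part of the original quiz, that runs those checks over a constructed sample email body; the newsletter.starbucks.com unsubscribe link, the pay-pal.com lookalike and the Cyrillic-‘а’ homograph domain are all constructed for the demo.

```python
import re
from urllib.parse import urlparse

# Crude anchor extractor; fine for a demo, a real mail scanner would use an HTML parser.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_IN_TEXT_RE = re.compile(r"[\w.-]+\.[a-z]{2,}", re.I)  # a domain written in link text

def host_of(value):
    """Lowercase hostname of a URL or bare domain, with punycode (xn--) labels decoded."""
    if "://" not in value:
        value = "http://" + value
    host = (urlparse(value).hostname or "").lower()
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host  # already Unicode (raw homograph) or undecodable: keep as-is

def registrable(host):
    """'newsletter.starbucks.com' -> 'starbucks.com' (last two labels; a real tool uses the Public Suffix List)."""
    return ".".join(host.split(".")[-2:])

def suspicious_links(html, sender_address):
    """Return [(href, [reasons])] for each link failing the quiz's checks: link text naming
    another domain, a domain other than the sender's, or a non-ASCII (lookalike) hostname."""
    sender = registrable(host_of(sender_address.split("@")[-1]))
    findings = []
    for href, text in ANCHOR_RE.findall(html):
        dest = registrable(host_of(href))
        reasons = []
        shown = DOMAIN_IN_TEXT_RE.search(re.sub(r"<[^>]+>", "", text))
        if shown and registrable(host_of(shown.group(0))) != dest:
            reasons.append("text shows %s but link goes to %s" % (shown.group(0), dest))
        if dest != sender:
            reasons.append("link domain %s differs from sender domain %s" % (dest, sender))
        if any(ord(c) > 127 for c in dest):
            reasons.append("non-ASCII hostname (possible homograph of a Latin name)")
        if reasons:
            findings.append((href, reasons))
    return findings

# Constructed sample email body: a lookalike link, a legitimate tracked unsubscribe
# link, and a homograph domain built from a Cyrillic 'а' (U+0430) in place of Latin 'a'.
HOMOGRAPH_URL = "http://" + "p\u0430ypal.com".encode("idna").decode("ascii") + "/"
SAMPLE_HTML = (
    '<a href="http://pay-pal.com/login">https://www.paypal.com/account</a>'
    '<a href="https://newsletter.starbucks.com/unsub?u=4f9c1e2b7a">Unsubscribe</a>'
    '<a href="' + HOMOGRAPH_URL + '">PayPal</a>'
)
```

Calling `suspicious_links(SAMPLE_HTML, "news@starbucks.com")` flags the pay-pal.com link and the homograph link and leaves the tracked unsubscribe link alone, which is exactly the call the quiz wants you to make by hand.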
Question 8
A) Malicious attachments and links in emails. Hint: This is the one we’ve all heard about, and is the focus of most security training...but alas, it’s not the only method used by hackers.
B) Links on social media sites like Facebook and Twitter. Hint: If it links somewhere, it can be malicious. But there’s more than one way to go phishing!
C) QR codes and SMS messages. Hint: Most people don’t realize that it’s possible to conduct phishing attacks this way, so good work...but the bad news is that there are even more ways for bad actors to phish their victims.
D) Telephone calls. Hint: Some phishing scams are conducted via telephone. But there are plenty more tricks up the hackers’ sleeves.
E) A & B. Hint: These are probably the most common forms of phishing — but far from the only ones.
F) All of the above. Hint: Correct! That’s right. Hackers use all of these as phishing techniques. Anything that contains a link is a potential phishing attack, so it pays to always be careful when clicking on a link, and not only when dealing with links you’ve received in an email, but also those coming through social media, QR codes, or SMS messages. If you don’t know and trust the sender, beware — and always try to figure out where the link is trying to take you to make sure it’s a legitimate site. Similarly, if someone calls you saying they’re from your bank, Apple Support, or the IRS, don’t just take them at their word: There have been many instances of “phone phishing” in which unwary marks have given personal information and account details to malicious actors.