You have to hand it to those hackers. If there’s a way to trick you with a phishing email, they’ll figure it out. One of the best ways hackers try to trick you with a phishing email is to take advantage of the way web pages are rendered.

Web pages are displayed on your computer and your mobile phone using HTML (hypertext markup language) and CSS (cascading style sheets). These technologies are well-understood and have been around for a long time. One of the things that makes these technologies so powerful is how flexible they are.

The flexibility in these technologies allows them to do many things, including giving webpages depth using the z-index property in CSS and accommodating languages that can be read in both directions. Unfortunately, this flexibility can also be used to phish you.

First, they came up with invisible links to phish you. Here they replace a malicious link with a graphical element like a hair or a speck of dust. When you go to wipe it off your screen, you end up launching a phishing attack.

Next, it was invisible characters. With this technique, hackers add invisible letters to words that you don’t see but the spam filters do. Since the spam filters see the fake words, the emails appear to be legitimate and pass right through to you, where you unsuspectingly click on a malicious link composed of the visible letters.

Well, the hackers have done it again, taking advantage of the way HTML/CSS renders web pages to sneak phishing emails by security filters and right into your inbox. According to Dark Reading, this new attack, called the text direction deception, is “a tactic where an attacker forces an HTML rendering engine to correctly display text that has been deliberately entered backward in the code — for example, getting text that exists in HTML code as ‘563 eciffO’ to render forward correctly as ‘Office 365.’”

“Office 365” is a big trigger word for security filters. It’s unlikely an email containing that would get by. But an email containing “563 eciffO” slips right by because the filters aren’t trained to look for that. But, when it renders, it displays as Office 365 for humans, which is the ideal starting point for crafting a phishing email.
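Added example, not from the original article or from Dark Reading: a filter-side check that rebuilds the text as a reader sees it before keyword matching, and reports trigger words that appear only in the rendered view. It assumes the reversal is done with `<bdo dir="rtl">` or the CSS pair `direction: rtl` plus `unicode-bidi: bidi-override` (the article does not name the mechanism); the sample email and the names `RenderedText` and `check_body` are constructed for illustration.

```python
import re
from html.parser import HTMLParser

TRIGGERS = ("office 365",)  # keyword from the article; a real filter has its own list
VOID = {"br", "img", "hr", "meta", "input", "link"}  # tags that never get a closing tag

def forces_rtl(tag, attrs):
    """True if the element makes its characters display in reverse order."""
    a = {k: (v or "").lower() for k, v in attrs}
    if tag == "bdo" and a.get("dir") == "rtl":
        return True
    style = a.get("style", "")
    return bool(re.search(r"unicode-bidi\s*:\s*bidi-override", style)
                and re.search(r"direction\s*:\s*rtl", style))

class RenderedText(HTMLParser):
    """Rebuilds the visible text, reversing runs that sit inside an RTL override."""
    def __init__(self):
        super().__init__()
        self.stack, self.out, self.buf = [], [], []

    def handle_starttag(self, tag, attrs):
        if tag not in VOID:
            self.stack.append(forces_rtl(tag, attrs))

    def handle_endtag(self, tag):
        if tag in VOID or not self.stack:
            return
        if self.stack.pop() and not any(self.stack):  # left the outermost override
            self.out.append("".join(self.buf)[::-1])
            self.buf = []

    def handle_data(self, data):
        (self.buf if any(self.stack) else self.out).append(data)

def check_body(html):
    """Return the rendered text and any trigger words absent from the raw source."""
    p = RenderedText()
    p.feed(html); p.close()
    rendered = " ".join("".join(p.out + ["".join(p.buf)[::-1]]).split()).lower()
    raw = " ".join(re.sub(r"<[^>]+>", " ", html).split()).lower()
    return {"rendered": rendered,
            "hidden_triggers": [t for t in TRIGGERS if t in rendered and t not in raw]}

# Constructed sample body, using the reversed string quoted in the article.
SAMPLE = ('<p>Your <span style="unicode-bidi:bidi-override; direction:rtl">'
          '563 eciffO</span> password expires today.</p>')

if __name__ == "__main__":
    print(check_body(SAMPLE))
```

A non-empty `hidden_triggers` list is a strong signal on its own, since ordinary right-to-left mail has no reason to reverse a Latin brand name character by character.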

The email you see in your inbox is not always the way it was crafted. That’s why it’s almost impossible for humans to protect themselves from phishing emails, no matter how much awareness training they have. There are just too many tactics available to scammers to trick humans and even most security filters. But, there is one technology that doesn’t fall for any of these phishing tactics: cloud-based Phishing Protection like that available from DuoCircle.

The truth is, if Phishing Protection looked at the HTML/CSS the same way humans do, it would get tricked just as easily, but it doesn’t. In fact, it doesn’t look at the HTML/CSS at all. It only looks at the website the link in the email points to. And if the link points to a malicious website, it doesn’t care one bit about what the rest of the email contains. It knows it’s a phishing email and it keeps it out of your inbox so that you never even see the hacker’s handiwork.

The only way you’ll ever really protect yourself from these clever hackers is to utilize technology that doesn’t fall for any of their tricks. Technology like Phishing Protection.

Check out Phishing Protection. It works with all major email providers, sets up in 10 minutes and only costs pennies per month per user. Try it risk free for 30 days. Don’t let the hackers win.
