Tips for Spotting a Phishing Email

Cross posted from http://www.securit360.com/blog where I am a regular author.

Every day users are targeted with phishing emails from all around the world.  These emails can range from overtly “spammy” and easy to detect, to quite sophisticated an difficult to notice.  We have found that this is typically the least defended position in an organization, as well as one of the easiest to exploit.  Even organizations with millions of dollars worth of network security equipment can be vulnerable if even a single user clicks on a malicious link.  Here are some tips and tricks for spotting phishing emails:

Do You Know the Sender?

There are two parts of an email that make the ‘sender’ portion of an email, the “From” field and the “Reply-To” address.  The “From” field identifies the name of person who sent the email.  This field can easily be spoofed.  The “Reply-To” address is the email address that will receive an email if you reply to it.  This cannot be spoofed; therefore, what you see is who you will send the email to.  For example, the following headers show the “From” and “Reply-To” fields in this phishing email: phish-headers Outlook displays the following information:phish-outlook If an email purports to be from a well known brand or company, but the actual email address does not appear to be one that would come from that company (USPS <info (at) mg-ap.com>) then the email should be deleted.

Is This Something You Expected?

Let’s say you received an email from UPS stating that a package was undeliverable.  Ask yourself, were you expecting a package, or did you order anything?  More often than not, the justification for receiving a phishing email simply wont make sense.  Another type of a phishing email could claim to be from a financial institution.  Perhaps the email couple appear to be from a bank, or it might request account, or credit card information.  You should ask yourself, “do you actually have an account with this bank?”  If not, it is probably a phishing scam, and should be deleted.  If emails such as these contain very specific information about you, or believe that you may have inadvertently been compromised, you should check your credit report and make sure no new accounts have been opened in your name.

Did Your Systems Flag This as Suspicious?

phish2 Many times email clients do a pretty good job of recognizing spam.  More often than not, you should trust the email client’s recommendations, and delete these messages.  As you can see in the photo above, Outlook recognized this email as spam and moved it to the junk mail folder.  This automatically prevents images from being downloaded, and blocks any links that may be in the email.

Are There Grammar Mistakes?

Emails from large corporations will go through rigorous proofs and checks for grammar.  This does not mean that they will never have mistakes, however, mistakes are usually unlikely, and very few in number. Our courier couldnt make the delivery of parcel to you at 20th April. Notice in the above example that there is no apostrophe in “couldn’t” and the word “the” is missing before “parcel”.  These errors are dead giveaways.  Additionally, the US is one of the only countries in the world that uses the MMDDYYYY format for dates.  This email used DDMM format which is common throughout the rest of the world.  This wouldn’t have come from the USPS.

Is a File Attached?

Many phishing emails will attempt to have the user open malicious files.  Most email systems will block file with executable program extensions (such as .exe or .bat) however, there are many known vulnerabilities in other well known file types, such as Adobe.  They could also try to mask malicious files within a ZIP file.  Flags should be raised any time an unexpected email is received with attachments, especially if the email matches any other of the signs listed in this article.

Does The Email Ask for Personal Information?

Financial institutions will never ask for personal information in an email.  They will also never ask for a password at any time, whether via email or on the phone.  Most phishing emails will attempt to glean some sort of personal information, whether its as simple as trying to get a user to respond to an email simply to determine whether or not that email is valid, to asking for usernames and passwords, or banking information.  Sometimes an attacker will ask for the information directly in the email, but most will link to a separate file or web page which will ask a user for information.  Guard this information well.

Are There Links In The Email?

Before ever clicking a link in any email from anyone, first hover over the link to see if the link in the ToolTip matches the link you see and to make sure the URL is something you recognize.  If it is not a .com URL, then I would be highly suspicious.  The email below says it is from USPS, however, look at the URL when we hover over the link:phish-url   Checking URLs in an email should become second nature, otherwise, you will eventually click a malicious link.  Another item of note is that, even if you recognize the URL, any URL that ends in .php should automatically require extra scrutiny.

Conclusion

Once you learn what typical physical emails are comprised of, your ability to spot one will significantly improve.  Phishers can become sophisticated when they are specifically targeting individuals or organizations.  These take a great deal of acumen to spot.  However, these typically follow the 80/20 rule.  You spend 20% of your effort to spot over 80% of phishing emails.  According to Symantec, 1 in 392 emails contain a phishing attacks.  They are not uncommon, and if successful, can be very dangerous.  Stay vigilant.

Leave a Reply

Your email address will not be published. Required fields are marked *

*