
10 tips for spotting a phishing email

Phishing emails insinuate themselves into inboxes year-round, but the holidays bring out a rash of new scams. Help your users spot "fishy" emails.

Every day countless phishing emails are sent to unsuspecting victims all over the world. While some of these messages are so outlandish that they are obvious frauds, others can be a bit more convincing. So how do you tell the difference between a phishing message and a legitimate message? Unfortunately, there is no single technique that works in every situation, but there are a number of different things that you can look for. This article lists ten.

1. The message contains a mismatched URL

One of the first things that I recommend checking in a suspicious email message is the integrity of any embedded URLs. Oftentimes the URL in a phishing message will appear to be perfectly valid. However, if you hover your mouse over the URL, you will see the actual hyperlinked address (at least that’s how it works in Outlook). If the hyperlinked address is different from the address that is displayed, then the message is probably fraudulent or malicious.

2. URLs contain a misleading domain name

Oftentimes people who launch phishing scams depend on their victims not knowing how the DNS naming structure for domains works. It is the last part of a domain name that is the most telling. For example, the domain name info.brienposey.com would be a child domain of brienposey.com because brienposey.com appears at the end of the full domain name (on the right-hand side). Conversely, brienposey.com.maliciousdomai.com would clearly not have originated from brienposey.com because the reference to brienposey.com is on the left side of the domain name, not the right.

I have seen this trick used countless times by phishing artists as a way of trying to convince victims that a message came from a company like Microsoft or Apple. The phishing artist simply creates a child domain bearing the name Microsoft, Apple, or whatever. The resulting domain name looks something like this: Microsoft.maliciousdomainname.com.
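To make tips 1 and 2 concrete, here is an added example (not part of the original article) that pulls every link out of an HTML message body, compares the displayed address with the real href target, and checks that the target host actually ends in the trusted domain rather than merely containing it somewhere on the left or in the path. The sample message and the choice of brienposey.com as the trusted domain are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


def host_of(text):
    """Lower-cased host of a URL or bare domain name ('' if none)."""
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower().rstrip(".")


def is_same_or_child(host, trusted):
    """Tip 2: the trusted domain must be the RIGHT-most labels of the host, so
    info.brienposey.com passes and brienposey.com.maliciousdomai.com fails."""
    trusted = trusted.lower().rstrip(".")
    return host == trusted or host.endswith("." + trusted)


def analyse_link(href, visible, trusted):
    """Findings for one anchor in a message that claims to come from `trusted`."""
    findings, href_host = [], host_of(href)
    # Tip 1: displayed text is itself a URL/domain but points somewhere else.
    looks_like_url = "." in visible and " " not in visible.strip()
    if looks_like_url and host_of(visible) != href_host:
        findings.append("mismatched-url")
    if not is_same_or_child(href_host, trusted):
        # Trusted name present, but only as a left-hand label or in the path.
        tag = "trusted-name-misplaced" if trusted.lower() in href.lower() else "untrusted-domain"
        findings.append(tag)
    return findings


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML message body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def scan_email(body, trusted):
    """Return [(href, visible text, findings)] for every link in the message."""
    parser = _LinkCollector()
    parser.feed(body)
    return [(h, v, analyse_link(h, v, trusted)) for h, v in parser.links]


# Constructed sample message; the domain names are the ones used in the article.
SAMPLE_EMAIL = """<p>Dear customer,</p>
<a href="https://info.brienposey.com/login">https://info.brienposey.com/login</a>
<a href="http://brienposey.com.maliciousdomai.com/verify">https://www.brienposey.com/verify</a>
<a href="http://maliciousdomainname.com/brienposey.com/signin">Click here</a>"""
```

Calling `scan_email(SAMPLE_EMAIL, "brienposey.com")` flags the second link for both a mismatched display address and a misplaced trusted name, and the third for the trusted name appearing only in the path.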

3. The message contains poor spelling and grammar

Whenever a large company sends out a message on behalf of the company as a whole, the message is usually reviewed for spelling, grammar, legality, and a number of other things. As such, if a message is filled with poor grammar or spelling mistakes it probably didn’t come from a major corporation’s legal department.

To give you a rather amusing example, I received an email message a few weeks ago that was supposedly from one of the large real estate companies. However, the body of the email merely said, “Me buy house fast”. Obviously, that email was not legit.

I’ll concede that this particular message was more spam than phishing, but the same basic principle applies to phishing emails as well.

4. The message asks for personal information

No matter how official an email message might look, it is always a bad sign if the message asks for personal information. Your bank doesn’t need you to send them your account number. They already know what it is. Similarly, a reputable company should never send an email asking for your password, credit card number, or the answer to a security question.

5. The offer seems too good to be true

There is an old saying that if something seems too good to be true, it probably is. That saying holds especially true for email messages. If you receive a message from someone unknown to you who is making big promises, then the message is probably a scam. After all, why would a Nigerian prince that you have never heard of contact you to help him smuggle money out of his country?

6. You didn’t initiate the action

Just yesterday I received an email message informing me that I had won the lottery!!!! The only problem is that I never bought a lottery ticket. If you get a message informing you that you have won a contest that you did not enter, then you can bet that the message is a scam.

7. You are asked to send money to cover expenses

One telltale sign of a phishing email is that you will eventually be asked for money. You might not get hit up for cash in the initial message, but sooner or later a phishing artist will likely ask for money to cover expenses, taxes, fees, or something like that. If that happens, then you can bet that it’s a scam.

8. The message makes unrealistic threats

Although most phishing scams try to trick people into giving up cash or sensitive information by promising the victim instant riches, other phishing artists use intimidation to scare the victim into giving up information. If a message makes unrealistic threats, then the message is probably a scam. Let me give you an example.

About ten years ago, I received a very official-looking letter that was allegedly from US Bank. Everything in the letter seemed completely legit except for one thing. The letter said that my account had been compromised and that if I did not submit a form (which asked for my account number) along with two forms of picture ID, then my account would be canceled and my assets seized.

I’m not a lawyer, but I’m pretty sure that it’s illegal for a bank to close your account and seize your assets simply because you didn’t respond to an email message.

The amusing part, however, was that the only account I had with US Bank was a car lease. There were no deposits to seize because I did not have a checking or savings account with the bank.

9. The message appears to be from a government agency

Phishing artists who want to use intimidation don’t always pose as a bank. Sometimes phishing artists will send messages claiming to have come from a law enforcement agency, the IRS, the FBI, or just about anything else that could scare the average law-abiding citizen.

I can’t tell you how government agencies work outside of the United States. In America, however, government agencies do not normally use email as the initial point of contact. That isn’t to say that law enforcement and other government agencies do not use email; they do. However, law enforcement agencies follow certain protocols. They do not engage in email-based extortion (at least that hasn’t been my experience).

10. Something just doesn’t look right

In Las Vegas, casino security teams are taught to look for anything that JDLR, as they call it: just doesn’t look right. The idea is that if something just doesn’t look right, then there is probably a good reason why. This same principle almost always applies to email messages. If you receive a message that seems suspicious, then it is usually in your best interest to avoid acting on the message.

34 comments
samaira_rogers

Although email scams are one of the most common ways of phishing attack, there are some other techniques through which phishers approach innocent victims, like smishing, spear phishing, etc.

Smishing is similar to phishing (http://tinyurl.com/qj5x3tq); the only difference is that, instead of sending fraudulent emails, phishers try to get your personal credentials like bank details, credit card details, etc. by means of spam calls or messages.


finn_roy

Phishing is a fraudulent event to snoop users' personal or private information. Be aware of such kinds of scams; they seem to be legitimate at first glance, but end up revealing all your financial information.

Gisabun

Phishers tend to send you a message addressing you using the first part of your Email address [i.e."Dear jsmith" when your address is jsmith@whateverdomain.copm].

I've also seen sloppy message formatting [not talking about typos].

Also seen them saying you'll receive $6.5m instead of $6.5 million or $6.5 - forgetting to add "million" - wow $6.50!!!

Finally sometimes they are also out of touch. For example using a company logo from a couple of years ago.

Oh ya. How did a bank/company you never dealt with want to give you money?

kfilius

How about receiving an SMS message stating that my phone number has been drawn in a lottery.

TreePapa

If it looks like a duck, walks like a duck, and quacks like a duck, it's a duck.


Just another way of saying it just doesn't look right, but most spam and phish emails are so easy for a critical observer to spot, it is amazing anyone really falls for them.

57thCork

Hi Brian. A method used by phishers to appear to bypass the URL format is to start with their real URL followed by a forward slash (/) and then a legit URL such as PayPal.com. This appears to look legit, but the / only references a page on the phisher's web site.

Snak

Vsandor has added one sign that really should be in the list, and actually quite high up that list. Any email from a company you deal with starting 'Dear Customer' is either spam or a phish.


agrajag

#12....the sender is called Rod  :-)

firstaborean

Another aspect of this is that some spam, including phishing spam, contains hidden links, as in one-pixel graphics.  Users need to be trained to view E-mail of which they have any degree of uncertainty in "View Source" mode, so that no links are made to work, no malware operates, and everything can be seen, including the very-important header content.  All too many users keep the preview pane open, which virtually ensures that any malign content becomes active.

info

Hopefully the phishers won't read this article. Then they'll know what to fix! ;)

jemorris

Brien, could you put this into a downloadable PDF format? It covers the most common issues we see everyday. Most of my users are wary of some of these things but a hand-out in every day language would be a plus.

Another thing we're starting to see are targeted phishing attempts and a drop off of the generic mass mailed types. I've also been keeping diligent in training the SPAM filter to better catch the generic type. I'm seeing less of these in the filter itself.

falasi4

Don't rely on the links in emails to take you to a site that you normally go to by typing it in/favorites list.

If unsure the site is legit, try logging on with bogus login info/password, and if you get logged on, the site is a scam and collecting login/password for them to use in some way on the real site.

majikthorne

I get phishing e-mails all the time allegedly from my bank saying something like "your account has been compromised and locked, in order to unlock your account log in with the link provided and input your user name and password and then follow the prompts to change your log in information". I don't do this, but what I do is forward this e-mail to my bank's anti-abuse e-mail addy so they can do the magic they do with it. Credit card companies and banks, PayPal, lawyers, your ISP, the phone company, etc. will NOT ask you for vital info in an e-mail; they will send you a letter. The same applies to people you don't know wanting to send you money from their dead client in some foreign country, and needing your account and routing number so they can deposit the money in your account via a wire transfer. It's just common sense, people. There are NO Russian or Polish girls wanting to meet you; there is no magic pill that will make women crave your sex or make your penis bigger. The United States Postal Service, FedEx, UPS, or any other carrier of packages and mail will not send you an e-mail to let you know your package is ready for pick up. If you asked for tracking when someone ships something to you, you will be provided with a tracking number and will have to log into the shipper's site and input that number to get info on the package's whereabouts. If they try to deliver something that requires a signature and you're not home, they will stick a little form in your mail box or front door saying something like "Sorry we missed you". All we need to do to protect ourselves is Wake Up and Stay Frosty.

jlc_918

I read an article recently about a man who received an email that said he had to pay a fine because he had been caught looking at child pornography. Instead of clicking the link in the email, he brought his computer to the local police department and they arrested him.

sparent

I was prey to an interesting phone phishing expedition. This gentleman with a really heavy accent tells me he is from my ISP (he did get the right company). He then proceeds to tell me that all my home computers are infected with a virus. He wants to tell me exactly what I should do to fix the problem.

Needless to say, he did not stay on the phone when I started asking him the name of the virus, how he knew about the infection, etc.

vsandor

Generally speaking, a legit e-mail should address you by name, especially if it comes from a source with which you do business. When you get mails from PayPal or any bank saying "Dear valued customer" or words to that effect, you can be fairly sure it's phishing.

grh

Latest scam seems to be Amazon/parcel carriers. Your Amazon order has....

This is especially dangerous at this time of year because many people have ordered from Amazon.

They are getting much more convincing too and rely on people being in a hurry to see what has happened to their order.

newcreationxavier

There is one I noticed. I got an email from my email. I was like "what?" Then I read through the email. It wasn't nice. I didn't send me no mail. And it is Gmail by the way. I figured okay, account compromised, time to seize it back. I changed my password. Two days after I got another email from myself. I got really upset now. So I changed my password to something more complicated. The following day I still got an email from myself. I was really upset and if Thor, DoomsDay and the Silver Surfer had showed up, I'd have knocked 'em all out cold, buried, dead plus a remembrance anniversary. Lol.

I calmed down and said to myself, "Jimmy, you are the guru here, think!” And voila, I got it. All that was required was a simple mistake of clicking anything or replying. I did neither. I thought of the longest rap song in the world, threw in some complications, and that became my password. No dictionary attack can crack a complicated rap song. #InYourFacePhisers!!

witkovsm

These are great tips.  However, does anyone have any suggestions for me?  Where I work, we routinely deprovision thousands of computer accounts each year because the individuals are no longer entitled to them.  As a courtesy, we send an email warning them that their account will be deleted in 2 weeks.  There are no URLs in the message and the from address is our Help Desk (not a bogus address).  However, every year there are a percentage of people who think the message is spam/phishing.  Anyone have any suggestions on crafting a better email or a different method of communication?  


Thanks,

mandi

whitehound

There's recently been a very clever phishing scam operating over the 'phone here in the UK. The phishers claim to be from your bank, asking for personal details, and they tell you that just so you can be certain that they're for real they'll go off the 'phone while you call your bank to check. Then they make a disconnection noise and make it sound as if the line is clear and you call your bank and it all sounds kosher, but in fact they haven't actually broken the connection, only played breaking-connection noises, and when you think you've dialed your bank you're really just speaking to another member of the same gang.

The solution is to put the 'phone down and then call somebody who can't be imitated, such as the speaking clock or a friend of yours, before calling the bank, to make sure the line really is clear.

whitehound

In Outlook Express when you hover the mouse over a suspect URL the true URL appears on the bar at the bottom - but some phishers have been known to introduce spaces into an URL to push the suspect, right-hand portion right off the edge of the bar where you can't see it.  If in doubt you can hit Reply (but not Send!) and then go onto the Source tab and look at the HTML code where you'll be sure of seeing the URL in full.

george.gordon

If the email has a Zip-file attachment, be immediately suspicious.

fbibiz

What I have found that is a dead giveaway that it is a scam, is the To: Field.  The email is supposed to be to you and about your account.  They are going to close it or do something if you don't respond which seems to indicate that it is a personal email.  However, the To: field says "undisclosed recipients".  That pretty much says they are sending the "personal" email to any number of people.  I think a legitimate operation would at least have your name if it was so important.

jevans4949

Another tip: if you get a plausible email purporting to be from a bank you DO have dealings with, which has a "click here" link, don't click there, log on through your normal route. If the bank does have a problem with your account, it should pop up there.

glwright1262

#11 The email asks you to open some attachment

jevans4949

@firstaborean Few users will have the time or inclination to plough through the source-code version of an email. Easier to teach them to just delete it, following the rules above.

However, I do agree that the preview pane should be disabled - preferably completely.

stevenpritikin

@jemorris One of the things that is often used to plant viruses or worms are unpatched security holes in Adobe PDF. Many of us don't keep up with the latest and greatest especially because it can cost money. You'd be better off getting it in a text file.

vsandor

@sparent  Reminds me of a funny story: during last summer, I helped a friend set up her new connection and computer on the (rather remote and serene) Greek island of Alonissos. 2 days later, she got a phone call from someone claiming to be from the 'Microsoft security center' (lol) giving her instructions about how to fix a virus problem. She didn't take the bait and he hung up after being asked the obvious questions. We changed her passwords with the ISP just to be sure :)

the edidas

@newcreationxavier All those emails most probably did not come from your actual email account; your email account was used as a sender address only, and to do that, the spammers won't need access to your email account.

info

@newcreationxavier But it takes over 2 minutes to type! Unless you can type as fast as you can rap... ;)

vsandor

@witkovsm I think it would help to begin the message by clearly defining the recipient: "Dear Mr./Ms. [Client's full name and account number]", if you don't do it that way already :)

info

@witkovsm You'll never get away from this entirely. That's the huge downside of socially engineered attacks. Non-computer-savvy users become wary and suspicious of everything they get sent. My users get phishing attacks from 'xerox@mydomain.com' which they're tempted to click on because we do send scans directly from our Xerox devices. They aren't ZIP files, though. Shows how easy it is for your email addresses to be spoofed. On the bright side, I'd rather have my users too suspicious than all too willing to click on/open something in blind faith...

georgetracey

Alternatively use a mobile to call the bank.