How to Spot an E-Mail Phishing Attack

Phishing illustration

It’s something that happens to everyone: you’re checking your e-mail and a message catches your eye. It says it’s urgent and it seems to come from a company or person you think you know, so you open it. It tells you there’s a problem with your account and asks you to use a link in the message to fix it. If you click the link, it goes to a page that looks right, but how can you really be sure? How do you tell the e-mails that are safe and legitimate from the ones that are looking to steal your information or, worse, your money? This post examines a real phishing attempt and shows you how to spot the fraud and avoid falling into the trap.

What Is Phishing?

Phishing is a concept we talked about on the blog as part of our discussion on How Your Social Media Accounts Make Identity Theft Easier (Part 1). As defined by phishing.org:

Phishing is a cybercrime in which a target or targets are contacted by email, telephone or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords.

(Phishing.org, 2020)

Successful phishing attacks can have significant impacts on individuals and organizations if sensitive account or financial information is stolen. Cybercriminals can use that information to make purchases, draw on credit lines, or, by reusing a stolen password, gain access to other people or organizations. Fortunately, protecting yourself against phishing isn’t difficult: it requires awareness, vigilance, and a fundamental understanding of how to identify a phishing attempt. In the next section, we will look at an actual phishing e-mail and talk about how you can tell that it, or any other phishing message, is illegitimate and unsafe.

A Real World Example

Before we look at a real world example of a phishing message, let’s learn a little more about the structure of an e-mail address.

Button Up Explains: E-mail Addresses

Let’s look at an actual phishing e-mail I received. The author of this message wants you to think it came from Facebook, but there are some clear signs that this message isn’t what it seems. We will look at each major component of the e-mail and discuss what about it increases the likelihood that the message is fraudulent so you know what to look for in your own inbox.

Something’s phishy here

There are plenty of things about this e-mail that make it seem, well, phishy, but let’s walk through them together.

It’s in the spam folder. First and foremost, that giant gray bar is Gmail’s way of telling us this message was automatically filtered into the Spam folder. Gmail’s filters learn from patterns across all of its users, and they found patterns in this message consistent with other spam mailings. This is the first and most important indication that you may not be able to trust the message, but one piece of evidence is never enough, and filters also miss things, so let’s keep digging.

The subject line. It’s unusual for customer service messages to lead with information you don’t need and can’t confirm. The subject line references “user ID: #6490593.” You sign into Facebook with an e-mail address or phone number, not with a number like this, so there is nothing you can check it against; it is there to look official, not to help you. A detail you cannot verify should make you more suspicious, not less.

Content problems. Note the missing Facebook logo circled in red. Under most circumstances, official e-mails from companies should not be missing content, though on its own a missing image proves little, since mail clients also refuse to load remote images in messages they already consider suspect. Now note the text highlighted in blue. The body of the message contains typographical errors: extra periods (“it is you..”) and extra spaces between words and punctuation (“Thank you ,”). These are mistakes you should not expect in a legitimate, professional message, and taken together with the missing logo they point toward the possibility that the e-mail is part of a phishing scam.

Sender Address. Before we dive into this, we need to remember something important: the sender’s display name is set by the sender. The name you see there is not, in any way at all, a guarantee of who the message is from. In your own e-mail client, right now, you could change your name to anything you like, so never trust an e-mail because the name matches someone or something you trust. The address next to the name is only slightly better: the sender fills that in too, and forging it is possible, which is why mail providers check it against records published by the domain owner (SPF, DKIM and DMARC) before deciding how much to trust it. Regardless of the name, the sending address should at least belong to a domain you recognize and, in this case, we not only have no reason to trust the sender address, the domain is obviously not Facebook’s.

Strange Sender Information. In addition to the visible sender address, you can get more information about the sender by looking at key parts of the e-mail header, which contains a lot of technical information about the origin of the message and how it arrived in your inbox. In web mail products like Gmail, you can get a quick peek at header information by clicking the drop-down icon near the sender address (see the red circle in the image below).

Expanded sender information: Part I

When we open the expanded sender information, we can easily see that the Reply-To field has a very large number of entries pointing to a variety of domains that don’t appear to be related to Facebook. Reply-To is where your answer actually goes when you hit Reply, so it tells you who really wants to hear from you, and it can help shine a light on a fraudulent message when the sender address itself is not clear: legitimate businesses do not scatter replies across a dozen unrelated domains. If you see a large number of items in this field, it’s wise not to trust the message. More importantly, if you were to scroll past the Reply-To addresses on that screen, you would see additional technical information:

Expanded sender information: Part II

From this screen, we can see that the “mailed-by” field contains an unusual entry. Gmail fills this field with the domain that actually handed the message over (the envelope sender, which is what the SPF check validates), and a separate “signed-by” field with the domain whose DKIM signature the message carries, if any; a genuine Facebook notification shows facebook.com or one of its subdomains in both. Legitimate vendors should not send messages where the mailed-by value contains IP addresses, strange words or phrases, or excessively long hostnames that are inconsistent with the organization the message claims to represent. In this case, we may not know who “dhorj——–.static.74.95.69.159.clients.your-server.de” is (it looks like the automatically generated reverse-DNS name of a rented server), but we can be certain that it’s not Facebook, so we shouldn’t trust it.

Weird Links. Finally, links in messages that go to unexpected places are a clear sign that the message is fraudulent. In the message we have reviewed here, there were several buttons and links throughout the e-mail that pointed to suspicious URLs. If you hover over a link or, in some cases, other buttons or graphics, you should see the link’s URL in the status bar at the bottom of your browser window (see the image below, highlighting the URL from the “unsubscribe” link); on a phone or tablet, a long press usually shows the same thing. Read the whole hostname, not just the start of it: “facebook.com.something-else.net” is not Facebook. In this e-mail, claiming to be from Facebook, we should expect every link in the message to go back to a facebook.com domain, but they don’t, so we know this was not a true message from Facebook and, therefore, we should not click anything in it or respond to it.

Hover over links to preview the URL
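The checks from the last few sections (display name versus From domain, the Reply-To list, the mailed-by domain, the DKIM signature, and every link’s real hostname) can be pulled out of a message mechanically. The script below is an added example, not code from the original post, and it runs against a constructed sample message that imitates the lure described above; the domains in it (fb-alerts-notice.test, mail-desk.test and so on) are made up for the illustration and will never resolve.

```python
"""Pull the phishing indicators discussed above out of a raw RFC 5322 message."""
import email
import re
from email import policy
from email.utils import getaddresses, parseaddr
from urllib.parse import urlparse

# Constructed sample (not the message shown in the post): a Facebook-themed
# lure whose display name, Reply-To list, Return-Path and links all point
# away from facebook.com. Names under .test are reserved and never resolve.
SAMPLE_EMAIL = b"""\
Return-Path: <bounce@mail.static.203.0.113.5.clients.hoster.test>
Authentication-Results: mx.example.test; spf=pass smtp.mailfrom=mail.static.203.0.113.5.clients.hoster.test; dkim=none
From: "Facebook" <security@fb-alerts-notice.test>
Reply-To: help@fb-alerts-notice.test, support@mail-desk.test, contact@verify-now.test
To: victim@example.test
Subject: Security notice for user ID: #6490593
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Someone tried to log into your account. Confirm it is you..</p>
<p><a href="http://facebook.com.login-check.test/verify">Confirm now</a></p>
<p><a href="https://www.facebook.com/help">Help Center</a></p>
<p>Thank you ,<br>The Facebook Team</p>
<p><a href="http://unsubscribe.mail-desk.test/u?id=6490593">unsubscribe</a></p>
</body></html>
"""


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an e-mail address ('' if there is none)."""
    _, address = parseaddr(addr)
    return address.rpartition("@")[2].lower()


def host_under(host: str, domain: str) -> bool:
    """True if host is domain itself or a subdomain of it.

    Matching on a label boundary matters: 'facebook.com.login-check.test'
    starts with 'facebook.com' but is not under it.
    """
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def link_hosts(html: str) -> list[str]:
    """Hostnames of every http(s) href in an HTML body, in document order."""
    hosts = []
    for href in re.findall(r'href\s*=\s*["\']([^"\']+)["\']', html, flags=re.I):
        parsed = urlparse(href)
        if parsed.scheme in ("http", "https") and parsed.hostname:
            hosts.append(parsed.hostname)
    return hosts


def analyze(raw: bytes, claimed_domain: str) -> dict:
    """Compare what the message claims to be with what its headers and links say."""
    msg = email.message_from_bytes(raw, policy=policy.default)

    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(from_addr)

    reply_to = [domain_of(a) for _, a in getaddresses([str(msg.get("Reply-To", ""))])]
    return_path_domain = domain_of(str(msg.get("Return-Path", "")))

    # Gmail's "mailed-by" reflects the envelope sender (Return-Path); a DKIM
    # pass from the claimed domain is the header-level proof that it sent this.
    auth = str(msg.get("Authentication-Results", ""))
    dkim = re.search(r"dkim=pass\b[^;]*?header\.d=([\w.-]+)", auth)
    dkim_domain = dkim.group(1).lower() if dkim else None

    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body else ""
    off_domain = [h for h in link_hosts(html) if not host_under(h, claimed_domain)]

    findings = []
    brand = claimed_domain.split(".")[0]
    if brand in display_name.lower() and not host_under(from_domain, claimed_domain):
        findings.append(f"display name {display_name!r} but From domain is {from_domain}")
    if len(reply_to) > 1:
        findings.append(f"{len(reply_to)} Reply-To addresses across {sorted(set(reply_to))}")
    if return_path_domain and not host_under(return_path_domain, claimed_domain):
        findings.append(f"mailed by {return_path_domain}, not {claimed_domain}")
    if not (dkim_domain and host_under(dkim_domain, claimed_domain)):
        findings.append(f"no DKIM signature from {claimed_domain}")
    if off_domain:
        findings.append(f"links leave {claimed_domain}: {off_domain}")

    return {
        "from_domain": from_domain,
        "reply_to_domains": reply_to,
        "return_path_domain": return_path_domain,
        "dkim_domain": dkim_domain,
        "off_domain_links": off_domain,
        "findings": findings,
    }


if __name__ == "__main__":
    for line in analyze(SAMPLE_EMAIL, "facebook.com")["findings"]:
        print("-", line)
```

To run it against a real message, save the e-mail from your client as a .eml file (Gmail’s “Show original” offers a download) and pass its bytes to analyze with the domain the message claims to come from. The host_under check is the part worth copying into anything you build: comparing whole labels is what stops “facebook.com.login-check.test” from passing as Facebook.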

Looking Ahead

Now that you know what to look for, regularly inspecting unexpected or unusual e-mails will make you much less likely to fall victim to a phishing attack. Pay attention to the sender address, its domain and top-level domain, look for grammatical or punctuation errors, and inspect links or buttons before you click them. If a message really might be from a company you use, go to that company’s website by typing the address yourself rather than through the link in the e-mail. Together, these habits will help keep you safe in those instances where the spam filter misses a dangerous message, or when you are reviewing the messages in your spam folder.

As always, if you have questions or thoughts, feel free to drop me a line on social media at Facebook or Twitter.
