How to Spot a Phishing Email—A Survivor’s Guide

Phishing is a pretty dumb crime, at least in terms of the smarts it takes to execute. Unfortunately, it can be substantially lucrative for the criminal and costly for the victim, whether they’re an individual or a business. Knowing how to spot the fraudsters is key to avoid getting caught in the phishing net.

Scattergun distribution of hundreds of thousands of scam emails is neither difficult nor expensive. The recipient list can be random, usually purchased through the Dark Web and often as part of an off-the-shelf exploit kit that can include botnet resource time and malware payloads all wrapped up in one handy package. This has become so cheap now that it only takes a handful of recipients to click through and the criminal is in profit.

Not All Phishing Emails Are the Same

It’s easy and wrong, however, to think that all phishing emails are untargeted. Spear phishing is on the rise, with the focus on fewer and better researched targets that can return a better profit if they take the bait. That bait is changing as well; you can’t rely on all social engineers pretending to be your bank or a courier company any more.

The 2017 Webroot Threat Report revealed that for every new phishing URL impersonating a financial institution, there are seven pretending to be tech companies. One kind of tech outfit is well-positioned to mitigate the phishing threat, and that’s the managed service provider (MSP). Of course, that does entail the MSP understanding the threat and being able to recognize a phishing email when he or she sees one.

The trouble is that there isn’t a single template used by all phishers, and emails can vary from simplistic and full of spelling errors to realistic clones of official correspondence—right down to deceptive logos and the language used. Which isn’t to say that there still won’t be visual clues for savvy users.

Check the Email Address of the Sender

Checking for spoofing is a simple and obvious practice. Many scammers will use a “from” address that is as close as possible to the real thing, to keep up the believable pretense. Hover your mouse over the sender’s name, and most email clients will reveal the true address behind it. Also check the “reply-to” field in the email header if you have any doubts. A spoofed “from” header may fool you, but if the scammer is phishing for a reply by email, there has to be somewhere else for it to go for them to receive it.

The same “be suspicious” advice applies for any links within an email. Apart from the obvious “do not click the things unless you are 101% sure of their provenance” mantra, don’t get fooled by clever sleights of hand. This can take the form of URL encoding whereby the true link destination can be concealed, or the less suspicious and more successful use of ‘nearly right’ domains such as apple-service.com, which sounds right but obviously isn’t when you think about it (appleinfo.com isn’t the same as apple.com and nor is apple.security.com).

Check Any In-Email Links Before Clicking

Thinking about it is always good advice for spotting a fraud; take a minute to process what you are reading rather than going for the knee-jerk acceptance reaction. There are even link checkers out there, such as URL Void,  that will run any address through a series of reputation services and blacklists to see if it’s used by scammers. The easiest method of them all, though, is simply contacting the organization concerned using your normal method via the web browser versus the email link.

If you are still not sure, a quick WHOIS lookup using Google^® will help reveal a fake domain and sender. The same is true when it comes to the supposed identity of the sender; Google is great for discovering whether John X is actually the Finance Director of Company Y, for example.

Are the Certificates Safe?

Clever criminals will use a homograph approach to address spoofing. These take advantage of languages such as those employing glyphs in the Armenian, Chinese, Cyrillic, Greek, Hebrew, and Latin alphabets that closely resemble western characters. These can be combined to register domains that are the equivalent of a well-known brand, and the additional purchase of a SSL certificate will give it additional authority. The simplest way to check is to check the certificate details as the original domain and not the lookalike one.

They may still say that content is king on the web, but sometimes it can also be a princely way to spot an email faker. Most genuine companies, and all that understand customer privacy issues, will never ask for personal information such as insurance, bank account, PIN codes, or credit card numbers by email. Any that do should be treated with utmost caution and, again, the organisation should be contacted directly using your normal means of communication rather than by replying to the suspect email.

Genuine and Official Tends to Mean it’s Not

Although most fraudsters have evolved past the spelling errors and poor grammar or obvious language translation stage by now, one thing they often still don’t get right is language detail. Ask yourself how many times an organization has ever contacted you and stated that it was an official or genuine communication? Never would be my guess, yet many phishing emails still try too hard to convince by throwing “official” into the title or text as if that is all it takes.

Finally, remember that it’s not just email that is used as the lure to get you to visit a fraudulent website where your login details can be scraped or a malware payload downloaded. Increasingly, social media accounts are also weaponized in this way. Always make sure you are dealing with a verified account on Twitter^®, as unverified accounts are easy enough to set up and can con plenty before being closed down.

There is no technology that can absolutely guarantee phishing emails won’t reach your business, unfortunately. However, SolarWinds mail system uses a combination of antivirus and antispam technology, along with real-time pattern-based threat recognition technology, to check every email in all directions. That’s a good start, but to be most effective, the tech has to come as part of a package that includes staff awareness training, so everyone knows precisely what a phishing email looks like.

Davey has been writing about IT security for more than two decades, and is a three-time winner of the BT Information Security Journalist of the Year title. An ex-hacker turned security consultant and journalist, Davey was given the prestigious ‘Enigma’ award for his ‘lifetime contribution’ to information security journalism in 2011.  You can follow Davey on Twitter at @happygeek