As phishing emails come in different shapes and formats, there is no silver bullet to identify a phishing email. However, there is a collection of red flags you should be looking for before clicking on a new message. Here is our up-to-date guide to help you recognise the latest email-based scams.
What is phishing? Phishing is a cyber-attack typically carried out over email. In a nutshell, cybercriminals aim to trick their victims into clicking a link or attachment, giving their password away or asking for money by pretending to be a legitimate online service, client, supplier, friend or colleague.
Strong indicators that an email might be deceptive
Although other clues are available, the following indicators are the main methods of deciding whether an email is genuine or not:
- Sender Policy Framework (SPF)ย violations
- The senderโs display name and/or email address is spoofed
- The IP address of the sending SMTP server does not belong to the senderโs organisation
- The clickable web links does not take to a trusted domain
- The email features an unsolicited file attachment
#1. Sender Framework Policy (SPF) violations
If the senderโs domain name specifies the allowed SMTP hosts in an SPF record and the receiving email server supports SPF lookups, your email server will flag emails violating the SPF policy. Typically, these emails are either rejected or moved automatically into your spam folder.
Theย adoption rate of SPF records is around 50%ย according to a 2016 report. However, poorly configured email hosting providers may keep these emails in your Inbox.
To find out whether a suspicious email has violated the SPF policy,ย view the message headersย and look for theย Received-SPF
ย header. If the status is โfailโ, the email might be a phishing attempt.
#2. Sender name and/or email address spoofing
There areย two common sender spoofing methodsย cybercriminals use. For illustrative purposes, let us say the person we wish to impersonate isย Peter File
, and his email address isย peter.file@brasseye.com
:
- Email Address Spoofing: Peterโs email address and his name are both spoofed on an incoming email so that the sender appears to be:ย
Peter File <peter.file@brasseye.com>
. - Display Name Spoofing: Only Peterโs name is spoofed, but not the email address:ย
Peter File <chrism1337@gmail.com>
.
To verify the sender of an email, you simply need to observe the senderโs name and email address in your email client. Both the sender’s name and the email address should be displayed by default. On the other hand, smartphones may not display the senderโs email address. In this case, you can reveal the underlying address by tap-holding on the senderโs name.
Email address spoofing (method #1) has become more difficult for cybercriminals because of SFP. If you see an email from a name and email address you know end up in your spam, you should leave it there, chances are it has failed SPF validation and been moved there on purpose.
#3. The sending IP address does not belong to the sending organisation
Another indicator of a phishing email is the sending IP address (or hostname) of the sending SMTP email server.
If the email is sent fromย peter.file@brasseye.com
, it is safe to assume that the sending SMTP server is closely associated with the sending organisation (e.g.ย smtp01.brasseye.com
), or a reputable email hosting providers such as Office 365 or G Suite. In case the email is sent from IP addresses or hostnames associated with unrelated countries and organisations, the email might be not genuine.
You can look up the sending SMTP serverโs IP address and hostname (as well as many other properties) with the combination ofย MX Toolbox Email Header Analyzerย and a service such asย ipinfo.io. If you use Microsoft Outlook, there is a handy utility calledย Message Header Analyzerย which can show you this information too.
#4. Clickable links lead to unknown or unrelated domains
Embedded web links in emails may lead to deceptive websites hosting fake login pages or web browser exploits. It is crucial to inspect a web link before clicking by either hovering over them (on a desktop computer), or tap-holding on it with a smartphone.
If the email is seemingly coming from a trusted provider like PayPal, the web link should be pointing to a domain name associated with the domain.
Sadly, big companies tend to register confusing domain variants of their brands. For example,ย support@paypal-techsupport[.]comย is a legitimate email address belonging to the PayPal Merchant Tech Support team. Other domains likeย paypal-knowledge[.]comย andย paypal-community[.]comย are also legitimate domains also used by PayPal.
It is also important to not be fooled by subdomains which are used deceptively to mask the true domain name of a web link. ย From right-to-left, the domain name in a URL is between the last “/” and first 2 or 3 full stops. Anything either side of this is irrelevant, but often used by cybercriminals to make a link appear more authentic.
#5. File attachments
Treat every email that arrives with an unsolicited file attachment that arrives as suspicious. Malicious file attachments are often disguised as resumes, invoices and receipts. Contrary to popular belief, malicious attachments are not executable (“.exe “) files, but document files such as Word (“.doc”, “.docx” and “.rtf”) and Portable Document Format (“.pdf”) files.
If you receive an email with a file attachment you did not expect, you should either confirm with the sender on an out of band channel (like a phone call) that the file attachment is genuine or open it in a sandbox environment like a virtual machine.
The online PDF and Word document viewers embedded in Gmail and Office 365 can also neutralise harmful content as these viewers do not support frequently-abused active content like JavaScript and Office macros.
Weak indicators that an email might be a phishing attempt
These tips often circulate on the internet, but sadly,ย these tips are ineffectiveย as the level of sophistication of cybercriminals has grown over time:
- Poorly written emailsย โย Cybercriminals can rely on proofreading services such asย Fiverrย to get the grammar right, or in what has become a common practice in phishing, attackers will simply clone common email notifications of well-known brands and businesses.
- Non-personalised greetingsย โ โDear Sirโ instead of โDear Peterโ. Even legitimate newsletters often do not get the greeting right.
- Sense of urgency and far-reaching consequences if a specific action is not taken โ For example, you will be locked out from an account, or the account will be deleted if you do not login in the next 24 hours.
In summary, treat every email with suspicion that comes with a web link, file attachment or a request that you take action. If you are still in doubt, reach out to your friend or colleagues for a confirmation, or leave the email unanswered.
This article was co-written with Nicholas Kavadias.
Gabor Szathmariย is a cybersecurity expert with over ten years experience, having worked in both private and public sectors. He has helped numerous big-name clients with data breach investigations and security incident management. In his professional life, Gabor helps businesses, including many small and mid-size legal practices, with their cybersecurity challenges atย Iron Bastion โ Australiaโs phishing and cybersecurity experts.