How to Spot a “Phishing” Email

Adapted from http://www.csoonline.com/article/2130760/data-protection/118916-How-to-spot-a-phishing-email.html

While there is no technique that can spot phishing emails with 100% certainty, these are some logical steps that you can use to determine the likelihood that an email is not legitimate. Trusting your own instincts is just as important. If an email doesn’t seem right, then treat it with all due caution and seek help if you need assistance.

Examine who the message is being sent to and why…

  • The message was sent by a person and organization unknown to you, and may also include fictitious or unfamiliar recipients.
  • The Subject line indicates that an unsolicited attachment is being forwarded. In most business/work relationships, some kind of communication would have taken place where you would be expecting files that someone wants to send to you.
  • The attached file type, ZIP, is known to be potentially malicious. Other potentially risky file types end with DOC, XLS, EXE, PDF, BAT and VBS. While most people use these file types every day, the risk is that malicious code can be inserted into these kinds of documents. An unsuspecting recipient who opens a malicious file of one of these types would unknowingly execute malware on their own computer.

 

Examine the body of the message…

  • The message opening is unusually and overly formal. People you know or have working relationships with would not ordinarily use such formal language.
  • The message prompts you to create an account or divulge personal details that one would normally hesitate to share.
  • The name in the FROM field of the message is different from the name given in the message body.

 

Examining the message “headers”…

The following pages demonstrate more advanced tips for spotting phishing emails. Email headers provide valuable information when trying to determine the legitimacy of a message. This information can also be used by your local Information Security team if you need assistance.

  • Within the open message in Outlook, click on File > Info > Properties to see the message’s header information. This provides clues on the path the message actually took to reach the recipient. One red flag to look for is if the “Return Path” indicates an organization or domain different than the one identified in the message body, as indicated by the red arrows above. In other email clients there is generally an option to view message headers within the message properties. Contact your local Help Desk or security team if you need assistance.

 

Examining the message “headers”, continued…

  • The sender’s IP address and ISP information indicate a Comcast user in Indiana, as demonstrated by the domain “in.comcast.net”. As the real company FISERV is located in Wisconsin, it is unlikely that they would be using an Internet Service Provider from Indiana.
  • The second address shown is where the email was delivered from. This is usually the email server for your own organization or email provider.

 

More clues in the Headers…

  • This line shows the computer at the Comcast address sending an email that claims to be from welcome@aexp.com. AEXP.COM is the domain for American Express, which has been spoofed many times over the past few years. Criminals use the technique of spoofing legitimate company domains to take advantage of the trust implicit in a familiar organization’s name.
  • The X-Mailer property indicates what software was used to send the email. While this line can be spoofed, a careless phisher may neglect to change the information. A legitimate company will most likely use a common email client such as Microsoft Outlook, IBM Notes or Novell GroupWise. If a search for the indicated software shows it to be a shareware email client or known email spoofer, that is another red flag that the email is not legitimate.
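
The header checks described above (Return-Path versus From domain, the originating host in the Received chain, and the X-Mailer value) can be run over a raw message. This Python example is added here and is not part of the original article; the sample message, its hostnames and product name, and the `org_domain` and `header_flags` helpers are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, modelled on the case described above; every host,
# address and product name below is made up for illustration.
SAMPLE = (
    "Return-Path: <bounce@mailer.example.net>\n"
    "Received: from mx.recipient.example (mx.recipient.example [192.0.2.10])\n"
    "\tby mail.recipient.example; Mon, 1 Jan 2018 10:00:05 -0500\n"
    "Received: from c-203-0-113-7.hsd1.in.comcast.net ([203.0.113.7])\n"
    "\tby mx.recipient.example; Mon, 1 Jan 2018 10:00:00 -0500\n"
    'From: "American Express" <welcome@aexp.com>\n'
    "To: user@recipient.example\n"
    "Subject: Account notice\n"
    "X-Mailer: ExampleBulkMailer 1.0\n"
    "\n"
    "Please verify your account.\n"
)

COMMON_MAILERS = ("outlook", "notes", "groupwise")  # clients named in the article

def org_domain(host):
    """Last two DNS labels; a simplification (real code needs the Public Suffix List)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def header_flags(raw):
    """Return a list of red flags found in the headers of a raw message."""
    msg = message_from_string(raw)
    flags = []
    from_dom = org_domain(parseaddr(msg.get("From", ""))[1].rpartition("@")[2])
    rp_dom = org_domain(parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2])
    if rp_dom and rp_dom != from_dom:
        flags.append(f"return-path domain {rp_dom} != from domain {from_dom}")
    # Each relay prepends its Received header, so the last one is the origin hop.
    received = msg.get_all("Received") or []
    m = re.match(r"\s*from\s+(\S+)", received[-1]) if received else None
    if m and org_domain(m.group(1)) != from_dom:
        flags.append(f"origin host {m.group(1)} is outside {from_dom}")
    mailer = msg.get("X-Mailer")
    if mailer and not any(name in mailer.lower() for name in COMMON_MAILERS):
        flags.append(f"unfamiliar x-mailer: {mailer}")
    return flags

if __name__ == "__main__":
    for flag in header_flags(SAMPLE):
        print("RED FLAG:", flag)
```

Mail sent through a third-party delivery service can legitimately carry a different Return-Path domain, so each flag is a prompt for closer inspection, not a verdict.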

Custom Fields
  • Author: Tony Dumas
  • Department: Information Security Services