Written by Ed Desorcy

As we’ve highlighted in our Scam School articles, phishing is one of the most common and successful attacks out there. Phishing is described as someone with malicious intent requesting a piece of information through email from a victim under the guise of an authentic request. While phishing attacks have many forms, we’re going to solely focus on email phishing and teach you how to spot the main warning signs, so you don’t become another victim.

Phishing emails often look just like their legitimate counterparts. You’re going to want to examine the header of the email. It may or may not look authentic from your inbox screen. In order for a virus to execute, it requires a user to complete a certain action, be it opening an attachment or clicking a suspicious link. Opening an email to examine it further will not put you in danger.

Examine the “From” Field

This one is tricky. A threat actor can alter the sender’s name so it looks authentic, but take a closer look at the email address. Support@microsftforyou.com? Techsupport@hotmail.com? If it’s not from the legitimate company’s proper domain, don’t trust it.

Urgency or Scare Tactics in the Subject Line?

Social engineering attacks like phishing rely on intimidation and manipulation to trick users into clicking on a link or opening an attachment. If the subject line contains things like, “Password Check Required Immediately” or “Security Alert! Action Required Now!,” think twice about trusting the email. Phishers want to create a sense of panic in their victims. If you think your account is in danger, you’ll be more likely to enter your credentials and act on this potential threat.

Strange Attachments?

Never trust an attachment from an unknown source. File extensions can be manipulated to hide viruses and other malicious software in the file itself. There’s only one reason why an unfamiliar email address is sending you an attachment, and that is to execute a malicious attack. Common phishing email attachments include “resume.docx” or “Sales figures.exe.”

What’s in the Body?

The body of an email is the meat of the email. It can often look so authentic with a company’s images and styling that even top experts in the cybersecurity field have been fooled. Here are a couple of things to look out for:

Salutation and Signature:

One of the first things to examine is the salutation. A generic greeting can be a warning sign. It shows that a phisher is mass-emailing this exact email to a multitude of victims. Even if the email it’s directed specifically at you doesn’t mean you’re out of the woods though. The threat actor could be spear-phishing you, where the attacker likely knows who you are, what your role is in the company, and what could be gained if they successfully phish you.

Signatures can also give a clue. Odd wording, a different email signature, or if it says “from a 4G LTE phone” when you know the supposed sender uses an iPhone could be a dead giveaway.

Are They Requesting Personal or Company Information?

Never give away personal or company information via email. Never. Just don’t do it.

Time of Day

Is your boss contacting you after office hours or during the weekend? Are they on vacation? Never give away personal or company information or complete tasks over email. They may be insistent that they need your help with a specific task but won’t tell you about the task in the email.

Poorly Written or Bad Grammar?

A lot of phishing emails are originating in countries where English isn’t the predominant language. Is the email riddled with spelling mistakes and grammar misnomers? Chances are it’s a phishing attempt. You will never find a spelling or grammar mistake in a legitimate company’s email or publication. Large companies especially like Microsoft and Google have teams of proofreaders and lawyers going through emails and press releases with a fine-toothed comb before they get to your inbox.

The main goal of a phishing email is to get you to click a questionable link or open an attachment. You will be urged to click or act immediately, or your account will be closed.  So, what’s on the other side of the link? It could often link to a website that looks exactly like the company’s website with form fields for you to hand over your personal information. It could also link to a malicious software or ransomware download.

Before you realize what’s happening, it’s too late. Always hover your mouse over hyperlinks and embedded links in images before clicking on them. The link in the email may be disguised, but you can quickly check the legitimacy by simply hovering over it with your mouse.

Education and awareness are key when attempting to foil phishing and other social engineering attacks. There is no way to completely prevent phishing attacks but applying common sense and your knowledge will give you the best chance possible in stopping threat actors in their tracks!

A Real Phishing Email or Spoof

Some IT Support RI staff members received this email which appears to be from Paul. Upon closer inspection, and using the tips presented above, we can analyze this email to uncover what makes it a phishing email.

  • Examine the “From” Field: We can see that the address is NOT Paul’s email address, but a random gmail account. This sender has tried to use Paul’s name to trick the staff into responding to the email.
  • If this was sent from Paul’s actual work email address, we’d see Paul’s picture and not the “PR” icon next to his name.
  • Subject Line: The subject line reads “Request,” which is a very common subject line used in most phishing emails.  This subject is designed to make potential victims think they need to open and respond to the email urgently.
  • Time of Day: If we look at the time and date, we can see that the email was sent at 8:38 AM on March 30th, which was a Saturday. This also raises a question; why would Paul be sending an email while he’s in a meeting?
  • Sense of Urgency: The phisher has created a sense of urgency by saying Paul has a request that needs to be completed “discreetly right now” and that we need to reply back “immediately.”
  • Poorly Written or Bad Grammar: Despite being a short email, there are a few minor mistakes that a trained eye could notice. Immediately, in the first sentence, “Do you got a minute,” we can note that “got” is used instead of “have” and that the question does not have a question mark. The sentence, “So just reply me back immediately you got this text,” contains a few minor mistakes and is awkwardly written.
  • Signature: The signature reads “Sent from a 4G wireless phone.” Paul has a full email signature, containing his name, the company name and address, and his phone number.  We know that Paul has an iPhone, so the signature could say “Sent from my iPhone.”