How To... Detect a Phishing email
There are a few good ways to tell if an email is suspicious and possibly malicious. This page will discuss a few of them:
- Known Scams
- Deceptive Links
- Bad grammar or spelling
- Strange structures
- IP Addresses in the URL
- More...
Once you know you have a scam, see How To... Report Spam/Phishing for instructions on how to report it.
Known Scams
There are a host of well-known and commonly imitated scams out there. Check out Top 10 Spam Scams for a good description of the most popular ones.
Deceptive links
The biggest red flag that a message is likely malicious is a deceptive link. That is, a discrepancy between the shown link and the real destination URL…
As you may or may not know, it is very easy to make a link display one thing but take you to a totally different place. For example, here is a link that says Yahoo, but it will really take you to Google. Web browsers and email clients give you a way to see the real destination of a link, however, and you can use that feature to test a link to see if it is deceptive.
If you hover your mouse pointer over the above link (green hand below), you will see google in the lower-left corner of your web browser (red arrow).
The same thing works in an email client. In Outlook, you need to hover your mouse pointer and wait 2 seconds and the real URL will appear as a floating box.
So you can see from the above that, while the link claims to be going to microsoft.com it is really taking you to myip.org.
If you ever see a link that claims to be to one place, but is really to another, be VERY suspicious of the email. It is likely malicious.
Obvious grammatical or spelling errors
This is another important indicator. Email messages that claim to be from a business and yet contain errors in grammar, word usage, spelling or punctuation should raise a red flag. Most businesses have several layers of review before a message is approved for release to the public, and obvious errors will typically be caught and removed during this process.
Strange structures
If the email just looks strange, has unusual formatting or parts that just don't make sense, be suspicious.
For example, below is an email specifically designed to try to fool spam filters.
- The top part (down to "Please don't click...") is all a graphic so that filters can't see the word "download", etc. A spam filter cannot look into graphic contents...
- The bottom part is a series of phrases that make no sense. These are added so that filtering software configured to filter out an email that is nothing but an image, will still let this message through.
- Finally, they include the "Please don't click..." line. They do that because information security people have been telling people not to click links in email. By telling you the same thing your InfoSec people are telling you, they try to make you trust them... they must be trustworthy...

You have to ask yourself why someone would go to this level of trouble...
IP Addresses in the URL
If you ever see an IP address in the shown or the real URL, be suspicious. For example:
http://81.202.235.150/?36a4bc955099675c50080d0229e368412571
Remember that the target of a URL (the host) is the part between the // and the first /.
This means that the highlighted part of the following URL is the target:
http://81.202.255.160/?36a4bc955099675c50080d0229e368412571
This is an IP address, not something readable (like "amazon.com" for example). You have to ask yourself what the senders of this message are trying to hide...
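As an added example (not part of the original page), the following Python script applies the two link checks described above to the HTML body of an e-mail: it flags a link whose visible text names a host different from the real destination (the deceptive-link check) and a link whose real destination is a bare IP address (the IP-address check). The sample e-mail body, its domains, paths and IP address are all constructed for the example.

```python
"""Flag two link-based phishing indicators in an HTML e-mail body:
a link whose visible text names a different host than its real destination,
and a link whose real destination is a bare IP address.
Added example; the sample body below is constructed, not a real message."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body: one honest link, one deceptive link, one IP link.
SAMPLE_EMAIL_HTML = """
<p>Dear customer,</p>
<p>Visit <a href="https://www.example.com/">www.example.com</a> for help.</p>
<p>Please <a href="http://login.example.net/verify">
  sign in at microsoft.com</a> to confirm your account.</p>
<p>Or <a href="http://192.0.2.10/?36a4bc955099675c50080d0229e368412571">
  click here</a> to download your statement.</p>
"""

# Loose pattern for a host name appearing in the visible link text.
HOSTNAME_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []      # finished (href, text) pairs
        self._href = None    # href of the anchor currently open, if any
        self._text = []      # text fragments seen inside that anchor

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())  # normalise whitespace
            self.links.append((self._href, text))
            self._href = None


def host_of(url):
    """Return the host of a URL (the text between // and the next /),
    lower-cased, with any userinfo or port removed."""
    return (urlparse(url).hostname or "").lower()


def is_ip_host(host):
    """True if the host is a literal IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def same_site(shown, real):
    """Treat 'www.example.com' and 'example.com' as the same site: one host
    must equal the other or be a subdomain of it."""
    return shown == real or shown.endswith("." + real) or real.endswith("." + shown)


def check_links(html):
    """Return a list of (href, text, reasons) for links showing an indicator;
    links with no indicator are omitted."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real_host = host_of(href)
        reasons = []
        if is_ip_host(real_host):
            reasons.append("destination host is an IP address: " + real_host)
        shown = HOSTNAME_RE.search(text)
        if shown and not same_site(shown.group(1).lower(), real_host):
            reasons.append("text names %s but link goes to %s"
                           % (shown.group(1), real_host))
        if reasons:
            findings.append((href, text, reasons))
    return findings


if __name__ == "__main__":
    for href, text, reasons in check_links(SAMPLE_EMAIL_HTML):
        print("SUSPICIOUS: %r -> %s" % (text, href))
        for reason in reasons:
            print("    - " + reason)
```

Run against the constructed sample, the script leaves the honest www.example.com link alone and reports the other two: the "microsoft.com" text that really points at login.example.net, and the "click here" link whose host is the bare address 192.0.2.10. The same host_of() rule is what the hover check in your mail client is showing you, so the script is a way to apply that check to many links at once rather than a replacement for looking.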
More...
- Phishing: Detect it, Avoid it
A 40 minute streaming video presentation that discusses email and internet phishing and gives many examples of phishing attacks that have been seen over the past few months.