How to Spot Phishing Emails

1. Emails sent from public email domains

All (except the very smallest) businesses will send email from their company address. For example, all email sent from Cilix will look like this:

<sender’s name>@cilix.co.uk

Everything after the @ sign is called the email domain. It’s very important that you check this matches the sender’s company name.

Many email domains that don’t relate to a specific company are generally used for personal email addresses. Examples you may be familiar with are @gmail.com, @hotmail.com and @outlook.com. The email domain in these cases refers to the email uses. But be aware that sometimes the provider can also supply the domain eg btinternet.com.

Remember, not even Google will send you an email using the @gmail.com email domain (it will use @google.com).

In general, any email you receive in your company inbox that uses a public email domain should be treated as a potential phishing email.

Example 1

So, using the example above, it’s clear that this email has been sent from a personal email account and not a business and can be safely deleted.

2. Typo-squatting (ie deliberate misspelling of) email domain names

Be aware of emails sent using misspelt email domains that are carefully crafted to look like a valid company email domain name.

Example 2

Note the deliberate misspelling of Amazon in the email domain name in the example.

3. Sent from a compromised email account and embedded links

Phishing emails sent from email accounts that they have already taken control of by fraudsters (probably by a previous phishing scam) are generally the most difficult to identify because they are being sent from a real company email address.

There is generally no way to distinguish them from non-phishing emails except by the content of the emails themselves.

Checking embedded links can be a way of determining the veracity of an email.

Embedded links can be added to an email in several ways (see below), but the mechanism for identifying where the link will actually take you (compared to what the text in the email says) can be viewed easily.

In every type of embedded link, simply hovering the mouse cursor over the link (text, button, or attachment) will show where the link will take you. On a mobile device pressing and holding the cursor over the link will do the same thing.

Do not trust any link that doesn’t appear to be linked to the company that sent the email.  If in any doubt, contact the sender of the email to check.

Do not reply to the email with the link because if the account has been compromised the fraudster may be controlling incoming emails.

Embedded links can appear as:

• Hyperlink

• Button

• .html attachment

NB: As a rule of thumb, never open an HTML file. If the email is genuine, go back to the sender and ask for the data in a different format.

1. a cunningly disguised pdf attachment

4. Targeted phishing emails (AKA Spear Phishing)

These emails come from Malicious Third Parties who have already done their homework. They know who the boss is and they know who pays the suppliers.  The idea is to send an email that purports to come from the boss to the person who makes the payments on behalf of the company.

They can do this in various ways:

1. Obfuscate the sending email address to make it look like the boss (see Typosquatting above)
2. Use address spoofing to make it seem that the email has been sent from the boss’s account while the real address is quite different.

Here’s a real example of a spear phishing attack:

There are a number of signs that can indicate all is not well with this email. Not all phishing scams will have all of these “tells” but they will all have some.

Let’s take a closer look at this real example:

1. First red flag. Microsoft changed the way the email sender’s details some time ago. In Outlook they now show the name and the email address of the sender. In this case we can see they are clearly different. However, bear in mind that in more sophisticated scams it’s trivial to use address spoofing to make the email address appear to come from the person the scammer is impersonating, so you won’t always see this discrepancy. It’s also possible that the sender’s email account has been compromised and, unknown to them, it’s being used by the scammer.
2. Second red flag. In this particular case, although the real sender’s first name is Timothy, this is not the name they generally use. Also, the sender writes, “Good Morning Robert”. Again, in this particular example, although the recipient’s first name is Robert, it’s not the name they would go by on a day-to-day basis. If you know the person purporting to send you an email, it’s worth checking if details like these feel right or not.
3. Third red flag. A sense of urgency is implied by the Subject “Payment due” and “Please make it a same-day payment”. A sense of urgency can cause the recipient to skip the normal checks put in place to ensure any payments made are real especially when the email appears to be coming from the boss.
4. Fourth red flag. Asking for assistance by implying you are very busy can induce associates to carry out tasks that don’t follow the normal or accepted practice.
5. Fifth red flag. Making the email appear to have been sent from a mobile device can be used as a cover for poor spelling or grammar and also for the terseness of the email. It also excuses the absence of a company signature (but see the next section below). In our experience, most spear phishing emails have the “Sent from my iPhone” signature.

To avoid being the victim of a spear phishing attack you can do three things:

1. Look for these five red flags. If you are unsure as to the veracity of an email you can call or message the sender. Do NOT reply to the email. If the real sender’s account has been compromised, then the scammer will likely be replying not the real sender.
2. Put in place a code word that needs to be included in the body of the email text if the boss requests an unscheduled payment.
3. Use a service like Exclaimer! This adds a company signature to all emails as it leaves the Microsoft email servers (not when it leaves your device). This way you will know that any email coming from the boss will only ever have the company signature and not “sent from my iPhone”.

Disclaimer: Cilix have no association with Exclaimer! other than as a very satisfied customer.