As phishing emails come in different shapes and formats, there is no silver bullet to identify a phishing email. However, there is a collection of red flags you should be looking for before clicking on a new message. Here is our up-to-date guide to help you recognise the latest email-based scams.

What is phishing? Phishing is a cyber-attack typically carried out over email. In a nutshell, cybercriminals aim to trick their victims into clicking a link or attachment, giving their password away or asking for money by pretending to be a legitimate online service, client, supplier, friend or colleague.

Strong indicators that an email might be deceptive

Although other clues are available, the following indicators are the main methods of deciding whether an email is genuine or not:

Sender Policy Framework (SPF) violations.

The sender’s display name and/or email address is spoofed.

The IP address of the sending SMTP server does not belong to the sender’s organisation.

The clickable web links does not take to a "trusted domain".

The email features an unsolicited file attachment.

#1. Sender Policy Framework (SPF) violations

If the sender’s domain name specifies the allowed SMTP hosts in an SPF record and the receiving email server supports SPF lookups, your email server will flag emails violating the SPF policy. Typically, these emails are either rejected or moved automatically into your spam folder.

The adoption rate of SPF records is around 50% according to a 2016 report. However, poorly configured email hosting providers may keep these emails in your Inbox.

The domain 'time.kz' does not designate 'mail.globalreservation.com' as a permitted sender (Source: Iron Bastion)

To find out whether a suspicious email has violated the SPF policy, view the message headers and look for the Received-SPF header. If the status is ‘fail’, the email might be a phishing attempt.

#2. Sender name and/or email address spoofing

There are two common sender spoofing methods cybercriminals use. For illustrative purposes, let us say the person we wish to impersonate is Peter File , and his email address is peter.file@brasseye.com :

Email Address Spoofing: Peter’s email address and his name are both spoofed on an incoming email so that the sender appears to be: Peter File <peter.file@brasseye.com> . Display Name Spoofing: Only Peter’s name is spoofed, but not the email address: Peter File <chrism1337@gmail.com> .

To verify the sender of an email, you simply need to observe the sender’s name and email address in your email client. Both the sender's name and the email address should be displayed by default. On the other hand, smartphones may not display the sender’s email address. In this case, you can reveal the underlying address by tap-holding on the sender’s name.

Email address spoofing (method #1) has become more difficult for cybercriminals because of SFP. If you see an email from a name and email address you know end up in your spam, you should leave it there, chances are it has failed SPF validation and been moved there on purpose.

#3. The sending IP address does not belong to the sending organisation

Another indicator of a phishing email is the sending IP address (or hostname) of the sending SMTP email server.

If the email is sent from peter.file@brasseye.com , it is safe to assume that the sending SMTP server is closely associated with the sending organisation (e.g. smtp01.brasseye.com ), or a reputable email hosting providers such as Office 365 or G Suite. In case the email is sent from an IP address or hostname associated with unrelated countries and organisations, the email might be not genuine.

This fake PayPal notification was sent through an unrelated SMTP server and features the display name spoofing technique (Source: Iron Bastion)

You can look up the sending SMTP server’s IP address and hostname (as well as many other properties) with the combination of MX Toolbox Email Header Analyzer and a service such as ipinfo.io. If you use Microsoft Outlook, there is a handy utility called Message Header Analyzer which can show you this information too.

Embedded web links in emails may lead to deceptive websites hosting fake login pages or web browser exploits. It is crucial to inspect a web link before clicking by either hovering over them (on a desktop computer), or tap-holding on it with a smartphone.

If the email is seemingly coming from a trusted provider like PayPal, the web link should be pointing to a domain name associated with the domain.

This email was supposed to come from Mailgun.com, yet the web link would take us to an unrelated domain (Source: Iron Bastion)

Sadly, big companies tend to register confusing domain variants of their brands. For example, support@paypal-techsupport[.]com is a legitimate email address belonging to the PayPal Merchant Tech Support team. Other domains like paypal-knowledge[.]com and paypal-community[.]com are also legitimate domains also used by PayPal.

It is also important to not be fooled by subdomains which are used deceptively to mask the true domain name of a web link. From right-to-left, the domain name in a URL is between the last "/" and first 2 or 3 full stops. Anything either side of this is irrelevant, but often used by cybercriminals to make a link appear more authentic.

A deceptive web link made to look like an eBay login page. The true domain name is highlighted. (Source: Iron Bastion)

#5. File attachments

Treat every email that arrives with an unsolicited file attachment that arrives as suspicious. Malicious file attachments are often disguised as resumes, invoices and receipts. Contrary to popular belief, malicious attachments are not executable (".exe ") files, but document files such as Word (".doc", ".docx" and ".rtf") and Portable Document Format (".pdf") files.

Ransomware may arrive in Word documents like this (Source: Ars Technica)

If you receive an email with a file attachment you did not expect, you should either confirm with the sender on an out of band channel (like a phone call) that the file attachment is genuine or open it in a sandbox environment like a virtual machine.

The online PDF and Word document viewers embedded in Gmail and Office 365 can also neutralise harmful content as these viewers do not support frequently-abused active content like JavaScript and Office macros.

Weak indicators that an email might be a phishing attempt

These tips often circulate on the internet, but sadly, these tips are ineffective as the level of sophistication of cybercriminals has grown over time:

Poorly written emails – Cybercriminals can rely on proofreading services such as Fiverr to get the grammar right, or in what has become a common practice in phishing, attackers will simply clone common email notifications of well-known brands and businesses.

– Cybercriminals can rely on proofreading services such as Fiverr to get the grammar right, or in what has become a common practice in phishing, attackers will simply clone common email notifications of well-known brands and businesses. Non-personalised greetings – ‘Dear Sir’ instead of ‘Dear Peter’. Even legitimate newsletters often do not get the greeting right.

– ‘Dear Sir’ instead of ‘Dear Peter’. Even legitimate newsletters often do not get the greeting right. Sense of urgency and far-reaching consequences if a specific action is not taken – For example, you will be locked out from an account, or the account will be deleted if you do not login in the next 24 hours.

In summary, treat every email with suspicion that comes with a web link, file attachment or a request that you take action. If you are still in doubt, reach out to your friend or colleagues for a confirmation, or leave the email unanswered.

About Iron Bastion

Iron Bastion are Australia’s phishing and cybersecurity experts. We provide cybersecurity consulting with specialised solutions to combat phishing. Our team are qualified cybersecurity professionals, and all our staff and operations are based in Australia.

Contact us for a free cybersecurity consultation or sign up to our managed services today.