Ready to Start Your Career?

Identifying Phishing Emails: There is Nothing Good on the Other Side of That Link!

bigfattug's profile image

By: bigfattug

May 28, 2018

Cyber security is a hot topic these days, and for good reason. People are catching on, and they are seeing the need to learn about cyber security, whether they are a personal user or a business. But where do you start? Most people are not technically savvy; they are users in one capacity or another. Even people whose jobs are based on using a computer know how to do the job they are required to do and have no interest in being more tech savvy.  They simply want to do their work and use their devices without the worry of getting a virus. So, how do you teach people to be mindful about their online activities?

Antivirus software and good passwords are not enough; you need to learn to identify potentially dangerous scenarios. You may have heard the terms “phishing” or “spear phishing” before. Wikipedia defines phishing as follows:

Phishing is the attempt to obtain sensitive information such as usernames, passwords, and credit card details (and money), often for malicious reasons, by disguising as a trustworthy entity in an electronic communication.” -

Typically, phishing campaigns are carried out through email. Just about every personal user has an email account these days, and businesses give their staff company email accounts. That means that almost everyone is a potential target of a phishing campaign. Having a good spam filter working with your email server is important. However, cyber criminals can be very good at what they do and work very hard to beat the spam filters.

Identifying a Phishing Email

We have all seen the emails from an African prince or princess whose uncle is threatening to steal their fortune, and if you help them get it out of the country, they promise to share it with you. These emails have become a running joke, but what about the email from Apple asking you to verify your account credentials or the attached invoice for services rendered? Phishing messages can be deceptive and will trick some people into giving up information or installing malware onto their computer or smartphone.

How can we tell the difference?

There are some telltale signs that give away the illusion, and I am going to show you what they are. Most phishing messages will have a link that they want you to click on. On the surface, they will look like a link pointing you to a personalized web page on their site. But if you hover your mouse pointer over the link, a popup will show what the real link is.

If the popup shows anything different than the link shown or has misspellings or anything unusual, then this is your first clue that there is nothing good on the other end of this link. To take this a step further, we can use a free online tool called Virus Total. Virus Total allows you to copy and paste a URL into a search box and scan the link. To do this, right-click on the link (be careful not to left-click or you will activate the link), choose “Copy Hyperlink,” and paste that into the Virus Total website. After you click the search icon, Virus Total will let you know if there is anything dangerous on the other end. Image and video hosting by TinyPic 

We have proven that this is a malicious link, but there are two more online tools that we can use to further identify information about this phishing campaign. The first one I am going to show you is MXToolbox. This tool lets you put in a domain name (i.e.,, which sent us the email) and run an MX lookup. MX records are email server records. It’s how email servers know where to deliver messages sent to a given email address. They take the domain portion of the email address and look for an MX record associated with that domain. This record tells the server which IP address that email server has and sends the email to that server. When we search in MXToolbox for, we get an IP address.

Image and video hosting by TinyPic

We can take this IP address and enter it into the next online tool I’m going to show you, Cisco Talos. Talos Intelligence is a reputation lookup. We can lookup the reputation of sending servers by IP address and get their location in the world. This information will be very useful in determining if you should be getting an email from that location. For example, take the IP address in the above image and paste it into the Talos Intelligence search box.

Image and video hosting by TinyPic

As you can see, the email server is in Boston. Its reputation is neutral now, but I can feel confident that I should not be getting an email from Scotiabank, with an email server in Boston regarding my account status.


This example of a phishing message was obvious, but it had all the telltale signs of a typical phishing campaign and worked for our example. The creators of this phishing campaign are playing the numbers, as not everyone will have an account with Scotiabank. I can also deduce from the information these online tools have given me that the creators of the phishing campaign have hacked the website/web sever and are using it for malicious means. They likely did not hack the email server, as it is very easy to spoof an email message and make it look like it has come from that server. We could dig deeper into the message header to find the specific IP address that did send the message, but that is beyond the scope of this tutorial. For now, it is safe to say we can block this sender and delete this message. Armed with these free tools and the knowledge of how to use them, you are better able to protect yourself and your colleagues from malicious intent. Chris Briggs - Tier 3 Technical
Schedule Demo