By: Karim Bakhsh Amiry
July 24, 2020
How to Investigate Phishing Emails
Once upon a time, there was a guy called Ahmad. Ahmad was an employee in an organization, and one day he received an email from the finance manager with an attachment to fill in for financial purposes. He pressed the download button to open the file and fill it in, but something unusual happened. The screen went off and then locked completely, showing a warning. The organization's systems had been hacked and infected by ransomware, and all of its data had been encrypted. Paying the ransom was one option they had; the other was to give up the organization's data.
Phishing is a category of online scam in which criminals send emails that appear to come from a legitimate company and ask the receiver to perform a desired action. Phishing is normally done by placing a link in the email that appears to take you to a company's website and/or prompts you to fill in your information. In a phishing scam, however, the website is fake, and the information provided is sent to the people behind the scam (Wikipedia definition). But that is not the only form it takes. This type of email can lead to giving up credit card information, credentials for a particular service or social media account, or other sensitive personal information, or to the receiver taking an action the attacker expects, such as downloading a malicious file. According to the 2019 Verizon Data Breach Investigations Report (DBIR), phishing is one of the top action varieties associated with security incidents.
Investigating and analyzing a phishing email is far easier if one follows these steps and verifies each of the following points.
Check the Sender's Email Address
The sender's email address should be checked and double-checked, as there is more than one way to trick the receiver. Few organizations send email to their customers from public domains, and certainly not giants like Facebook, Twitter, TEDed, and others. (Some small businesses, on the other hand, still use public domains such as Gmail for their email.) So, if the email claims to be on behalf of a well-known and reputable organization with a dedicated domain, make sure the domain of the email address is not a public one. Facebook will never send you an email from a Gmail account, for instance. Secondly, check the spelling of the domain name letter by letter. The human mind is so clever that it fixes errors while reading, even when a word is not written correctly. Say we take Spring Field as an organization that has a Finance Manager called Jordan Smith. His email address is email@example.com. Employees in this organization receive an email with a form to fill in from firstname.lastname@example.org, and they all do what is asked. But they have all been tricked, and I can safely say most of you were tricked as well: in this second email address, "Field" is misspelled as F-E-I-L-D. One can easily be deceived into giving out sensitive financial information, assuming the email is from the manager. So, checking the sender's domain name, both for being a public domain (where relevant) and for correct spelling, is critical.
Some email applications don't show the sender's full email address. Hence, you have to take an extra step and check the sender's complete details; how to do this differs between email applications.
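The two sender checks described above (public webmail behind an organizational name, and a lookalike spelling of a trusted domain) can be automated for mail triage. The following is an added example written for this page, not code from the article or from any mail product; the trusted-domain list, the webmail list and the "springfeild.example" addresses are constructed placeholders under reserved TLDs, with "springfield.example" standing in for the article's fictional Spring Field company.

```python
from __future__ import annotations

import difflib
from email.utils import parseaddr

# Constructed allowlist: the domains this organisation and its known partners send
# from. "springfield.example" is a placeholder for the article's fictional company.
TRUSTED_DOMAINS = ("springfield.example", "bank.example")

# Public webmail domains a reputable organisation would not send official mail from.
PUBLIC_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}


def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain of an RFC 5322 From: header value, or ''."""
    _display_name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower()


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS, cutoff: float = 0.85) -> str | None:
    """Return the trusted domain that `domain` closely resembles, or None.

    An exact match is not a lookalike. difflib's similarity ratio catches the
    transposed-letter trick (field -> feild) that the eye tends to autocorrect.
    """
    if domain in trusted:
        return None
    matches = difflib.get_close_matches(domain, trusted, n=1, cutoff=cutoff)
    return matches[0] if matches else None


def assess_sender(from_header: str, claims_organisation: bool = True) -> list:
    """Return human-readable findings for a From: header.

    An empty list means neither check fired. `claims_organisation` is True when the
    display name or message body presents the sender as a company rather than a person.
    """
    findings = []
    domain = sender_domain(from_header)
    if not domain:
        return ["sender address could not be parsed"]
    if claims_organisation and domain in PUBLIC_WEBMAIL:
        findings.append(f"claims to be an organisation but was sent from public webmail ({domain})")
    near = lookalike_of(domain)
    if near:
        findings.append(f"domain {domain} is a lookalike of trusted domain {near}")
    return findings


if __name__ == "__main__":
    for header in (
        "Jordan Smith <jordan.smith@springfield.example>",  # genuine
        "Jordan Smith <jordan.smith@springfeild.example>",  # transposed letters
        "Facebook Security <security@gmail.com>",           # brand name on public webmail
    ):
        print(header, "->", assess_sender(header) or "no findings")
```

The similarity cutoff of 0.85 is a tuning choice: high enough that unrelated domains never match, low enough that a single transposition or substitution in a domain of this length still does. The check only sees the From: header, so on real mail it should sit alongside SPF/DKIM/DMARC results rather than replace them.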
The salutation in phishing emails is usually impersonal, addressing the receiver as "dear user," "dear customer," "dear valuable user," and so on. Legitimate companies, educational websites, social media websites, and entertainment platforms, for instance, address their receivers by name. You can see this in emails from Facebook, Gmail, FutureLearn, Cybrary, and many other enterprises and small organizations. This is not a strong red flag on its own, though, because sometimes even legitimate companies send emails with an impersonal salutation or no salutation at all. TEDed, for instance, sends daily emails to subscribers addressing them as "Dear parents, teachers, and students." An impersonal salutation does not necessarily mean an email is phishing, nor does a personal one mean it is not, so caution is an important trait.
Links Are Just Like Hidden Bombs
Links are among the most harmful components of phishing emails. They can take the target to malicious websites, fake login pages, and much more. Some phishers make the entire message body a link, so clicking anywhere opens the (hyper)link and the malicious resource with it. The receiver must check the URL behind the link. The URL can be seen by hovering the pointer over the link; it is shown at the bottom-left of the browser window. Check whether the URL looks legitimate or not. It bears repeating that if an email is at all suspicious, none of its links should be clicked.
Haven't Phishers Learned How to Write English Properly?
The content of phishing emails often contains mistakes in grammar, punctuation, and even in the choice of language. Even some easy-to-spell words are spelled wrong. But why is that? One reason is that many of the attackers sending these emails are from non-English-speaking countries, so they make serious mistakes that can't easily be overlooked. Mistakes can also be introduced intentionally to dodge spam filters. A reputable company knows how to spell words, where to use a comma, and which tone to use, but this is often not the case for phishers. However, an email without a single mistake in its content is not necessarily free of phishing. Conversely, an email containing mistakes and errors is not necessarily phishing; think of emails from colleagues, college professors, friends, or associates. So treat writing errors as a signal only in otherwise suspicious emails.
Take Care with Attachments
Phishing emails often carry malicious attachments containing a payload (malicious code that runs when the file is opened) or other malware such as worms and viruses. Treat every attachment with care and do not open it under any circumstances until you are sure of the email's validity.
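Before anyone opens an attachment, a triage script can list what a reported message actually carries and flag the common disguises: an executable or script extension, a double extension such as "Form.pdf.exe", and a file whose name says PDF but whose bytes do not start with a PDF header. This is an added example for this page, not code from the article; the raw message, the sender domain and the attachments are constructed (the "executable" is the word "fake" base64-encoded), and the extension list is a short illustrative one rather than a complete policy.

```python
import email
import os
from email import policy

# Extensions that commonly carry executable content or macros. Constructed,
# deliberately short list for illustration; a real policy would be longer.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso", ".docm", ".xlsm"}

# Constructed raw message with placeholder addresses under the reserved .example TLD.
SAMPLE_RAW = b"""From: Finance Manager <finance@springfeild.example>
To: staff@springfield.example
Subject: Fill in this form within 1 hour
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please fill in the attached form today.
--b1
Content-Type: application/octet-stream; name="Form.pdf.exe"
Content-Disposition: attachment; filename="Form.pdf.exe"
Content-Transfer-Encoding: base64

ZmFrZQ==
--b1
Content-Type: application/pdf; name="Policy.pdf"
Content-Disposition: attachment; filename="Policy.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""


def attachment_findings(raw: bytes) -> dict:
    """Map each attachment filename to a list of findings (empty list = nothing flagged)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        findings = []
        root, ext = os.path.splitext(name.lower())
        if ext in RISKY_EXTENSIONS:
            findings.append(f"executable or script extension {ext}")
        # A second extension left in the stem ("form.pdf" -> ".pdf") is a disguise pattern.
        if os.path.splitext(root)[1]:
            findings.append("double extension, a common way to disguise the real file type")
        content = part.get_payload(decode=True) or b""
        # Declared type vs. actual content: a real PDF begins with '%PDF'.
        if ext == ".pdf" and not content.startswith(b"%PDF"):
            findings.append("named .pdf but content lacks the PDF header")
        report[name] = findings
    return report


if __name__ == "__main__":
    for filename, findings in attachment_findings(SAMPLE_RAW).items():
        print(filename, "->", findings or "nothing flagged")
```

The double-extension rule also fires on legitimate names like "backup.tar.gz", so it is a signal to weigh, not a verdict. Inspecting a header byte is likewise only a consistency check; a file that passes it can still be malicious, which is why the article's rule of not opening anything until the email itself is verified stands.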
Money does not grow on trees
The proverb above fits this part, as phishing emails sometimes claim things that are too good to be true. For example, suddenly winning an iPhone 11, a lottery, or a prize is unusual, as is someone claiming to have a large fortune and asking the receiver to help move it. These scams differ in their mechanisms and processes. Let's take the prize/lottery scam as an example. In this type of scam, the phishers send an email to the target claiming he/she has won a prize or lottery. The prize could be anything from a phone to a free tropical holiday and much more. But to proceed, the receiver must provide personal or financial information.
One more example: the Nigerian Prince scam, also known as the Nigerian 419 scam. It targets a person with an elaborate story about large amounts of money trapped in banks during events such as coups or civil wars, often in countries currently in the news. The scammers may also describe a large inheritance that is "hard to access" because of government restrictions or taxes in their country. The scammer offers the individual a large sum of money in return for helping transfer the fortune out of the country. Scammers may ask the receiver to provide his/her bank account details or to pay a fee to help release or transfer the money. All of this is done in an encouraging tone so that the receiver believes them. There are many variants of these scams, a list of which is available on Scamwatch.
Hurry Up!!! (sense of urgency)
Phishers usually rely on tactics such as fear. It is hard to find a phishing email without some sense of urgency, expressed in the subject line, in the contents, or in both. They use fear or threats, such as losing a subscription or having a bank account closed, to make the receiver do what is wanted and provide the expected information. Facebook scams, for instance, tell receivers that their account will be deleted within the next 24 hours and offer a chance to cancel the deletion, which most receivers take. Within an organization, the phisher may send an email on behalf of the Finance Manager to all employees asking them to hand over their bank account details within the next hour. This sense of urgency gives the target less time to think and exploits their emotions.
Letters' Closing and Signature Can Be an Alert
Just like the salutation, the closing of a phishing email is often impersonal as well. It may not end with a specific person's name but instead with something like "the support team" or "the survey team," which does not refer to a specific person. However, this type of closing is also common in many legitimate emails, so this indicator is weaker than the others mentioned above.
As for the signature, phishing emails' signatures mostly contain fake information, such as locations with the wrong spelling, a fake phone number that the scammers answer in case somebody is deceived, and more. In my opinion, the attackers add the signature to make the email look more valid, because most people don't go over the signature and only read as far as the sender's name.
The points above are marked and labeled in the following picture, so you can have a clearer idea of what to look for when you face a suspicious email.
Summing up, if one considers all the points above while investigating a suspicious email, it becomes far harder to take the bait. It is worth pointing out that humans can be the weakest link in cybersecurity, but the reverse is also true: a phishing email that has passed many spam filters can be caught and recognized (easily) by an employee in an organization. So, be wary, and don't hesitate to check a suspicious email.