Almost all phishing emails begin with a call to action. This should be our first red flag that a message is suspicious. Whenever an email asks you to react immediately (usually to avoid some consequence, such as being locked out of an account, data being deleted, or the displeasure of a supervisor), take pause. Read it a second time, and then a third. Ask yourself if the request makes sense.
While rereading the email, look for inconsistencies in grammar, spelling, and style. Does the message maintain a professional tone? Are there obvious typos or strange word choices? If the email appears to be from a colleague or superior, compare the suspicious message to one of theirs. Ask yourself if the writing styles are similar. Many phishing emails originate from outside the US, are computer generated, or both. A poor grasp of written English can be a strong indicator that a message is not legitimate.
Some phishing emails appear to be form letters from a service provider, such as Microsoft. Others will appear to have been sent by someone you know, such as a boss, colleague, or friend. In both cases, the attacker can use a technique called “spoofing” to disguise their real email address behind a familiar display name. Look for the sending email address in the message header. Hover your mouse over the “From” name or address. A small popup bubble will appear showing the actual address, and it should match the address in the header. If it does not, it is almost certainly a phishing email. You can use the same technique to gather additional information about links in an email: hover over a link to see where it really points. If the email claims to be from Microsoft, but the links within point to non-Microsoft websites, treat the email with extreme suspicion.
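The two hover checks above (displayed sender versus real address, and link text versus link target) can be automated against a raw message. The script below is an added example, not LeafTech's tooling; the message, the domains, and the small brand list are all constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message: the display name claims Microsoft, but the real
# sender, the Reply-To, and the link target all point at other (made-up) domains.
RAW_EMAIL = """\
From: "Microsoft Account Team" <alerts@mail-secure-login.example>
Reply-To: support@reply-collector.example
To: user@example.com
Subject: Action required: your account will be locked
Content-Type: text/html

<p>Your account will be locked in 24 hours.</p>
<a href="https://account.mail-secure-login.example/verify">https://account.microsoft.com/verify</a>
"""

# Constructed list of brands whose name in a display name should match the sender domain.
KNOWN_BRANDS = ("microsoft", "office", "outlook")
HREF_RE = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def registered_domain(host):
    """Crude 'last two labels' domain, sufficient for a same-site comparison."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def check_email(raw):
    """Return red flags: brand in display name not matching the sender domain,
    Reply-To on a different domain, and links whose visible URL differs from the href."""
    msg = message_from_string(raw, policy=policy.default)
    flags = []
    name, addr = parseaddr(str(msg["From"]))
    from_domain = registered_domain(addr.split("@")[-1])
    for brand in KNOWN_BRANDS:
        if brand in name.lower() and brand not in from_domain:
            flags.append(f"display name claims {brand} but sender domain is {from_domain}")
    if msg["Reply-To"]:
        _, reply_addr = parseaddr(str(msg["Reply-To"]))
        if registered_domain(reply_addr.split("@")[-1]) != from_domain:
            flags.append("Reply-To domain differs from From domain")
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    for href, text in HREF_RE.findall(body):
        shown, real = urlparse(text.strip()).hostname, urlparse(href).hostname
        if shown and real and registered_domain(shown) != registered_domain(real):
            flags.append(f"link text shows {shown} but points to {real}")
    return flags
```

Run against the sample it reports three flags; a plain message from a colleague with no brand claim, no divergent Reply-To, and honest links reports none.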
These categories and the techniques they use are not comprehensive. Attackers are always attempting to find a new scheme and our own vigilance is the first step in thwarting them. When reading email, ask yourself the following:
- Does this email appear to be CEO Fraud, Account Notification Fraud, or Blackmail?
- Do the email addresses in the message header and any links within the email look suspicious or out-of-place?
- Does the email appear to be poorly-written, riddled with typos, or both?
- Does the email contain an urgent call to action?
If the answer to one or more questions is yes, it may be a phishing email. If it impersonates a colleague or supervisor, attempt to confirm with them in person. If it impersonates one of your service providers, or appears to be blackmail, check with your IT team. Under no circumstances should you reply to the email or give the attacker any additional information. Remember that if you’re suspicious, it’s probably for good reason.
Additional information about an email’s origin and legitimacy can be found in the email’s metadata. We at LeafTech have been analyzing suspicious emails for years, and we’re happy to offer this service to our customers. If you have a question about an email’s validity, let us know. We’re here to help sort the bad, the good, and the ugly in your mailbox.