As an Incident Responder I see a wide variety of phishing emails every day, in all different forms and shapes, ranging from emails that contain nothing but a link to more sophisticated emails with detailed, personalised content. Even though phishing emails are such a big part of my job, not many people write about them, and even more people are not aware of the consequences a phishing email can have.
Interestingly most of the cybersecurity breaches we have nowadays actually start with a simple phishing email. To be precise, recent studies show that 91% of all breaches start with a phishing email (Source: https://techjury.net/blog/cyber-security-statistics/). Because of this, I wanted to write about phishing emails and how everybody can easily spot them.
As mentioned previously, there is a wide variety of phishing emails, some easier to spot than others. Most of the time, people rely on the sender email address to determine if an email is legitimate, but this can be spoofed very easily. Checking the sender is a good first step, but the content of the email is usually a better indicator of whether an email is malicious. So let’s take a look at different categories of phishing emails, some examples, and see what gives those emails away as phishing emails.
Note: The following categories are something that I have observed during my work and are therefore not a comprehensive list of possible phishing emails. Additionally, all the names in the example emails have been changed for privacy reasons.
1. “Let’s keep it simple” Emails
These emails are normally really easy to spot as they barely contain any text; sometimes they contain nothing but a link. These emails rely a lot on the recipient’s curiosity. I mean, who wouldn’t be curious where a link in an otherwise empty email actually goes, even if we know that it’s probably malicious?
Unless you have a friend who often sends you random links, be careful when you see emails like this. Check who sent the email and, if you are unsure, check the link in urlscan.io (I will explain this in more detail in a bit).
2. “It’s getting personal” Emails
These emails are generally a little bit harder to spot as they often contain personal information like the recipient’s name or other details. Sometimes they even contain more private details like your bank details or address. For these emails, always check the sender address and think about what they are asking you to do. Your bank will, for example, never ask you to tell them your password or any other such details.
3. “Too good to be true” Emails
No matter how badly we probably all want these emails to be real, most of the time, they are not 😢. They are themed like vouchers, gift cards, or “You Won” emails letting us believe we somehow got lucky and won some money.
For these emails, it’s often enough to check where the link would go to by simply hovering with the mouse over it. The popup will show you the actual destination, and if that is not what you are expecting, you know that the email is fake.
4. “The super important” Emails
Especially at work, we get these kinds of emails far too often. We need to change our password, revise some details, or just accept some documents. Attackers very often like to copy these emails and pressure us into clicking on one of the links. A lot of the time this is done by adding a timer or deadline to the message. Putting this pressure on the recipient makes them click on the link before they might notice that something is off with the message.
In the example email shown above, the attacker knew the first name of the user [changed for privacy], but the orange and yellow fields of the Microsoft logo were swapped and “Microsoft” was written with a Greek “f”. All these small indicators can be easily spotted once you are aware of them.
5. “Just open me” & “Tell me more” Emails
These kinds of emails are a little bit different from all the others as they don’t contain a link, which is why I won’t go into much detail about these types right now. The “Just open me” emails generally contain an attachment, which is in most cases malware. The “Tell me more” emails do not contain any link or attachment but instead ask the recipient to reply with information that could be useful for the attacker.
For both of these types of emails, you should ask yourself whether the sender the email came from and the content are what you expect. Most of the time, it is fine to ignore such an email. A serious sender will send another email as a reminder.
But of course, the problem remains, how do you know a link is legitimate?
If you are not sure whether an email is legitimate, the first step should always be to hover over the link. Even if the email is urgent and asking you to act immediately, take the time to hover with your mouse over the link. This will normally show a small pop-up, either directly at your cursor or at the bottom of the window, with the actual link.
By hiding the actual link behind different link text, it’s very easy to trick the user into believing the link goes somewhere else. This is not only possible in emails but also on websites.
Let’s take a look at an example:
This is a Google link.
If you hover over it, you will see that it actually doesn’t link to Google but to a different search engine. If you only look at the text and blindly click on it, you will be surprised to end up on a different page than you expected.
If, for example, you get an email from Amazon and you hover over the link and it shows you a link that goes to “xyz-amazing.com”, you should be more than suspicious.
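The same check a recipient does by hovering can be automated over an HTML email body: compare the visible link text with the real href and flag the ones that disagree. This is an added example and not code from the original post; the email body is constructed for the demo and the domain comparison is a deliberate simplification.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample HTML email body (not from the original post): the first
# link displays a trustworthy-looking URL but its href points elsewhere.
SAMPLE_EMAIL_HTML = """
<p>Your Amazon order needs attention. Review it here:</p>
<p><a href="https://xyz-amazing.com/login">https://www.amazon.com/orders</a></p>
<p><a href="https://www.amazon.com/help">Help Center</a></p>
<p><a href="http://203.0.113.5/track">Track package</a></p>
"""
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def base_domain(url):
    """Hostname reduced to its last two labels: 'www.amazon.com' -> 'amazon.com'.
    Simplification: public suffixes such as co.uk are not handled."""
    if "://" not in url:
        url = "http://" + url  # link text often omits the scheme
    host = (urlparse(url).hostname or "").lower()
    return host if IPV4.match(host) else ".".join(host.split(".")[-2:])


def find_deceptive_links(html):
    """Return (href, text, reason) for links whose text hides the real target."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        if IPV4.match(base_domain(href)):
            findings.append((href, text, "destination is a raw IP address"))
        elif URL_LIKE.match(text) and base_domain(text) != base_domain(href):
            findings.append((href, text, "link text names a different site"))
    return findings
```

Running `find_deceptive_links(SAMPLE_EMAIL_HTML)` reports the fake Amazon link and the raw-IP link, while the plain-text “Help Center” link to the real amazon.com domain passes.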
Still not sure if the link is malicious?
Even when hovering over the link, it is sometimes not clear whether something is malicious or actually safe to click on. To check where a link would lead us without visiting it ourselves, we can use a free service called urlscan.io.
UrlScan.io (https://urlscan.io/) is one of my favourite online tools to use for URLs. No matter if you are working in the field of Cyber Security or you just want to be more aware of phishing emails, this website is super useful. If you ever have a link in an email and you don’t know if it’s legitimate, you can copy and paste the URL into urlscan.io. Afterwards, click on “Public Scan” and the website will show you a preview of the page.
UrlScan.io will present you with a lot of different information. The most important part for you is the screenshot, which is displayed on the right of the scan result. Does the screenshot not look like the website you expected to go to? Then delete the email and block the sender. Sometimes urlscan.io is already aware of a malicious website and will tell you directly that the page is “potentially malicious”.
Final Thoughts
I wrote this article to make people more aware of phishing emails and how easily you can check links on your own. However, as mentioned previously, there are not only phishing emails with links but also some with attachments and some that just want you to reply so the attacker can gather more information about you. I still hope that this small introduction to phishing emails helps people be more careful about which links they trust and which emails are better deleted.
Thanks for reading and I would be very interested to hear your thoughts on phishing emails and what types you often get, so let me know in the comments! 😊