
7 Signs of Phishing to Watch For

Don’t be fooled.

Beware: Phishing
(Image: canva.com)
A friend received a fairly convincing phishing attempt. I'll cover the signs that showed it was bogus.

A friend recently asked me to look at an email they’d received to confirm whether it was legitimate or not.

It was not.

It was a good attempt, and probably fooled many into clicking through and potentially handing over their sign-in credentials to a crook.

I’ll review some of the signs in this email that flagged it as fake.


TL;DR:

7 Signs of Phishing

  • A message received out of the blue with no prior context.
  • A message containing no additional explanation for whatever you’re supposed to click on.
  • Bogus or meaningless filenames for promised documents.
  • Incomplete branding, like a Microsoft logo with no mention of OneDrive in an email sharing a document.
  • Your email address not appearing in the “To:” line.
  • A message consisting of an image of text, rather than a mix of images and text.
  • A bogus link destination, or a destination inconsistent with the promised document.

While any of these can happen in legitimate email, each should cause you to pause, and multiple instances in the same email should cause you to question the legitimacy of the message.

Our example

Phishing email
Phishing email. Click for larger image. (Screenshot: askleo.com)

I’ve intentionally blurred out a few items for privacy, but:

  • The blurred-out name in the “FYI: Data received from” subject line is someone my friend knows and has corresponded with in the past.
  • The blurred-out name and email address in the “From:” line ending in “@akc.org” matches my friend’s contact.
  • The blurred-out “To:” line is the same email address as the sender.

The email seems to contain a document shared by the sender for my friend to open and read. The icon suggests it’s a spreadsheet. Since the Microsoft logo is included, one might expect it to be shared online in OneDrive.

And of course, the email closes with an official-looking business-like signature from the sender.

There are many lies in this message.

Clues you can use

It’s important to point out that any of these items are clues, not absolute indicators. Any of these can occur in legitimate emails as well.

1: Lack of preceding context

While my friend knows the sender and has had email conversations with them in the past, it had been months. There was no current email conversation of which this might have been a part. It arrived completely unexpected, out of the blue.

2: Lack of included context

There’s nothing within the email message to give it any context. “You have been granted access to a secured document file”[1] — great! But what does it contain? Why have I been given access? What am I supposed to do with it, other than the implied open?

3: Lack of an informative file name

Normally, files are given names that indicate their content.

4: Microsoft logo without mention of OneDrive

Microsoft is not likely to share a link to a file on OneDrive without explicitly promoting the fact that it’s on OneDrive. Everything is a marketing opportunity, and that this wasn’t treated as such might imply that Microsoft was not really involved.

5: The email wasn’t “to” my friend

The email didn’t show my friend’s email address at all — they were BCC’d. This was suggested by the fact that the email appeared to be sent from someone to themselves.

6: The entire box was an image

The entire box containing the “You have been granted” text, the document icon, the document name, the Open Document button, the Microsoft logo, and more was a single giant image. Clicking anywhere would take you somewhere. (The image might have been shown because it was included with the email and not a remote fetch, which is normally blocked, or because my friend had the sender’s address in contacts or as an “always allow images” setting.) A legitimate email will typically be a combination of text and images, not just a single image that looks like text.

7: The destination was bogus

Given that the email was attempting to look like a Microsoft email (because of the logo) linked to a Microsoft document (the Excel-like icon), implying it would be shared on a Microsoft property like OneDrive, we’d expect the link to go to a Microsoft-owned domain. Hovering anywhere over the image showed that the destination URL was no such thing. It went to a domain similar to “48c0ef1.somerandomservice.com”. I’m not mentioning the specific domain (somerandomservice.com is my own) because sometimes spammers own them, but more often, it’s someone else’s domain that’s been hacked and put into service for this type of thing.

Again, I have to point out that many of these clues occur in legitimate email. And some — like a bogus destination — are more strongly indicative of a problem than others. The important takeaway here is:

  • All of these clues were visible simply by taking the time to look at and think about the message before acting on it.
  • The presence of multiple clues strongly implies that this was a phishing attempt.

More clues you can look for

One of the first things I did when my friend asked me about this email was to take a look at the email headers you don’t normally see.

Email headers
Email headers. Click for larger image. (Screenshot: askleo.com)

They were much longer than those shown above. The results were difficult to interpret, and to my casual eye, inconclusive at first glance.

However, we have tools for this type of thing. MxToolbox has an email header analyzer. Copy/paste the headers from an email message, and it’ll perform a number of interpretations and validations on the information. Most tellingly in this example, near the top of the results was this:

Deliverability Info from Email Headers
Deliverability info from email headers. (Screenshot: askleo.com)

To grossly oversimplify:

  • SPF is an email standard that lets a domain publish which mail servers are authorized to send email on its behalf, so a receiving server can check whether a message actually came from one of them.
  • DKIM is an email standard that attaches a cryptographic signature to a message, so a receiving server can confirm it was sent (and not altered in transit) by the domain that signed it.

This message failed both tests, further cementing our evaluation that it was spam.
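Three of the clues above (5: you are not in the “To:” line, 7: the link goes somewhere the branding doesn’t justify, and the SPF/DKIM verdicts MxToolbox pulled from the headers) can be read mechanically from the raw message. The script below is an added example, not code from Ask Leo! or MxToolbox; it parses a constructed message modelled on the one described (same sender-domain and link-domain shapes, made-up addresses) and a constructed legitimate counterpart, reading the SPF and DKIM verdicts from the Authentication-Results header that a receiving mail server adds, checking whether your address appears in To:/Cc:, and comparing every link’s registered domain against an assumed allow-list of Microsoft domains. The allow-list and the “last two labels” notion of registered domain are simplifying assumptions, not part of the article.

```python
import re
from email import message_from_string
from email.utils import getaddresses
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not the article's actual message): the recipient is only
# BCC'd, the receiving server's Authentication-Results header records SPF and
# DKIM failures, and the only link points at an unrelated hosting domain.
SAMPLE_PHISH = """\
From: "A. Contact" <contact@akc.org>
To: "A. Contact" <contact@akc.org>
Subject: FYI: Data received from A. Contact
Authentication-Results: mx.example.net;
 spf=fail (sender IP is 203.0.113.7) smtp.mailfrom=akc.org;
 dkim=fail (signature did not verify) header.d=akc.org
Content-Type: text/html; charset="utf-8"

<html><body>
<a href="https://48c0ef1.somerandomservice.com/share/open"><img src="cid:doc.png"></a>
</body></html>
"""

# Constructed legitimate-looking counterpart: addressed to the recipient,
# SPF/DKIM pass, and the share link stays on a Microsoft-owned domain.
SAMPLE_LEGIT = """\
From: "A. Contact" <contact@akc.org>
To: Friend <friend@example.com>
Subject: Q3 membership numbers
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=akc.org; dkim=pass header.d=akc.org
Content-Type: text/html; charset="utf-8"

<p>Here are the Q3 numbers we discussed:</p>
<a href="https://onedrive.live.com/redir?resid=EXAMPLE">Q3-membership.xlsx</a>
"""

# Assumed allow-list: registered domains a OneDrive/Microsoft share link is
# expected to land on. Tailor this to whatever brand the message claims to be.
EXPECTED_BRAND_DOMAINS = {"microsoft.com", "live.com", "sharepoint.com", "1drv.ms"}


class _LinkExtractor(HTMLParser):
    """Collects the href of every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def auth_results(msg):
    """Read the SPF and DKIM verdicts from Authentication-Results (RFC 8601).
    A method the receiving server did not report is returned as 'none'."""
    results = {"spf": "none", "dkim": "none"}
    for header in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim)=(\w+)", header, re.I):
            results[method.lower()] = verdict.lower()
    return results


def recipient_missing(msg, my_address):
    """Clue 5: your own address appears in neither To: nor Cc: (you were BCC'd)."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return my_address.lower() not in {addr.lower() for _, addr in pairs}


def registered_domain(host):
    """Last two labels of a hostname. Assumed simplification: a production
    check would consult the public-suffix list (think example.co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def offbrand_links(msg, expected_domains):
    """Clue 7: hrefs whose registered domain is not one the branding implies."""
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    parser = _LinkExtractor()
    parser.feed(body)
    return [h for h in parser.hrefs
            if registered_domain(urlparse(h).hostname or "") not in expected_domains]


def assess(raw_message, my_address, expected_domains=EXPECTED_BRAND_DOMAINS):
    """Return the list of clues that fired; an empty list means none of these did."""
    msg = message_from_string(raw_message)
    clues = []
    if recipient_missing(msg, my_address):
        clues.append("recipient not in To:/Cc: (BCC'd)")
    for method, verdict in auth_results(msg).items():
        if verdict != "pass":
            clues.append(f"{method} {verdict}")
    for href in offbrand_links(msg, expected_domains):
        clues.append(f"link to unexpected domain: {urlparse(href).hostname}")
    return clues


if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, assess(raw, "friend@example.com") or ["no clues"])
```

Only trust the Authentication-Results header that your own receiving server added (the one MxToolbox is reading in the screenshot); anything a sender includes themselves is just more text. As the article says, each clue on its own is only a clue; the value is in seeing several fire on the same message.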

Why didn’t a spam filter catch it?

So with all these indicators that the message is spam, why didn’t a spam filter catch it before it reached my friend’s inbox?

Two reasons.

First, many of the clues I list above are subjective. A spam filter, for example, won’t know that you do or don’t know someone, whether or not you’ve been having conversations with them recently, or whether the message itself contains any reasonable contextual information. These are all things only you and I can judge when we see the message and take the time to think.

Second, many of the clues, and even the SPF/DKIM failures, are common in legitimate emails. This, ultimately, is what makes fighting spam so excruciatingly difficult. Suddenly enforcing, say, DKIM compliance, would work only if every single email server and service implemented it completely and correctly, and even then, there would be side effects.[2] While possible in theory, in practice it’s just not happening.

If you click

Messages like this are phishing attempts with a very simple goal. It works like this:

  • They look legitimate (or at least relatively legitimate).
  • They promise something — either vaguely, as in our example, or important, as in fake delivery documents, or something else.
  • They include a link to click on.
  • When you click on that link, you’re taken to what appears to be a sign-in page related to the document promised.
  • The sign-in page is bogus. It only collects your sign-in credentials, which are then passed on to the hacker.

Once the hacker has your login credentials they can change the password, lock you out, and use your account to impersonate you, hack into your other accounts (perhaps including your bank), or just generally cause all sorts of mayhem.

So in our example above, clicking on the “Open Document” link would probably have taken you to something that looks like (but is not really) a Microsoft account sign-in. If you had entered your Microsoft account credentials, you would have handed them over to a crook.

Think before you click

I listed many “clues you can use” above that don’t require complex header analysis or any kind of technology. All you need to do is pay attention.

Unfortunately, in the rush of our day-to-day, it’s all too easy not to. It’s easy to simply glance at a message and act on it without fully understanding what we’re about to do.

Don’t be that person.

Think first. The time you take to do so will be well worth it compared to the alternative of possibly having your account compromised.


Footnotes & References

1: While that’s technically bad English (“document file” is redundant), and the sentence should really be terminated with a period, I’m not going to flag that as suspicious. It’s close enough, and, sadly, many legitimate senders’ English skills are poor enough that this could just as easily be legit.

2: Some years ago, for example, Yahoo mail began enforcing one aspect of their email configuration, and it caused almost all mailing lists across the internet to suddenly fail if @yahoo.com email addresses were used. Multiple mailing-list software packages had to either implement a cumbersome workaround or be abandoned.

2 comments on “7 Signs of Phishing to Watch For”

  1. What concerned me the most was: 6: The entire box was an image … Clicking anywhere would take you somewhere.

    I am careful not to click on links in pretty much all emails, but I can see I could easily accidentally do a random click without having known the danger.

    Thanks for reminding us, we can never be told too often to be careful clicking on links.

  2. I would add: Never click on a link in an email. Always type the URL in question into the address bar of your browser. That way, you won’t be going to the rogue site.
    Using a password manager like LastPass is also a layer of protection. If you accidentally click on a phishing link, the password manager won’t try to enter the password for you because the phishing site is not in their database. If your password manager can’t log in, it’s extremely likely that it’s a phishing attempt. Password managers may mess up and not enter the password on the real site, but this is rare. In any case, if this happens, look very closely at the email again.

