How do I know if an email is a phishing attempt?

Published : 2018

The heading of this blog is one  of the questions I am asked quite frequently in my security and password sessions. Specifically, how I tell personally,  if an email is a phishing attempt- and what advice I give for managers to take back to their teams and any future staff around dealing with phishing attempts.

Phishing and preventing people from being taken in by scammers is something of a focus for us – we’ve even previously written about phishing on this blog specifically from a small business perspective Phishing: The Small Business Lowdown. 

Splunk reports that an estimated 3.4 billion phishing emails are sent daily, so if you feel like it’s a large overwhelming problem, know that you aren’t alone. (https://www.splunk.com/en_us/blog/learn/phishing-scams-attacks.html)

So we’ve put together our Phishing Check List for business teams.

Whilst not exhaustive by any means, this list has served me, and my team well.

Here’s my check list –  if something doesn’t look right to me, in my inbox , this is usually how I evaluate and deal with it. Admittedly, the items have become second nature – so I don’t necessarily need a physical check list – but in case you, or your staff do – there’s a downloadable printable PDF at the end of this article.

There are 7 points – the detailed explanations follow.

Check List

  1. Are you expecting this email?
  2. Does the “From” email address look legitimate?
  3. Is there a misplaced sense of urgency in the email ?
  4. Google Search is your friend. Use it.
  5. Are there multiple typos, and massive grammar inconsistences in the email?
  6. When you hover over the link (or links) what does the preview show you for the address?
  7. If all else fails – check with the company that appears to have sent the email.

The Detailed explanations

  1. Are you expecting this email ?

Email is used to validate identity when new accounts or profiles are created , so often you may be sent an email with a “validation” link in it to confirm your email address and thus if you have just signed up for a new profile or online shopping account – then, yes, the email may be expected. And it’s highly unlikely to be a phishing attempt. Don’t overthink this one. If you’re not expecting a validation email, or a confirmation of identity for anything, then move on.

  1. Does the “From email”, in all its variations look legitimate ?

Most email clients (the programs we use to read and work with emails, rather than the actual email exchange) have tools where you can look at the details of the sender – it can be confusing as sometimes there is a “via” or the reply-to email looks different . Generally what you want to see here is that the email address you see in the name, has the same domain as the company or the sender, and, that the reply-to address isn’t necessarily completely different. Also if there is a “via” email displayed, that it makes sense.

It’s not always a problem if the email has come via another channel – for example Bank of Melbourne emails are sent to their clients via the St George email servers, so they all arrive with “via stgeorge.com.au” in the from address. Again – it’s unlikely to be a phishing attempt, if the “via” email makes sense, and you know that the company details are correct.

Phishing emails sometimes come via a channel that they do not belong to- it’s a warning flag if you see a “via” in the From address that doesn’t make sense and doesn’t match the brand or what you know about the corporate.

Screenshot Of The Header Of An Email From Momentume Energy, Showing The From Address And Reply To Address As Both From The Momentum.com.au Domain. An Indication That This Is Unlikely To Be A Phishing Attempt

3. Is there a sense of urgency, related to a deadline or time limit that feels wrong.

Assuming that this is not a validation email of some kind ( see 1. ) which you are expecting , another red flag is when an email purportedly from a bank or another financial institution arrives, demanding a login, for security purposes – and there is a limit or a deadline associated with this login.

Creating a false sense of urgency by threatening to cut off access is another tactic used to catch people in a phishing attempt. Assuming that you have not been ignoring notices for weeks from the company in question (don’t laugh, people don’t read anything that comes from a Corporate, even the legit stuff)

  1. Google Search is your friend. Use It.

When in doubt about the sender, the reply-to or the “via” – use Google Search to find out info about the company and the details shown.

As an example – if you did not know that Bank of Melbourne emails are sent via St George – go to google search and type in “ Connection between St George and Bank of Melbourne” – the search results should verify that

a) Yes, there is a connection between both banks and;

b) Bank of Melbourne is simply a rebranded St George for Victoria;

which means; we can safely assume the “via” stegorge.com.au is not a problem for an email from Bank of Melbourne

  1. Is the email badly written ?

Emails and client communications go through several layers of checks and several different team members and managers before being signed off, and then sent. This is particularly true in larger corporates.

Multiple spelling errors, and incredibly bad grammar are almost guaranteed not to happen, or very very rarely, we are human after all.

It’s a massive warning, and indication of a phishing attempt when there are a large number of typos, spelling errors and bad grammar in an email that’s meant to be coming from a corporate. Especially if the email looks like it’s deliberately done badly.

  1. What does the Link Preview tell you?

Most browsers will show you a preview of the link if you hover your mouse over the link or button. If you see a link that doesn’t match the text, and is not from a reputable link shortening service, it indicates the possibility of a phishing attempt.

Occasionally you can’t do this as  the links are shortened by services such as Goog.ly or Bit.ly – and on a touch device you can’t “hover”, however, if they are not shortened, or the site is fully responsive and mimics the hover function with a “single/double” tap functionality, you should see where you’re going before you click.

  1. Check on the website for the vendor, or call your contact at the company

After all of that – if you’re still not sure – either go directly to the website, login and check for any notifications , or pick up the phone and call whomever you normally speak to.

If the email is from a bank, or larger company – call up their call centre – and ask about the email. If it is a legitimate communication, and not a phishing attempt, they will know about it and be able to help you with the details.

Phishing Attempt Check List

There you have it – the list, plus explanations of the steps we follow to assess a suspicious email.

If you’d like a printable copy of this checklist – contact us and we’ll send one over to you by email.