{"id":8575,"date":"2023-03-01T17:02:28","date_gmt":"2023-03-01T21:02:28","guid":{"rendered":"https:\/\/tcn.tidbits.com\/?p=9714"},"modified":"2023-03-01T18:58:48","modified_gmt":"2023-03-01T22:58:48","slug":"a-practical-guide-to-identifying-phishing-emails","status":"publish","type":"post","link":"https:\/\/www.macworks.com\/blog\/a-practical-guide-to-identifying-phishing-emails\/","title":{"rendered":"A Practical Guide to Identifying Phishing Emails"},"content":{"rendered":"<p>Phishing is becoming an ever more common way for people to get in trouble when using the Internet. A phishing attack is some communication, usually an email, that tries to lure you into revealing login credentials, financial information, or other confidential details.<\/p>\n<p>A <a href=\"https:\/\/venturebeat.com\/security\/report-phishing-attacks-jump-61-in-2022-with-255m-attacks-detected\/\" target=\"_blank\" rel=\"noopener\">State of Phishing report<\/a> from security firm SlashNext claims that there were more than 255 million phishing attacks in 2022, a 61% increase from the year before. Luckily, according to the <a href=\"https:\/\/www.phishingbox.com\/downloads\/Verizon-Data-Breach-Investigations-Report-DBIR-2022.pdf\" target=\"_blank\" rel=\"noopener\">Verizon Data Breach Investigations Report<\/a> for 2022, only 2.9% of employees click through from phishing emails, but with hundreds of millions of email addresses targeted, the raw numbers are still high. We\u2019ve been noticing\u2014and hearing from clients\u2014that phishing emails are also slipping through spam filters more than in the past.<\/p>\n<p>To help you avoid falling prey to phishing tricks, check out our example screenshots below from real phishing emails, complete with annotations calling out the parts of a message that give it away. All phishing emails are trying to lure you into clicking a link or button to a website that will encourage you to enter your password or other confidential information. Once you realize that a message is a phishing attack, you won\u2019t get suckered into clicking a link or revealing your personal information.<\/p>\n<h3>Fake Password Expiration Scam<\/h3>\n<p>Our first example is a password expiration scam\u2014it\u2019s trying to get you to click a button to keep your password from expiring. What\u2019s ironic about this scam is that passwords should never expire\u2014forcing users to change them regularly is terrible security practice. If a password is strong and unique, there is no reason to change it unless the site suffers a breach. Let\u2019s look at what identifies this message as a phishing attack.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-9717\" src=\"https:\/\/macworks.com\/blog\/wp-content\/uploads\/2023\/03\/a-practical-guide-to-identifying-phishing-emails.png\" sizes=\"auto, (min-width: 0px) and (max-width: 480px) 480px, (min-width: 481px) and (max-width: 980px) 980px, (min-width: 981px) 1024px, 100vw\" srcset=\"https:\/\/macworks.com\/blog\/wp-content\/uploads\/2023\/03\/a-practical-guide-to-identifying-phishing-emails-3.png 980w, https:\/\/macworks.com\/blog\/wp-content\/uploads\/2023\/03\/a-practical-guide-to-identifying-phishing-emails-4.png 480w\" alt=\"\" width=\"1024\" height=\"848\" \/><\/p>\n<ol>\n<li>Note that the Reply-To address is generic and doesn\u2019t match either the email domain used throughout the message or even a major email service provider, which would never send such a message.<\/li>\n<li>Using your email address instead of your name is something scammers do to make the message seem personalized. If this email really came from your IT support staff, they\u2019d be more likely to use your name or leave the email address out. And they\u2019d never send such a message either.<\/li>\n<li>The body of the message uses likely words, but they don\u2019t quite sound like a native English speaker wrote them. The phrasing is slightly off, and quoting words like \u201csend and receive\u201d while not quoting the button name feels strange.<\/li>\n<li>Be careful of things that look like buttons\u2014we\u2019re trained to click them without thinking. In many email apps, you can hover the pointer over a button or link to see where it will go. If you look at the URL at the bottom of the window, you can see that it\u2019s completely different from any other domain listed\u2014a clear sign that this is a phishing message.<\/li>\n<li>\u201cSee full terms and conditions\u201d is a strange thing to say in a password-expiration message. What terms and conditions could possibly apply? This is an example of someone who\u2019s not a native English speaker throwing in random phrases they\u2019ve seen elsewhere.<\/li>\n<li>The copyright line is a similar tell. No organization would go to the effort of claiming copyright on a simple support message, and even if it did, it would use its name, not \u201cEmail server.\u201d<\/li>\n<\/ol>\n<h3>Spurious Account Access Scam<\/h3>\n<p>Our second example pretends to be alerting you to a sign-in to your email account, with the goal of trying to scare you into resetting your password. Frankly, this phishing email stands a good chance of fooling people. You have no way of knowing if your account has been compromised, and if it were compromised, resetting your password is the right thing to do. However, <i>never click through from an email to change a password!<\/i> You can\u2019t tell if you\u2019re on the right site. Instead, navigate to the site manually, log in, and then change the password. Persuasive though this message is, it does make some mistakes.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-9715\" src=\"https:\/\/macworks.com\/blog\/wp-content\/uploads\/2023\/03\/a-practical-guide-to-identifying-phishing-emails-1.png\" sizes=\"auto, (min-width: 0px) and (max-width: 480px) 480px, (min-width: 481px) and (max-width: 980px) 980px, (min-width: 981px) 1024px, 100vw\" srcset=\"https:\/\/macworks.com\/blog\/wp-content\/uploads\/2023\/03\/a-practical-guide-to-identifying-phishing-emails-5.png 980w, https:\/\/macworks.com\/blog\/wp-content\/uploads\/2023\/03\/a-practical-guide-to-identifying-phishing-emails-6.png 480w\" alt=\"\" width=\"1024\" height=\"878\" \/><\/p>\n<ol>\n<li>The capitalization of \u201cMail\u201d in the Subject and this line should give you pause. Most people wouldn\u2019t capitalize the word, or they\u2019d refer to something more specific, like your \u201cGmail\u201d or \u201cOutlook\u201d account.<\/li>\n<li>Another slight strike against this message is the specificity in the timestamp. There\u2019s no reason to include the seconds or the time zone, and most normal people wouldn\u2019t.<\/li>\n<li>There are three mistakes in this line that could tip off a savvy Internet user. It claims to provide the IP address from which the sign-in occurred, but real IP addresses are four sets of numbers from 0 to 255. This one has five sets of numbers, the first of which is way too high at 719. The missing space before the parenthetical makes it look wrong, and finally, the parenthetical claim that the IP address is located in Moscow is overdoing it by invoking scary Russian hackers.<\/li>\n<li>Note that the \u201creset your password\u201d link doesn\u2019t have an underline, unlike the other two links. Again, that could happen in a legitimate message, but it\u2019s another slight tell. Hovering over the link reveals the fleek.ipfs.io URL at the bottom\u2014clearly nothing associated with your email account and a dead giveaway.<\/li>\n<li>A line saying \u201cPlease do not reply to this message\u201d is commonplace in transactional messages, so it makes the message seem more real, but a real warning from an IT department would want to make sure you could contact the support staff.<\/li>\n<\/ol>\n<h3>Fraudulent DocuSign Confirmation<\/h3>\n<p>Our final example pretends to be confirmation of a document that you\u2019ve already signed in DocuSign. That\u2019s more clever than trying to get you to sign a document (which we\u2019ve seen in other phishing messages) because most people won\u2019t sign something without looking at it carefully. But you might want to see what document this message is talking about and be suckered into clicking through. What\u2019s trickiest about this message is that it has merely changed some of the text in a real DocuSign message, so someone familiar with DocuSign might think it was real. But there are always giveaways.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-large wp-image-9716\" src=\"https:\/\/macworks.com\/blog\/wp-content\/uploads\/2023\/03\/a-practical-guide-to-identifying-phishing-emails-2.png\" alt=\"\" width=\"935\" height=\"1024\" \/><\/p>\n<ol>\n<li>The Subject line of this message is a tell because its grammar is atrocious.<\/li>\n<li>The Reply-To address should also ring warning bells because it\u2019s so generic that it couldn\u2019t possibly go with an organization with which you were signing documents.<\/li>\n<li>The yellow line claiming that the email has been scanned for viruses will likely seem unusual to you\u2014even if an email app presented such a message, it likely wouldn\u2019t do so in the body of the message.<\/li>\n<li>There\u2019s nothing wrong with the View Completed Documents button, which looks exactly as it would in a real DocuSign message. However, hovering over it reveals the URL at the bottom, which has nothing to do with docusign.net.<\/li>\n<li>Someone familiar with DocuSign messages might notice that there\u2019s no email address under \u201cAdministrator,\u201d as there should be. But that\u2019s a long shot, we know.<\/li>\n<li>As with an earlier example, personalizing with an email address is a definite tell. A real person would have entered your name there, if anything.<\/li>\n<li>Once again, the phrasing isn\u2019t what a native English speaker would say, but even more problematic is how it asks you to sign the enclosed file, whereas the text and button in the blue box say that the document is completed. The mismatch is a complete giveaway.<\/li>\n<\/ol>\n<p>We didn\u2019t have room to show the rest of this message, which adds to the verisimilitude by continuing to copy text from a real DocuSign message. The two remaining tells further down are links that are empty when you hover over them and an unknown name in the fine print at the bottom, which reads (bold added for emphasis):<\/p>\n<blockquote><p>This message was sent to you by <b>sefanya maitimoe<\/b> who is using the DocuSign Electronic Signature Service. If you would rather not receive email from this sender you may contact the sender with your request.<\/p><\/blockquote>\n<h3>Overall Advice<\/h3>\n<p>Let\u2019s distill what we\u2019ve seen in the examples above into advice you can apply to any message:<\/p>\n<ul>\n<li>Pay close attention to emails that are very simple, like our second example above, because there\u2019s less they might get wrong.<\/li>\n<li>With legitimate-looking messages copied from large firms like DocuSign or PayPal, pay special attention to unfamiliar names and email addresses.<\/li>\n<li>Don\u2019t click anything in an email unless you\u2019ve given it a close-enough look that you\u2019re sure it\u2019s legitimate. It\u2019s too easy to skim and click without thinking, which the scammers count on.<\/li>\n<li>Read the text of messages with an eye for capitalization, spelling, and grammatical mistakes. Scammers could write correct English, but if they don\u2019t speak the language natively, they\u2019re likely to make mistakes.<\/li>\n<li>Evaluate any claim about something happening within your organization against what you know to be true. It\u2019s always better to ask someone if passwords need to be reset or accounts are being deactivated instead of assuming a random email message is true.<\/li>\n<li>Fight the urge to click big, legitimate-looking buttons. They\u2019re easy to make and hard to resist, but if you can preview the URL under one before clicking, it will often reveal the scam.<\/li>\n<li>None of our examples fell into this category, but if an email message is just an image that\u2019s being displayed in the body, it\u2019s certainly fake.<\/li>\n<\/ul>\n<p>Stay safe out there!<\/p>\n<p>(Featured image by iStock.com\/Philip Steury)<\/p>\n<hr \/>\n<p>Social Media:<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Phishing is becoming an ever more common way for people to get in trouble when using the Internet. A phishing attack is some communication, usually an email, that tries to lure you into revealing login credentials, financial information, or other confidential details. A State of Phishing report from security firm SlashNext claims that there were [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":8576,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9,69,106,112,185,104],"tags":[],"class_list":["post-8575","post","type-post","status-publish","format-standard","has-post-thumbnail","category-apple","category-apple-consulting-ct","category-apple-support-ct","category-mac-support-ct","category-mactech","category-security"],"_links":{"self":[{"href":"https:\/\/www.macworks.com\/blog\/wp-json\/wp\/v2\/posts\/8575","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.macworks.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.macworks.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.macworks.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.macworks.com\/blog\/wp-json\/wp\/v2\/comments?post=8575"}],"version-history":[{"count":1,"href":"https:\/\/www.macworks.com\/blog\/wp-json\/wp\/v2\/posts\/8575\/revisions"}],"predecessor-version":[{"id":8580,"href":"https:\/\/www.macworks.com\/blog\/wp-json\/wp\/v2\/posts\/8575\/revisions\/8580"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.macworks.com\/blog\/wp-json\/wp\/v2\/media\/8576"}],"wp:attachment":[{"href":"https:\/\/www.macworks.com\/blog\/wp-json\/wp\/v2\/media?parent=8575"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.macworks.com\/blog\/wp-json\/wp\/v2\/categories?post=8575"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.macworks.com\/blog\/wp-json\/wp\/v2\/tags?post=8575"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}