How to detect email phishing the easy way

Last Updated on Wednesday, 9 November 2011 10:56 Written by jsconners Friday, 4 November 2011 05:14


Phishing can be tricky to detect sometimes, and spear-phishing, a more targeted version aimed at a specific person or organization, is even more insidious. An easy way to recall what to look for is to memorize this phrase:

“SEALs eat Phish”

What the heck does this mean, you're asking yourself... allow me to explain. SEAL is an acronym for the identifying traits of a phishing attack:

“S” is for “Sender”

While reviewing emails, start with the sender. Keep in mind that the sender's "display name" is easily faked and is never proof of who actually sent the message. You can quickly spot senders that definitely match the definition of "suspicious" when you see things like "Mary" (first name only) or "CanadianMeds". Also notice peculiarities like "Jake Smith ([email protected])" as the display name: the name outside the parentheses may be someone you recognize, but the purported email address is gibberish, and the real address in angle brackets next to it is often something else entirely.

If you still think the message may be important and safe, have a look at the Internet headers to see where it originated (refer to our posts here for guidance). And hey! You can always pick up the phone and ask Uncle Jake whether he sent you an email matching this description. If it seems bogus, just delete it; if someone cares enough, they will try to get hold of you again.
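As an added example (not part of the original post), here is a small Python script that applies the three "Sender" checks above to a raw header block and pulls out the earliest Received: line, which is the hop to read when asking where a message originated. The headers, names, addresses and domains in it are constructed for illustration, not taken from a real message.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample header block (not a real message). It shows the pattern
# "display name carries a familiar-looking address, real address is gibberish".
SUSPICIOUS_HEADERS = """\
Received: from mx.example.com (mx.example.com [192.0.2.10]) by inbox.example.com; Fri, 4 Nov 2011 05:14:00 -0500
Received: from [203.0.113.45] (unknown [203.0.113.45]) by mx.example.com; Fri, 4 Nov 2011 05:13:58 -0500
From: "Jake Smith (jake.smith@example.com)" <qx7y1@mail-blast.example.net>
Reply-To: Jake Smith <jake.smith@example.com>
Return-Path: <bounce-4431@mail-blast.example.net>
Subject: Quick favour
"""

# Constructed clean message for comparison.
CLEAN_HEADERS = """\
From: Jake Smith <jake.smith@example.com>
Subject: Lunch?
"""

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an address ('' if there is none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def sender_flags(raw_headers: str) -> list[str]:
    """Apply the 'S' checks to a raw header block and return human-readable findings."""
    msg = message_from_string(raw_headers)
    display, address = parseaddr(msg.get("From", ""))
    if not address:
        return ["From header has no parseable address"]
    from_domain = domain_of(address)
    flags: list[str] = []

    # Trait 1: no display name, or a single word such as "Mary" or "CanadianMeds".
    if not display:
        flags.append("no display name")
    elif " " not in display.strip() and "@" not in display:
        flags.append(f"display name is a single word: {display!r}")

    # Trait 2: the display name shows an address that is not the real sender.
    for shown in EMAIL_RE.findall(display):
        if domain_of(shown) != from_domain:
            flags.append(f"display name shows {shown} but mail is really from {address}")

    # Trait 3: replies or bounces are routed to a different domain than the From.
    for header in ("Reply-To", "Return-Path"):
        _, other = parseaddr(msg.get(header, ""))
        if other and domain_of(other) != from_domain:
            flags.append(f"{header} domain {domain_of(other)} differs from From domain {from_domain}")
    return flags


def origin_hop(raw_headers: str) -> str:
    """Each relay prepends its own Received: line, so the LAST one is the first hop,
    i.e. where the message entered the mail system. Read that one to see the origin."""
    received = message_from_string(raw_headers).get_all("Received") or []
    return received[-1].strip() if received else ""


if __name__ == "__main__":
    for finding in sender_flags(SUSPICIOUS_HEADERS):
        print("FLAG:", finding)
    print("origin hop:", origin_hop(SUSPICIOUS_HEADERS))
```

Two things to keep in mind when using this: the checks are heuristics, so a legitimate mailing-list message will trip the Return-Path rule, and Received: lines above the first hop are written by the sender's own servers and can be forged; only the line added by your own mail server is trustworthy.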

“E” is for “Expectation”

If the sender passes muster, read the message and ask yourself, "What does the sender expect me to do based on this email?" Email-based attacks use social engineering to gain your trust and get you to do something: click a link to visit a hostile site, view some spam advertising, or open an attachment. Pressure to act right now (a deadline, a threat to close your account, a boss who needs a favour "before the meeting") is the classic tell. If it seems suspicious, it is probably better to delete it and take no action.

“A” is for “Attachment”

One of the most common attack vectors is attached files: PDF and Word documents as well as executables (those ending in ".exe", for instance). These should send up red flags immediately. I always run an attachment through several rounds of multiple scanning engines, like those hosted by http://www.virustotal.com, and even then I tend to open it in Notepad or TextEdit (on the Mac) to see whether I can read the text strings in it, rather than opening it in Word, for instance, where embedded macros can execute. Keep in mind that uploading a file to a public scanner shares it with that service, so for anything confidential look up the file's hash instead of the file itself.
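Added example, not from the original post: a Python script that walks the attachments of a constructed message, flags the traits described above (an executable or double extension, a Windows "MZ" header hiding behind a document name, JavaScript inside a PDF), computes a SHA-256 hash you can look up on a multi-engine scanner without uploading the file, and pulls out the readable strings the same way opening the file in Notepad would. Both attachment payloads are fabricated stand-ins, not real malware, and the extension lists are my own assumptions.

```python
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage

# Constructed payloads (NOT real malware): a fake PE header followed by a few
# readable strings, and a minimal PDF body carrying an auto-run script action.
FAKE_EXE = (b"MZ\x90\x00\x03\x00" + b"\x00" * 10
            + b"CreateProcessA\x00WinExec\x00http://update.example.net/drop.bin\x00")
FAKE_PDF = b"%PDF-1.4\n1 0 obj << /OpenAction << /S /JavaScript /JS (app.alert('hi')) >> >> endobj\n"

# Assumed lists; extend them to taste.
RISKY_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs",
             ".hta", ".jar", ".ps1", ".docm", ".xlsm"}
DOC_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".rtf"}


def build_sample_message() -> bytes:
    """Assemble a constructed test message carrying the two fake attachments."""
    msg = EmailMessage()
    msg["From"] = "Accounts <accounts@example.org>"
    msg["To"] = "you@example.com"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please review the attached invoice.")
    msg.add_attachment(FAKE_EXE, maintype="application", subtype="octet-stream",
                       filename="invoice.pdf.exe")
    msg.add_attachment(FAKE_PDF, maintype="application", subtype="pdf",
                       filename="invoice.pdf")
    return bytes(msg)


def sha256_hex(data: bytes) -> str:
    """Hash to look up on a scanner instead of uploading a possibly confidential file."""
    return hashlib.sha256(data).hexdigest()


def printable_strings(data: bytes, min_len: int = 6) -> list[str]:
    """Runs of printable ASCII, i.e. what you would see opening the file in Notepad."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def triage_attachments(raw: bytes) -> list[dict]:
    """Per attachment: filename, sha256, red flags, and readable strings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        pieces = name.lower().split(".")
        ext = "." + pieces[-1] if len(pieces) > 1 else ""
        flags = []
        if ext in RISKY_EXT:
            flags.append(f"executable extension {ext}")
        if len(pieces) > 2 and "." + pieces[-2] in DOC_EXT:
            flags.append("double extension disguised as a document")
        if data.startswith(b"MZ"):
            flags.append("starts with a Windows PE 'MZ' header")
        if ext in DOC_EXT:
            flags.append("document format that can carry macros or scripts")
        if b"/JavaScript" in data or b"/JS" in data:
            flags.append("PDF contains a JavaScript action")
        report.append({"name": name, "sha256": sha256_hex(data),
                       "flags": flags, "strings": printable_strings(data)})
    return report


if __name__ == "__main__":
    for entry in triage_attachments(build_sample_message()):
        print(entry["name"], entry["sha256"])
        for flag in entry["flags"]:
            print("  FLAG:", flag)
        print("  strings:", entry["strings"])
```

The script never executes or renders anything; it only decodes the MIME part and looks at bytes, which is the whole point of the Notepad trick. The string dump is where you typically see the giveaway (a download URL, Windows API names, a PowerShell one-liner) before any scanner has a signature.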

“L” is for “Links”

This is the most prolific attack vector by far. Lots of folks are becoming aware of attachments, but links are still SOoooo tempting to click. Often they lead to spam sites, but so-called "drive-by" malicious sites are on the rise. These exploit unpatched web browsers (and browser plugins) to deliver a malicious file called a trojan dropper to your machine, which leads to a malware infection. Links can be checked with services like http://www.urlvoid.com/, which will scan a URL (link) and report whether it is known to be malicious. Note: make sure you are checking the actual link "target" and not the "display text", which are two different things. A common technique is to create a link that says "Wally World Holidays" (for instance) but actually sends you to a phishing site. You can right-click and choose "Copy Link Address" in Windows and paste that URL into the link-scanning service; hovering over the link usually shows the real target in the status bar too. Never click the link to find out where it goes.
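Added example (not the author's code): a Python script that pulls every link out of a constructed HTML body and compares the visible text with the real target, which is exactly the display-text-versus-target confusion described above, plus a check for targets that are bare IP addresses. The domains and IP are made up for illustration, and the `base_domain` helper is an assumed two-label heuristic that mis-handles suffixes like co.uk, so treat it as a tripwire rather than a verdict.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed HTML body (not from a real message). Link 1 shows a real-looking
# domain as its text but points elsewhere; link 2 is honest; link 3 uses a bare IP.
SAMPLE_HTML = """<p>Book today at
<a href="http://login-secure.example.net/wally/">www.wallyworld.example.com</a>,
browse <a href="https://www.wallyworld.example.com/holidays">Wally World Holidays</a>,
or <a href="http://198.51.100.7/verify">verify your booking</a>.</p>"""

LOOKS_LIKE_URL = re.compile(r"^(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:/\S*)?$", re.I)
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


class AnchorCollector(HTMLParser):
    """Collect (target href, visible text) pairs for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []       # list of (href, visible text)
        self._href = None     # href of the <a> currently open, if any
        self._text = []       # text fragments seen inside it

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            visible = " ".join("".join(self._text).split())  # collapse whitespace
            self.links.append((self._href, visible))
            self._href = None


def base_domain(host: str) -> str:
    """Assumed heuristic: the last two labels. Wrong for public suffixes like co.uk."""
    return ".".join(host.lower().split(".")[-2:])


def link_flags(html: str) -> list[dict]:
    """For each link: the real target, the text the reader sees, and any red flags."""
    parser = AnchorCollector()
    parser.feed(html)
    results = []
    for href, text in parser.links:
        target_host = urlparse(href).hostname or ""
        flags = []
        if IPV4.match(target_host):
            flags.append("target is a bare IP address")
        if LOOKS_LIKE_URL.match(text):
            # The visible text claims to be an address: does it agree with the target?
            shown_host = urlparse(text if "://" in text else "http://" + text).hostname or ""
            if base_domain(shown_host) != base_domain(target_host):
                flags.append(f"text names {shown_host} but target is {target_host}")
        results.append({"href": href, "text": text, "flags": flags})
    return results


if __name__ == "__main__":
    for link in link_flags(SAMPLE_HTML):
        print(f"{link['text']!r} -> {link['href']}")
        for flag in link["flags"]:
            print("  FLAG:", flag)
```

A link whose text is a plain phrase ("Wally World Holidays") cannot be judged this way, since there is nothing to compare; for those you still have to copy the target and look it up, which is the manual step the section describes.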

Hope this helps. With a little mindfulness, you will be "catching way more phish"!
