How can we tell if an email message is a phishing attempt?

This article explains how you can check certain aspects of an email message to tell whether it is a phishing attempt.
by Mihai Bobriuc | Published 09/11/2022

There are various challenges in the online environment that you can overcome with flying colors if you have the information at hand to identify them quickly.
Phishing is an attempt to fraudulently obtain personal information by using various methods of impersonation (false identity).
From time to time, attackers run phishing campaigns, usually through carefully crafted email messages, with the aim of obtaining customers' personal banking information or their login details for various platforms that the attackers assume you are using.
Customers need to be vigilant and to analyze very carefully the type of message they receive.

How phishing commonly manifests:

  • The text of a phishing message is usually written with a sense of "urgency", to put you in a difficult position and make you act quickly for the so-called "resolution" of the situation.
    - Phishing messages may mention the need to (urgently) update your personal data on a specific website or link;
    - They use the visual identity of a bank, program or service that you are supposed to use;
    - The message content is visually and textually similar to a legitimate message from the entity the attackers are impersonating.

Pay attention to these things in the email message you consider suspicious:

1) Email address: From (sender)
This address may appear to be from a legitimate sender such as:
- A banking institution;
- A contact you know;
- An online service from the server (control panel, email service, etc.);
- A national/international service company (gas, electricity, telephone, internet, etc.);
- An online store selling products and promotions;
- A social network.

2) Email address: Reply-To or Return-Path (the recipient of the reply)
This address (the attacker's address) will be different from the sender's, which is a red flag.
The address will always be displayed in the additional information in the message headers.

You will be able to view the headers using the options provided by the email client used. Generally you will search for the following keywords: Headers, View Headers, All Headers, View Source. For example, in the case of the Thunderbird application, click in the top left on View -> Headers -> Then click on All, to see the complete headers of the message.

Inside the headers, the fields that say where a reply or returned message goes (that is, to the attacker) are usually the first ones from the top and begin with text such as: Return-Path: or Reply-To:

If you notice differences in the email address (check it letter by letter) between the From / Envelope-from fields and the Return-Path or Reply-To fields, that message is very likely to be phishing.

The real sender, the attacker in this case, is the one who sent the phishing message, not the impersonated "firm/company" from point 1).

3) Links in the form of buttons or text inside the message
The links in a phishing message can open pages that look like real ones.
They may display a login form or a form asking you to fill in personal details.

4) Attachments
Attachments in the message may be files with legitimate-looking or visually familiar extensions that are nevertheless infected.
Once opened, attachments can automatically run instructions, open pages or links, and download further viruses.

5) Any other elements in that email message that raise your suspicions.
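
The header comparison from point 2 can be automated on a message saved from "View Source". The script below is an added example, not part of the original article; it uses Python's standard email module, and the sample message and all addresses in it are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample message (not a real email); every address is made up.
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
Reply-To: "Bank Support" <support@examp1e-bank.example.org>
From: "Example Bank" <support@example-bank.example.com>
To: customer@example.org
Subject: Urgent: update your personal data

Please update your data within 24 hours.
"""

def addresses(msg, header):
    """Lower-cased addresses from every occurrence of the given header."""
    values = msg.get_all(header, [])
    return [addr.lower() for _, addr in getaddresses(values) if addr]

def domain(addr):
    """Part after the last '@' (the whole string if there is no '@')."""
    return addr.rpartition("@")[2]

def header_mismatches(raw):
    """Compare From with Reply-To and Return-Path, as described in point 2."""
    msg = message_from_string(raw)
    from_addrs = addresses(msg, "From")
    if len(from_addrs) != 1:
        # A missing or multi-address From cannot be compared reliably.
        return [("From", "expected exactly one address", ",".join(from_addrs))]
    sender = from_addrs[0]
    findings = []
    for header in ("Reply-To", "Return-Path"):
        for addr in addresses(msg, header):
            if addr == sender:
                continue
            same_domain = domain(addr) == domain(sender)
            kind = "different mailbox" if same_domain else "different domain"
            findings.append((header, kind, addr))
    return findings

if __name__ == "__main__":
    for header, kind, value in header_mismatches(SAMPLE):
        print(f"{header}: {kind}: {value}")
```

Legitimate mailing services also use a Return-Path that differs from From, so treat a hit as a reason to inspect the message more closely; a Reply-To on a look-alike domain is the stronger signal.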

 

Recommendations:
* We recommend that you do not open emails from unknown sources, do not access links in those messages and do not open their attachments.
* Filling out personal information in phishing forms or pages always results in willingly handing it over to attackers for their own use.
* If, however, you have already filled in your personal information and submitted it through that fake form or page, we recommend that you change your password for the service in question.
* If you are not sure about the authenticity/legitimacy of that message, you can ask for a second opinion from Hostico consultants in the technical department.
* We recommend that you also regularly consult the articles created and updated on the page of the National Cyber Security Directorate (DNSC / CERT-RO).
