- Truffle Dog Digital newsletter
Phishing Emails – What to Look Out For
Learn to spot phishing email red flags: unfamiliar senders, suspicious URLs, and awkward language.
Simple actions like forwarding phishing emails to IT help protect your organisation.
Remember, one careless click can compromise security—stay vigilant.
Following on from my previous post on how cyber attacks typically unfold, I recently received a classic phishing email. This post is a breakdown of that email to help you recognise phishing warning signs if you're not already familiar.
As a reminder, "phishing" is a play on "fishing" – cybercriminals cast thousands of hooks (emails), hoping one of us (the "fish") will take the bait by typing our username and password into a fake page they control. The "ph" in phishing actually comes from "phreaking" (a blend of "freaking" and "phone"), referring to the origins of hacking in the '70s and '80s when people exploited security flaws in telephone systems to make free calls. This naturally evolved into computer hacking as the digital age progressed.
Here's a real example of an inbound phishing email to help you learn to identify these types of scams.
Spotting Red Flags
The aim of this email is to lure you into clicking on a link that would take you to the cybercriminals' website (designed to look like a legitimate Microsoft security page). There, they hope you'll enter your username and password, believing you're resetting your credentials. Unfortunately, I couldn't get a screenshot of the phishing site itself, as it had already been taken down – a good outcome.
Let's examine the suspicious elements of this email that stand out.
1. Suspicious Sender Address
The email comes from an address outside my organisation, and I have no idea who or what "dankoen" is. This is the first red flag – legitimate security emails should come from a recognisable, internal address.
2. Unusual Message Formatting
The "message 106" detail is outside the usual format you'd see in legitimate emails. Although this attempt is relatively poor, more sophisticated attackers can cleverly disguise email addresses and other details to appear more legitimate.
3. Verifying Email Details
When I'm unsure about an email's validity, I use the "view message details" feature to check the underlying information, revealing the true origin of the email. If you don’t recognise the address as internal, it’s likely a ruse.
Another red flag is the button itself. It asks you to reuse your old password, something a legitimate security alert would never do – most systems prevent you from using the same password twice. You’ve probably experienced this restriction before in real password reset processes.
5. Suspicious URL
The third major indicator is the URL (web address) the link directs you to. If the domain isn't your organisation's (for example, www.truffledog.au in my case), it’s a red flag. Even though this specific site was taken down, you can see from the address "eastertonfarm.co.uk" that something isn’t right.
As a side note, this type of phishing attack is likely conducted by hackers who gained access to someone else’s website infrastructure (like eastertonfarm.co.uk) and are using it to mask their activities. It's unlikely that the owners of Easterton Farm are directly involved.
6. Time Zone Discrepancies
Another subtle cue is the sender's time zone, which differs from mine. For them, it's the 7th of July, whereas it’s the 8th for me. This can be a red flag, especially if the supposed sender is from your own organisation and should be in the same time zone.
7. Awkward Wording
The phrasing in the email, like "Email Request - Notice Today," is clunky and unnatural. Real security alerts usually have clearer, more professional wording, without stating the obvious.
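The checks from points 1, 5 and 6 above (sender address, link domain, time zone) can be run against the raw message that "view message details" exposes. The following Python is an added example, not part of the original post; the sample message, its year, the sender domain `sender.example`, the URL path and the UTC+10 offset are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime
from urllib.parse import urlparse

ORG_DOMAIN = "truffledog.au"   # the reader's own domain, as named in the post
EXPECTED_OFFSET_HOURS = 10     # assumption: the organisation works in UTC+10

# Constructed sample: year, sender domain and URL path are placeholders.
SAMPLE = """\
From: IT Security <dankoen@sender.example>
To: staff@truffledog.au
Subject: Email Request - Notice Today
Date: Sun, 07 Jul 2024 18:05:00 -0400

Your password expires today (message 106).
Keep same password: https://eastertonfarm.co.uk/placeholder-path
"""

def in_domain(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def red_flags(raw, org_domain=ORG_DOMAIN, offset_hours=EXPECTED_OFFSET_HOURS):
    msg = message_from_string(raw)
    flags = []
    # Point 1: sender address outside the organisation.
    addr = parseaddr(msg.get("From", ""))[1]
    if not in_domain(addr.rpartition("@")[2], org_domain):
        flags.append(f"external sender: {addr}")
    # Point 5: links whose host is not the organisation's domain.
    body = "".join((p.get_payload(decode=True) or b"").decode("utf-8", "replace")
                   for p in msg.walk() if not p.is_multipart())
    for url in re.findall(r"https?://[^\s\"'<>]+", body):
        host = urlparse(url).hostname
        if not in_domain(host, org_domain):
            flags.append(f"external link: {host}")
    # Point 6: Date header missing or written in an unexpected time zone.
    try:
        sent = parsedate_to_datetime(msg.get("Date", ""))
        offset = sent.utcoffset()
    except (TypeError, ValueError):
        offset = None
    if offset is None or offset.total_seconds() != offset_hours * 3600:
        zone = "missing" if offset is None else sent.strftime("%z")
        flags.append(f"unexpected time zone: {zone}")
    return flags

if __name__ == "__main__":
    print("\n".join(red_flags(SAMPLE)))
```

An empty result does not prove a message is legitimate, because the From and Date headers are set by the sender and can be forged.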
What to Do If You Receive a Phishing Email
Instead of just ignoring phishing emails, forward them to your helpdesk team. They can alert others in the organisation to be cautious, reducing the chance that someone else falls for the scam.
Remember, it only takes one person in your organisation to click a link and provide their credentials for a cybercriminal to gain a foothold. Every preventative action, no matter how small, helps strengthen the overall security of your organisation.
Andrew Walker
Technology consulting for charities
https://www.linkedin.com/in/andrew-walker-the-impatient-futurist/