An Annotated Field Guide to Identifying Phish

Originally published at: An Annotated Field Guide to Identifying Phish - TidBITS

Phishing is one of the main ways that attackers breach corporate systems and compromise individual accounts. Follow along as Adam Engst walks you through six representative phishing messages and explains what aspects of them should trigger warning bells.

1 Like

Coincidental article timing for me.

As it happens, for the last couple of months my outlook.com email account has been getting endless phishing emails daily (10-20 throughout the day) from similar-sounding sources (e.g., one is “m ic ro soft” type things, another is various suppliers of air fryers I apparently keep “winning” and need to claim ASAP, or shipping to pay for [the obvious ones around at the moment]!). They’ve been driving me nuts.

Regardless of whether they arrive into my Inbox or into Junk, I keep going to the Outlook email website, and marking them as ‘Phishing’ in there for the last couple of weeks in an attempt to get Microsoft to notice them and perhaps do something, but they don’t seem to be curtailing them at all.

Aaaraaagh?!?

In November and December I got loads of obvious phish, mostly through my ATT/Yahoo account. When my wrist got tired of swipe-Delete I decided to create filters. These have been great for repetitive patterns (many emails offer the same product or service) but there have been 2-3 dozen different types of phish to “fry.” Most of this problematic “school” have swum off somewhere else but I realize that security requires this “Old Man and the Sea” to maintain constant vigilance. Thanks for your basket of fresh tips, Ace!

1 Like

I wonder if chat AI will help construct more readable text in future phishing attacks.

1 Like

Since I access email through a Web interface (mail.yahoo.com), as many other folks do, it is instantly obvious that any claim that my email software is (or is about to become) outdated must be coming from a phisher. AT&T manages and maintains the Web interface without any intervention on my part.

This may be somewhat tangential, but I’ve recently been getting phishing attempts via Apple Messages, purporting to be from UPS or USPS, and telling me that they attempted delivery and were unable to deliver and I should click a link to reschedule or arrange pickup.

Like Adam’s examples, these are pretty easy to spot due to poor use of English and the fact that they said they attempted delivery at 3am. Never mind that I hadn’t ordered anything or was expecting any deliveries. Trashed the text and blocked that sender.

I don’t know how the scam is supposed to work, but presumably they are looking for personal data to use in other scams. Beware.

Names and email addresses munged. I am ABCD.

On — 2022, at 6:53 AM, <JKLM@xyzt.com> wrote:

Hi, Let me know you got my email.

On — 2022, at 7:00 AM, <ABCD@bigmail.com> wrote:

Yep, got it a few minutes ago.

ABCD

On — 2022, at 7:03 AM, <JKLN@qrst.com> wrote:

Re favor request

I’m so glad I got your email actually I’m trying to get a google play gift card as a birthday gift for my (family member) . It’s his birthday but i can’t do this now because I’m currently OUT OF TOWN and the stores around here are out of stock and i tried purchasing online but unfortunately no luck with that. Can you get it from any outlet around you? I’ll pay back as soon as I am back? Kindly let me know if you can handle this?

Await your urgent email.

Thanks JKLM

++++
NO, I did not fall for it, and later got ahold of JKLM since it was NOT something they would do.

But note just how fast I got the response phishing email.

The rest of the story follows (Cliff’s Notes version), after several hours of background work, checking IPs etc. plus comm with a few others.

1) JKLM and myself are casual friends in a retirement community; we rarely comm via email.
2) Others had gotten similar from JKLM.
3) JKLM was unaware.
4) Turned out one of the others who had gotten similar had previously had their Outlook contacts hacked/phished and had been in normal email contact with ABCD and some of the others who had gotten similar to myself.
5) Retirement communities are superior phishing grounds.

As far as I (we) have found out so far, no one fell for the scam.

Suggest that those who have relatives in similar communities take the time to notify, explain, and suggest they use two or three emails, some for only significant stuff and one for casual conversations.

One thing I’ve also seen is phishing through Facebook. This provides an advertisement for a company with a special sale. The link takes you to a website that is definitely not associated with the real company, and has excellent prices, like 80% off. I assume that if you buy something it won’t actually buy anything but record credit account details or PayPal, which will then be used to perform fraudulent transactions.

While I was writing that, got a text informing me that my mobile phone number had changed at a bank, that I don’t have a relationship with, and asking me to ring a number.

With regard to the ‘Paypal’ phishing email, last November I received the following text in an email that appeared to come from PayPal:

Hi Peter [& my real surname],
DEVONIA ROSS sent you a money request

NOTE FROM DEVONIA ROSS:

ALERT: SUSPICIOUS ACTIVITY ON YOUR ACCOUNT AMOUNT £989. 99 GBP DEBITED FROM YOUR ACCOUNT, IF YOU DIDN’T AUTHORISE THE TRANSACTION CALL US AND STOP THE PAYMENT IMMEDIATELY @+44-800-260-5986

This was followed by a very long Pay Now link! I was sure this was a phishing attempt, although examination of the real headers didn’t show any telltale signs such as .ru domains! However, rather than just trashing it or reporting it to SpamCop I separately logged in to my PayPal account, only to discover that the payment request had indeed been made, but when I clicked on the Cancel button after my independent login it merely threw up an Error code, causing mild panic, so I rang the number given, +44 800 260 5986. The man who answered, in what sounded like a busy Indian call centre, instead of promptly cancelling the fraudulent payment request asked me ever more ‘security’ questions requiring full details of both my bank cards linked to my PayPal account, expiry dates and even the CVV numbers from the back, and still this wasn’t enough, he wanted my place of birth and my mother’s maiden name. After 32 minutes I was so suspicious of these questions and lack of action in cancelling the payment request I disconnected, rang my bank and cancelled both payment cards. At one point in the call to PayPal we were disconnected and I was rung back. Could the return call have been from a scammer? It sounded as if from the same Indian call centre.
Three hours after the large payment request was made a mysterious credit of $1.26 was made into my account, from someone else I had never heard of. This had the effect of blocking my attempt to close my PayPal account until I reversed this transaction. I was able eventually to cancel the payment request online and close my PayPal account. Has anyone else been asked such a large number of ‘security’ questions by PayPal? I then changed my email password as a precaution as I could not understand how such a payment request could have been possible to make and I think it incredible that PayPal should simultaneously flag up a suspicious payment request while incorporating into the warning email a Pay Now link for that payment!

Thank you to Adam for such a thoroughly researched and useful article about phishing emails.

1 Like

I have yet to see a single corporate email that would actually require clicking on a link in the email. Actual corporate email that requires action for me always means I can trigger that action by going to that company’s website, logging in on their user portal, and then triggering the action from there. That way it’s me who initiates the communication and I know who I’ve gotten in contact with.

I’m tempted to claim there are no legit corporate emails that would require you click on anything within that email.

I do get legit emails with embedded links. But they’re usually from colleagues at work (or perhaps friends/relatives) linking to a document on our Google share or some other internal document managing system. Those emails are from known colleagues, usually come expected or at least with accompanying personalized body text that make them credible, and look entirely different from any corporate or phishing type email.

Good article, @ace. Appreciate the examples and advice.

2 Likes

Another clue to phishing can often be seen by looking at the link addresses of the sender, reply to, and embedded links, as can easily be done in Apple Mail.

Another example is receiving emails from people you know with their suggestion to click on an embedded link. Even though the ‘friend’s’ name appears in the From field, inspecting the From link is usually a giveaway. Another clue, often used, is a list of other people in the cc: field, some of whom you may recognize as friends of the alleged sender. I figure this is an indication the real sender’s email has been hacked and the spammer is sending the email to everyone in the sender’s address book… time for the real user to change their email password…

This is certainly true, however, everybody should keep in mind that the From: in any email can easily be spoofed. And by easily, I mean pretty much anybody equipped with the right email client and SMTP server. It does not require any fancy “hacking” whatsoever. In fact many people do this routinely because they choose to send email from one account but supply their From: as coming from the other.

So always be suspicious of what it says under From:.

If you inspect the header and follow the SMTP path of an incoming email, using simple tools such as nslookup or host, you’ll easily recognize when Uncle Will’s email that claims to be coming from his Google account actually originated from freepornXXX169 registered in Russia. :wink:

1 Like
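One way to automate the header check the previous post describes, as an added example that is not part of this thread: parse the Received: chain bottom-up and compare the originating hop with the domain the From: line claims. The message headers are constructed for the example, and the nslookup/host reverse lookups the post mentions are left out so it runs offline.

```python
import email
import email.utils
import re

# Constructed sample (not a real capture): From: claims a Google account, but
# the oldest Received: hop shows the message entering an unrelated relay from
# a host with no reverse DNS ("unknown").
RAW_MESSAGE = b"""Return-Path: <bounce@example.net>
Received: from mx.example.com (mx.example.com [192.0.2.10])
\tby mail.bigmail.example (Postfix) with ESMTPS; Mon, 16 Jan 2023 07:03:00 -0500
Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby mx.example.com (Postfix) with ESMTPS; Mon, 16 Jan 2023 07:02:58 -0500
Received: from [203.0.113.44] (unknown [203.0.113.44])
\tby relay.example.net (Postfix) with ESMTPA; Mon, 16 Jan 2023 07:02:55 -0500
From: Uncle Will <uncle.will@gmail.com>
To: abcd@bigmail.example
Subject: Re favor request

Let me know you got my email.
"""

HOP_RE = re.compile(r"from\s+(\S+)\s+\((.*?)\)\s+by\s+(\S+)")

def address_domain(header_value):
    """Domain part of the address in a From:/Return-Path: header, lowercased."""
    _, addr = email.utils.parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def received_chain(msg):
    """Received: headers as (from_host, comment, by_host) tuples, oldest hop first."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        match = HOP_RE.search(" ".join(value.split()))  # unfold the header
        if match:
            hops.append(match.groups())
    return hops

def header_warnings(raw):
    """Return the reasons the SMTP path does not match the claimed sender."""
    msg = email.message_from_bytes(raw)
    from_domain = address_domain(msg["From"])
    rp_domain = address_domain(msg["Return-Path"])
    warnings = []
    if rp_domain and rp_domain != from_domain:
        warnings.append(f"Return-Path domain {rp_domain} differs from From: {from_domain}")
    hops = received_chain(msg)
    if hops:
        origin, comment, first_relay = hops[0]
        if "unknown" in comment:
            warnings.append(f"originating host {origin} has no reverse DNS (marked 'unknown')")
        if from_domain and not first_relay.endswith(from_domain):
            warnings.append(f"first relay {first_relay} is not a {from_domain} server")
    return warnings
```

Received: headers above the originating hop are added by servers you can trust more the closer they are to your own mailbox; the oldest hop is the one a spoofer controls, which is why the check starts there.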

Just saw this bit of news:

When I worked for a corporation that sent emails to its customers, this was policy. No clickable links to pages that required authentication. We also sent PSA emails from time to time informing our customers “XYZ Bank will never send you an email with a login link”. Can’t say this is followed 100% by other companies, but it does seem to be followed pretty broadly, especially among larger ones.

2 Likes

Identifying Phish

And here I was intrigued that Adam chose to focus on a rock band and how to identify something about them? I thought it had to do with the various iTunes/Music/Apple Music discussions going on. (The band came before the scam: Wikipedia: Phish is an American rock band formed in Burlington, Vermont, in 1983.)

1 Like

Simon, thanks for the enlightening edumacation on the matter. Sure is the wild, wild west out there. Gratefully, I’ve acquired a bit of a ‘spidey-sense’ and am pretty cautious about taking the bait from phishermen.

Cheers

The best way to fight phishing attacks is to get a password manager like 1Password and use it.

You can’t use clues any more. Phishing has gotten good. Phishing attacks will use misspellings like replacing an “m” with an “rn”. https://amex.com looks very similar to https://arnex.com. Or even get a security certificate. Sometimes Cyrillic characters that look like Latin characters are used in domain names.

However, if you go to a website, are asked to log in, and 1Password doesn’t automatically fill it in, you’re being phished.
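To make the look-alike domain trick above concrete, here is an added example (not from the post): a small Python checker that decodes punycode (xn--) hostnames, flags labels that mix Latin and Cyrillic letters, and collapses “rn”-for-“m” style substitutions before comparing a host against a trusted list. The trusted set and the confusable tables are assumptions and deliberately small.

```python
import unicodedata

# Constructed list of domains the user actually does business with (assumption).
TRUSTED = {"amex.com", "paypal.com", "microsoft.com"}

# Latin letter pairs that render like a single different letter (arnex -> amex).
CONFUSABLE_PAIRS = {"rn": "m", "vv": "w", "cl": "d"}

# A few Cyrillic letters that look identical to Latin ones, mapped to Latin.
CYRILLIC_TO_LATIN = str.maketrans("\u0430\u0435\u043e\u0440\u0441\u0445\u0443", "aeopcxy")

def to_unicode(host):
    """Decode a punycode (xn--) hostname to Unicode; other hosts pass through lowercased."""
    try:
        return host.encode("ascii").decode("idna").lower()
    except UnicodeError:
        return host.lower()

def scripts_in(label):
    """Set of scripts (first word of each letter's Unicode name) used in one label."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}

def skeleton(host):
    """Collapse look-alike sequences and letters so visually similar hosts compare equal."""
    for seq, single in CONFUSABLE_PAIRS.items():
        host = host.replace(seq, single)
    return host.translate(CYRILLIC_TO_LATIN)

def assess_host(host, trusted=TRUSTED):
    """Return a list of findings; an empty list means no look-alike was detected."""
    uni = to_unicode(host)
    if uni in trusted:
        return []
    findings = []
    for label in uni.split("."):
        scripts = scripts_in(label)
        if len(scripts) > 1:
            findings.append(f"label '{label}' mixes scripts {sorted(scripts)}")
    for good in sorted(trusted):
        if skeleton(uni) == skeleton(good):
            findings.append(f"'{uni}' looks like trusted domain '{good}'")
    return findings
```

A password manager does this comparison implicitly by matching the exact saved host, which is the point the post makes; the checker just shows what that matching protects against.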

I had the same feeling, Jack. Followed closely by “Hmm, “phish” as a noun, but not referencing the band, that is suspicious syntax, it might not be from TidBITS.”

This isn’t always true. I have several sites where I’ve set up an account, but the login uses a different URL (like login.account.com or some such variation) so 1P won’t automatically fill in the password. I have to choose it manually from within 1P.

I suppose I could set up a duplicate entry in 1P with the secondary URL, but then if I ever change the password I have to remember to do it in both places. (And most of the time my login is via FaceID, so it’s not an everyday hassle.)

If the 1Password URL is https://login.foo.com, 1Password won’t automatically log in unless the URL is https://login.foo.com. However, if the 1Password URL is just https://foo.com, 1Password will automatically log in if the URL is https://foo.com, https://login.foo.com, or https://admin.foo.com.

When I create a new password, I’ll make sure I set the URL to the base URL with no subdomains.

You can add multiple URLs in 1Password. For example, 99 Percent Invisible can be either https://99percentinvisible.org or https://99pi.org.

2 Likes