10 Red Flags of Email Phishing

What is Email Phishing?

Email phishing is a technique used by digital adversaries to steal credentials, deliver malware, or otherwise gain a foothold on a target's systems. Examples can be found as early as the mid-1990s, and email phishing remains one of the most widely used initial-access techniques to this day. Adversaries rely on social engineering in phishing emails to trick their targets into opening an attachment, clicking a link, or handing over information. It is usually easier (and cheaper) for a threat actor to get in through an end user than to break in through a technical vulnerability.

However, individuals without a background in security can still help identify potential phishing attacks. Technical controls such as mail filtering and attachment scanning offer some protection, but recognizing phishing at the user level is just as important, because some messages will always get through. Let's examine the red flags of a potential email phishing attack.

1. The Email Address

Threat actors often compose their phishing emails to appear as if they are coming from an existing contact. You are more likely to open an email and not question its contents if it appears to come from someone you know. Adversaries can forge the display name or the From header outright, or register a lookalike domain that differs from the real one by a character or two. The example below shows the lookalike-domain approach.

Here is one example:

Organization Name: ABC Tech
Email Sent From: Jessica McCowen
Real Email Address: JessicaMcCowen@ABCTech.com
Spoofed Email Address: JessicaMcCowen@AABCTeck.com

At a brief glance, the fake domain may go unnoticed, allowing the email to slip under the radar. While the name of your contact is legitimate, the alternate domain is the red flag.

What You Can Do

The first step is to compare the sender's email address against your known contacts. Check your email contacts and/or your company directory to be sure the email was sent from a legitimate contact.

After the contact is verified, compare the email addresses (and especially the domains) for discrepancies. If there is any difference, report the email to your security team so they can investigate it further. Another step you can take is to call the sender directly, using a phone number you already have rather than one from the email, and ask whether they sent it. Performing these simple checks will help keep your mailbox and your organization a little safer.
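The checks described in this section can be automated for a mailbox or a triage queue. The following is an added example written for this article, not code from the original page or from DigiTrust: it parses a raw message, compares the sender's display name and address against a known-contact directory, measures how far the sender's domain is from each known domain (the AABCTeck.com versus ABCTech.com case is two edits apart), and also flags a Reply-To domain that differs from the From domain, which is a common way replies get redirected to the attacker. The contact directory and both sample messages are constructed for illustration.

```python
"""Screen a message's sender against a known-contact directory.

Added example: the directory and sample messages below are constructed
for illustration and are not taken from any real mailbox.
"""
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed contact directory: display name -> the address you have on file.
KNOWN_CONTACTS = {
    "Jessica McCowen": "JessicaMcCowen@ABCTech.com",
}

# Constructed lookalike message: right name, wrong domain, redirected replies.
SUSPICIOUS_MESSAGE = """\
From: Jessica McCowen <JessicaMcCowen@AABCTeck.com>
Reply-To: billing@mail-relay.example
To: you@abctech.com
Subject: Updated invoice

Please see the attached invoice.
"""

# Constructed legitimate message from the address on file.
LEGIT_MESSAGE = """\
From: Jessica McCowen <JessicaMcCowen@ABCTech.com>
To: you@abctech.com
Subject: Updated invoice

Please see the attached invoice.
"""


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address):
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def check_sender(raw_message, contacts=KNOWN_CONTACTS):
    """Return a list of human-readable red flags for From/Reply-To."""
    contacts = {n.strip().lower(): a.lower() for n, a in contacts.items()}
    msg = message_from_string(raw_message, policy=policy.default)
    flags = []

    name, addr = parseaddr(str(msg.get("From", "")))
    addr = addr.lower()
    sender_domain = domain_of(addr)

    # 1. Display name belongs to a known contact, but the address differs.
    expected = contacts.get(name.strip().lower())
    if expected is not None and addr != expected:
        flags.append(f"display name '{name}' matches a contact but address "
                     f"{addr} is not the address on file ({expected})")

    # 2. Sender domain is a near-miss of a domain we already trust.
    for known in {domain_of(a) for a in contacts.values()}:
        d = levenshtein(sender_domain, known)
        if 0 < d <= 2:
            flags.append(f"sender domain {sender_domain} is {d} edit(s) "
                         f"away from known domain {known}")

    # 3. Replies would go somewhere other than the apparent sender.
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1].lower()
    if reply_to and domain_of(reply_to) != sender_domain:
        flags.append(f"Reply-To domain {domain_of(reply_to)} differs from "
                     f"From domain {sender_domain}")
    return flags


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_MESSAGE), ("legit", LEGIT_MESSAGE)):
        print(label, check_sender(raw) or ["no flags"])
```

The edit-distance threshold of two is a starting point: it catches doubled letters and single swaps like the example above, while an unrelated domain produces no lookalike flag and is left to the display-name check.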

2. Email Attachments

Digital adversaries use attachments to deliver malware and other malicious payloads. Almost any type of file can be attached to an email, and most people are conditioned to open whatever arrives. Adversaries may model an attachment on ones you routinely receive, such as a resume or an invoice. You should be cautious with attachments and take a few precautionary steps before opening any document.

What You Can Do

The first thing you can do is examine the attachment's name and file type for discrepancies. If the name or format does not match what you expected, it is better to be cautious. After verifying the sender, contact them directly and confirm the time the email was sent, the attachment name, and the file type.

Possible discrepancy example: DavisSmithInvoice.PDF (what you expected) vs. newInvoice1.Docx (what arrived).

You should also check that the program icon and the file extension match. Every file type has a default icon and an extension, such as a Word document, PDF, or zip file. The icon is chosen from the extension, and an executable can carry whatever icon its author embeds, so a file that shows a PDF icon but ends in .exe, or is described as a Word document but arrives as a .zip or .exe, should be treated as suspicious. Be aware that Windows hides known extensions by default, so a file named Invoice.pdf.exe can be displayed as just "Invoice.pdf"; when in doubt, view the full file name before opening anything.


A standard Word document carries the extension .docx (or .doc). An attachment presented as a Word document but carrying a different extension (such as .pdf or .exe, or a doubled one like .docx.exe) could be hiding a malicious payload.

3. Provided Links

Most people have opened emails containing a link to a product, an invoice, or a payment page. Threat actors exploit this habit either to harvest your credentials or to get you to download a malicious payload. If you click a link and land on a page asking you to "sign in" with your email or social media account, this is a red flag: a legitimate invoice or form rarely needs your mail password. When receiving a link to an invoice or a downloadable form, it is better to be cautious. Double check that the URL has taken you to the site you expected, not merely a page that looks like it.


What You Can Do

You can train yourself not to assume every site or link you visit is legitimate. Hover over a link (without clicking) to see where it actually points; the text you can read and the address it leads to can be completely different. If a link looks like a Flash Player update but the URL reads www.updateEEE.com, close it and do not proceed. Any time you need a software update, it is safer to go to the vendor's site directly (such as Adobe.com) and look for the update there.

4. Grammar & Structure

The structure of an email can be a telltale sign that an adversary is phishing. An email with mangled tenses, transposed words, or vague generalities where specifics belong should be a red flag. In a business context you will rarely receive a message that omits a name, a company, or a specific subject. If you spot these grammatical or structural errors, don't disregard them; they may be indicators of a phishing attempt.

What You Can Do

If you do not know the sender, the context, or even what the email is directly referring to, you should contact your security provider to examine the email. Security experts can investigate phishing emails to gather valuable threat intelligence about who may be targeting your organization.

5. Enabling Macros

Sometimes a Word document (for example) contains content that is only viewable by “enabling macros.” Microsoft Word will prompt you to perform this action with the notification below.

[Image: Microsoft Word's security warning bar with the button that enables macros]

A macro can be written to run automatically as soon as the document opens with macros enabled, so the single click that enables them is what launches the malicious code, frequently a small downloader that fetches the real payload. This is one way threat actors trick you into installing malicious software on your system. In the Kill Chain, this step is called "exploitation."

What You Can Do

If you are prompted to enable macros, ask the (verified) sender for another version of the file that does not require it. A document that only needs to be read almost never needs macros to display its content. Again, check the body of the email and the relevance of the attachment before opening anything, and contact the sender directly to confirm there is a reason for the macros. Nothing is 100%, but it is better to be safe than to assume.
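Sections 2 and 5 both come down to looking at an attachment before anyone opens it. The following is an added example written for this article, not code from the original page or from DigiTrust: it flags double extensions such as .pdf.exe, compares the extension against the file's leading bytes (PDFs start with %PDF-, Office Open XML documents are ZIP containers starting with PK, Windows executables start with MZ), and, for ZIP-based Office files, looks for the vbaProject.bin part that holds a VBA macro project. Every sample file is constructed in memory for the demonstration.

```python
"""Inspect an attachment's name and content before it is opened.

Added example: the sample attachments are constructed in memory for
illustration and are not real files from any mailbox.
"""
import io
import zipfile

# Leading bytes ("magic numbers") that identify common attachment types.
MAGIC = {
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",        # also .docx/.xlsx/.pptx (Office Open XML)
    b"MZ": "exe",                # Windows PE executable
    b"\xd0\xcf\x11\xe0": "ole",  # legacy binary .doc/.xls/.ppt
}
OOXML_EXTENSIONS = {"docx", "docm", "xlsx", "xlsm", "pptx", "pptm"}
EXECUTABLE_EXTENSIONS = {"exe", "scr", "js", "vbs", "bat", "cmd", "hta", "lnk", "ps1"}
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}


def sniff(data):
    """Guess the real file type from its first bytes."""
    for prefix, kind in MAGIC.items():
        if data.startswith(prefix):
            return kind
    return "unknown"


def has_vba(data):
    """True if a ZIP-based Office file carries a VBA project (macros)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def inspect_attachment(filename, data):
    """Return a list of red flags for one attachment (name plus bytes)."""
    flags = []
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""

    # Invoice.pdf.exe: the visible part says document, the real type is code.
    if len(parts) > 2 and parts[-2] in DOCUMENT_EXTENSIONS:
        flags.append(f"double extension: looks like .{parts[-2]} but is .{ext}")
    if ext in EXECUTABLE_EXTENSIONS:
        flags.append(f"executable/script extension .{ext}")

    kind = sniff(data)
    if ext == "pdf" and kind != "pdf":
        flags.append(f"named .pdf but content looks like {kind}")
    if ext in OOXML_EXTENSIONS and kind != "zip":
        flags.append(f"named .{ext} but content is not an Office Open XML container ({kind})")
    if kind == "exe" and ext not in EXECUTABLE_EXTENSIONS:
        flags.append(f"content is a Windows executable despite .{ext} extension")
    if kind == "zip" and has_vba(data):
        flags.append("document contains a VBA macro project")
    return flags


def make_ooxml(with_macros):
    """Build a minimal Office Open XML-style ZIP (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


# Constructed samples: name -> bytes.
SAMPLES = {
    "DavisSmithInvoice.pdf": b"%PDF-1.7\n%constructed sample\n",
    "newInvoice1.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "Report.docx": b"MZ\x90\x00" + b"\x00" * 60,
    "Quote.docm": make_ooxml(with_macros=True),
    "Agenda.docx": make_ooxml(with_macros=False),
}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, inspect_attachment(name, data) or ["no flags"])
```

The macro check deliberately flags legitimate .docm files too: the advice in this section is to ask for a macro-free copy, so any document that arrives by email carrying a VBA project is worth a second look regardless of its extension.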

6. Malicious URLs

Let's examine the use of a spoofed or lookalike URL more closely. If a threat actor wanted to send you a malicious link pretending to be PayPal, they could not use the real domain, www.PayPal[.]com, because they do not control it. What they can do is register a domain that looks similar, such as Pay-Pal-info[.]com or PayyPall-info[.]com (domain names allow letters, digits and hyphens, so the brand is usually padded with hyphens or extra words). Another common trick is to put the real brand in a subdomain of a domain they own, such as paypal.com.account-verify[.]example. If you are not paying attention, these fake URLs can pass as the real thing, and following one can lead to a credential-harvesting page or a malware download.

What You Can Do

Checking the legitimacy of a URL is not too complicated. Open a new browser window, search for the company's homepage, and note the organization's real domain (PayPal, Adobe, etc.). Read a link's domain from right to left: the registered domain is the part immediately before the top-level domain (paypal[.]com), and everything to the left of it is a subdomain controlled by whoever owns that registered domain. So paypal.com.account-verify[.]example belongs to account-verify[.]example, not to PayPal. Legitimate pages and updates will stem from the real domain (PayPal.com/info); a link whose registered domain differs, however familiar the rest looks, is a red flag.
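The link checks in sections 3 and 6 can be expressed as code that runs over an HTML email body. The following is an added example written for this article, not code from the original page or from DigiTrust: it collects every link, extracts the registered domain from the destination, and flags the three tricks discussed above, a lookalike or unrelated registered domain, the real brand buried in a subdomain, and a "user@host" prefix that puts the real brand before an @ so the actual host comes after it. It also notes punycode (xn--) labels, which can hide look-alike characters, and reports when the visible link text names a different host than the destination. The brand allowlist and the message body are constructed for illustration, and the two-label rule for the registered domain is an approximation (a real tool would consult the Public Suffix List for TLDs like co.uk).

```python
"""Compare where each link in an HTML email says it goes with where it goes.

Added example: the allowlist and message body are constructed for
illustration; the punycode label is made up to show the xn-- prefix.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed allowlist: brand -> registered domains the brand controls.
TRUSTED = {"paypal": {"paypal.com"}, "adobe": {"adobe.com"}}

# Constructed phishing body: three links, two of them deceptive.
SAMPLE_BODY = """
<p>Your account is limited. Restore access:
<a href="https://www.paypal.com@pay-pal-info.com/login">https://www.paypal.com/login</a></p>
<p>Or use <a href="https://paypal.com.account-verify.example/">Secure PayPal Login</a></p>
<p>Help center: <a href="https://www.paypal.com/help">www.paypal.com/help</a></p>
"""


def registrable_domain(host):
    """Last two labels of a hostname (approximation; see Public Suffix List)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def hostname_in_text(text):
    """If the visible link text looks like a URL or bare domain, return its host."""
    t = text.strip()
    if " " in t or "." not in t:
        return None
    return urlsplit(t if "://" in t else "//" + t).hostname


class LinkCollector(HTMLParser):
    """Gather (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None


def check_link(href, text, brand=None):
    """Return red flags for one link, optionally against a brand allowlist."""
    flags = []
    u = urlsplit(href)
    host = u.hostname or ""
    actual = registrable_domain(host)

    # https://www.paypal.com@evil.example/ : the host is what follows the @.
    if u.username is not None:
        flags.append(f"userinfo before @ hides the real host: {host}")
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode label in host (possible look-alike characters)")
    shown = hostname_in_text(text)
    if shown and registrable_domain(shown) != actual:
        flags.append(f"link text shows {shown} but points at {actual}")
    if brand and actual not in TRUSTED.get(brand, set()):
        flags.append(f"{actual} is not a registered {brand} domain")
    return flags


def check_html(body, brand=None):
    """Map each href in the body to its list of red flags."""
    collector = LinkCollector()
    collector.feed(body)
    return {href: check_link(href, text, brand) for href, text in collector.links}


if __name__ == "__main__":
    for href, flags in check_html(SAMPLE_BODY, brand="paypal").items():
        print(href, flags or ["no flags"])
```

Passing the brand is what turns "this domain is unfamiliar" into "this is not PayPal"; without it the function still catches the userinfo trick and mismatched link text, which need no allowlist at all.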

7. Personal Information Requests

Information is what threat actors are usually after. Any piece of information obtained can potentially lead an adversary to another point of access. Information like your mailing address, passwords, or account numbers should not be sent over email. Threat actors can use even small pieces of information, such as a zip code, and leverage that information against you.

What You Can Do

You should never provide personal information, account numbers, or passwords over email; the exceptions are very few. If an adversary obtains your personal data, they can pivot and use it to target your colleagues and other connections in your network.

8. Assuming to Know You

An email welcoming you to a new organization or claiming to be “John in sales,” could be an adversary using social engineering. Most of us have experienced the feeling of trying to remember the name of somebody who seems to know us. Digital adversaries can utilize this same approach in phishing emails. You may assume the sender is someone you met in passing as you proceed with trying to assist them.

What You Can Do

You should ask who they are, plain and simple. There is nothing wrong with asking a sender to clarify who they are, who their supervisor is, or what department they are in. This is especially true if you are new to an organization with hundreds or even thousands of employees. Do not assume anything; ask for clarification as to who the sender is before proceeding.

9. Lacking Sender or Company Information

An email with a clean and robust signature can trick you into a false sense of security. If you have not heard of the company or the individual, you should not assume that either is real. How many adversaries would go through the trouble of creating a fake name, LinkedIn profile, or company website? The answer may be far more than you may think.

What You Can Do

When researching a company or an individual, you will need to do more than visit their website. Examine their social media profiles including the company and sender LinkedIn pages. Lacking or minimal company information, missing profile photos, and/or low connection counts (usually 10-50) are all red flags. If information is not readily available, chances are the email may be a phishing attempt.

Examples of potentially fake LinkedIn profiles


10. Something Just Seems “Off”

At the end of the day, you know the types of emails and messages you receive on a daily basis. If anything just feels off, treat it as if it is. When email is a staple of your business communication, you become attuned to the tone each sender uses. If a sender is usually professional and their next email is overly casual or unusually urgent, that should seem "off" to you.

If anything feels off, do not hesitate to confirm with the sender directly or contact your security team to examine a suspicious email. Taking a few precautions could keep your organization from experiencing a serious intrusion that could cost millions to recover from.

In Conclusion

Unfortunately, phishing is not going away anytime soon, so it is better to be prepared for what may come your way. As security professionals, we see the damage these phishing emails cause on a daily basis. As much as we want our clients to be protected, we also want them to be informed. Responding to an intrusion is a job for a dedicated security team, but individual vigilance reduces the likelihood of one happening at all.

A large share of intrusions still begin with an unintentional action by an individual. When it comes to spotting phishing emails, watch for these red flags and keep your security team notified of anything suspicious. In short, taking a little more time to examine your emails can help keep your organization from becoming the victim of an email phishing attack.

Want to learn more about DigiTrust's managed security services? Our experts are always available to answer your questions. You can call us directly at (310) 696-4500 or use the form below. If you are experiencing an intrusion from a phishing email, click the box below to learn more about our incident response services. Thank you for visiting The DigiTrust Group.