Is there any definitive way to tell if an email is a phishing attempt? What cues should the "average computer" user employ to detect a phishing email?
-
33If in doubt, ask the sender out of band. This is a definite solution but not very scalable. – eckes Sep 19 '17 at 20:30
-
13@eckes: I've rarely tried this, but having dealt with companies whose representatives frequently have no idea what's going on in another department, I'm far less optimistic about it being a definite solution. Actually, I just remembered a case where a very well-known bank couldn't verify a phone number on their letter, despite it turning out to be legitimate. Go figure. – user541686 Sep 19 '17 at 21:36
-
True, it won't work for high volume, low value free internet services. But then again they won't send mails which require a click (hopefully). – eckes Sep 19 '17 at 21:37
-
1The checklist below looks quite good to me, there is no reliable way to detect all. Some companies explain to you how they prove authenticity (including your account number or title) but that is a weak mechanism. Number one protection, never enter the password on a page you have not opened yourself from bookmarks or local copy of the URL. Some password managers help with that as they do not paste to different domains. – eckes Sep 19 '17 at 21:44
-
16If there were "definitive way", Mail operators would incorporate it in their spam filters. – el.pescado - нет войне Sep 20 '17 at 06:59
-
41The definitive way? Click on the link, give your personal data and wait. If something strange happens (your bank account gets depleted, your personal data is used without your consent, you get arrested for sending messages you never sent, you suddenly realize you are now subscribed to a service you never requested) then yes, it was phishing – frarugi87 Sep 20 '17 at 08:53
-
1@eckes: but if it is a phishing attempt, won't the sender (who is a crook) just lie? ;-) – Steve Jessop Sep 20 '17 at 12:46
-
22FWIW, I think the "real" answer to the X-Y problem is: do not take any action that relies for its correctness on whether or not the email you just received is a phishing attempt. That way you don't need to be able to tell the difference. For example, even if the email you just received is really from your bank, *still* don't click on links in it and then type your login details. Instead go to your bank's site, log in, and then either find a way to navigate to where the email told you to go, or as a last resort use the link in the email but *do not* log in again at its destination. – Steve Jessop Sep 20 '17 at 12:48
-
3... unfortunately this is impractical for *all* email, although it covers the usual finance/shopping phishing. If you get an email from your boss, saying, "what is the final price we are going to quote in the Jenkins pitch?", it's not really practical to *never* reply to that email without checking that the email address you're sending your answer to really is that of your boss, and not your sneaky competitor who has (for example) typo-squatted near your company domain name to create an approximation of your boss's email address. So really good spear-phishing can get you. – Steve Jessop Sep 20 '17 at 13:11
-
@SteveJessop: That's basically what my answer says. :-) But your text in the comments is more detailed/nuanced and really should be an answer itself (a better form of mine), IMO. – R.. GitHub STOP HELPING ICE Sep 20 '17 at 16:55
-
@SteveJessop well, most phishers don't answer, but that's no guarantee. However "out of band" means asking without using the reply function, dialing a stated phone number or clicking a contact form link in the suspected mail – eckes Sep 20 '17 at 21:26
-
1And just because it was not mentioned before, very little company communication uses PGP or S/MIME, which is a shame. – eckes Sep 20 '17 at 21:28
-
1Are you looking for a system with no false positives or no false negatives? – Cort Ammon Sep 20 '17 at 22:34
-
1Use white-list principle: only trust senders you know to be true. When a new sender approaches you, verify them using other channels. Always be on guard when someone approaches you wanting your personal data, credit card numbers, account name and/or password. Nobody should ask for those in an email (although your relatives or such might still ask for your current phone number, for example). In fact, if I were to redesign the email system I'd probably add some acceptance phase before email can actually be sent to the recipient. – Sep 21 '17 at 09:44
-
1@eckes: I was just joking that although you said ask "the sender", the person to ask is the *purported* sender, not the actual sender. – Steve Jessop Sep 21 '17 at 11:45
-
@SteveJessop If that is your sneaky competitor, forward it to your boss. – wizzwizz4 Sep 22 '17 at 15:51
-
The problem with any definitive method of detecting phishing is that any email which is definitively identified as NOT being a phishing attempt can actually be a prelude to a phishing attempt. – barbecue Sep 24 '17 at 23:11
12 Answers
There are a number of both technical and non-technical ways that someone can identify a phishing attempt.
Communicate out of Band. The easiest reliable way is to communicate with the proposed sender out-of-band. Call them, send them a WhatsApp message if applicable, Signal, whatever. If an organization or an individual didn't send you an email they can tell you over the phone. Just remember to use a phone number that is not included in the email.
Proofreading - Much of the spam, even a lot of spear phishing, is very poorly written. Poorly constructed sentences and spelling errors are pretty good indicators of Spam.
Hovering over links - Phishing links will typically be "obfuscated" to look like they link to a login page. For instance the text may be https://login.facebook.com however when you hover over the link you notice it's some long verbose domain name. Tell-tale phishing.
EDIT: As Mehrdad and Bacon Brad have pointed out this method may provide mixed results. Links can be used in a variety of attacks such as CSRF / XSS attacks, and the link provided may also lead to an authorized third party.
Email Headers - Perhaps one of the more tech-savvy ways of telling whether or not an email is legitimate is by looking at the E-mail Headers. E-mails contain metadata that states where emails originated from. You can usually tell by looking at the email header if an email originated from an authenticated source with these headers. Note that this is not foolproof as many organizations may outsource mail campaigns, but email coming from a private IP address could indicate a phishing email.
Macros - Does the word doc you've just been sent state you need to enable macros in order to see the document? Don't you go doing that.
Social Engineering - Many phishing email tactics will play off human emotions and employ many well known Social Engineering techniques. Statements like "You must click on this link and re-activate your bank account within 24 hours or your account will be closed" are meant to make the receiver panic. When we panic we make illogical decisions. If you feel an email is playing off your emotions you might be getting phished.
Is this normal behaviour? - Institutions are well versed in the ways of phishing and as such they are not going to ask you to click on embedded links in an email to "reset your password" or "confirm your account". If your spidey sense is tingling, probably phishing.
In my experience there is no one silver bullet in dealing with phishing. During penetration tests spear phishing always works. The above information will help you spot attempts to phish you, but the easiest and most efficient way to confirm or deny a phishing attempt is to call the "sender" to confirm if it's legitimate.
-
thanks Dknuckles - that is a comprehensive checklist! Is there a third-party tool for checking email headers? – daikin Sep 19 '17 at 19:06
-
2@daikin You shouldn't need a third party program to look at the email headers. For example, in the version of MS Outlook that we use at my office, I can go to File > Properties for a given email (double-click the email to open it in its own window) and see the headers in the dialogue panel that opens. – Steve-O Sep 19 '17 at 20:26
-
11Hovering over links doesn't necessarily work. Often legit companies have click tracking, which would defeat this. – user541686 Sep 19 '17 at 21:38
-
6I don't recommend hovering links as advice to regular end users and office staff. Instead I want them to treat all links as potentially unsafe. This is because they can either fall for https://login.facebook.com.evilurl.com/ or a XSS vulnerability of a legitimate URL. – Bacon Brad Sep 19 '17 at 22:37
-
+1 Excellent answer. Please incorporate Mehrdad and Bacon Brad's information into your answer more completely. – Dennis Williamson Sep 19 '17 at 23:57
-
3Regarding your "is this normal" point - if you just asked to reset your password or you just created your account, and they told you you'll receive a confirmation email, you should expect to receive a legitimate email possibly containing a link which you need to click on to proceed. If you didn't, it's almost certainly a phishing attempt instead. Although I have seen some shady "normal behaviour" from a number of legitimate companies, including banks. – NotThatGuy Sep 20 '17 at 00:34
-
"_but email coming from a private IP address_" how would you recognize that? – curiousguy Sep 20 '17 at 05:49
-
Isn't it also possible in HTML to manipulate the hover-over link shown when hovering an url? – JAD Sep 20 '17 at 07:51
-
1@curiousguy I've used IP WHOIS services before. This method requires a bit of savvy but if the IP address resolves to a company in Russia from an email supposedly from the IRS you can be sure it's spam. – DKNUCKLES Sep 20 '17 at 11:40
-
3For users of other mail clients and services, here's a list of explanations on how to view an email header for [Outlook, Outlook.com, Apple Mail, Horde, Roundcube, Yahoo, Gmail/Google Apps](https://kb.layershift.com/view-email-headers) and here's an instruction for [Thunderbird](https://www.lifewire.com/view-full-message-headers-thunderbird-1173106). – Tom K. Sep 20 '17 at 12:21
-
4Adding to the first point, large businesses often have phising reporting email addresses (e.g. "abuse@bank.com") - you can forward the email there and ask them to verify it for you. Remember that you should find this address by going to the business' web site, NOT by checking the email you received! – IllusiveBrian Sep 20 '17 at 19:05
-
1I received a phishing text today, which was quite clever because the link (click here to confirm your password) appeared to be legit, but a lower-case `L` in the url had been replaced with an upper-case `i`, which are impossible to tell apart by eye in an iphone text message. – James Sep 20 '17 at 21:08
-
3Although detailed header analysis requires a certain amount of tech skill, most phishing attempts fail at the first hurdle. If the "From:" header contains something like "Microsoft customer service
", you can be pretty sure the email's not genuine. (Note that the converse does _not_ hold: it's trivial to put any address you want in that header, so an "@microsoft.com" email address doesn't guarantee the email came from there. But most phishers are too stupid to do even that.) – David Richerby Sep 21 '17 at 00:11
-
1Note that another example of out of band communication is through social media. Most companies and some government departments have a support or marketing page on Twitter or Facebook which sometimes can answer questions on the matter. Things to note: 1) find a verified account if at all possible; 2) check that the account actually replies to users and doesn't just automate press releases; 3) check if someone asked the same question recently. – Nzall Sep 21 '17 at 09:13
-
3"Institutions are well versed in the ways of phishing and as such they are not going to ask you to click on embedded links in an email" - sadly, this is not true of a depressing number of institutions; Paypal, for instance, are awful at this. – IMSoP Sep 21 '17 at 13:39
-
@IMSoP, Ebay's not much better. I got a "log in to keep your account from being disabled" message, complete with suspicious-looking link, that turned out to be real. And it's not phishing, but the email alerts from my big-name bank routinely get caught by my spam filter, because they *look* like financial spam, complete with misspelled words and sequential exclamation points. – Mark Sep 21 '17 at 23:57
-
1Might I recommend `www.example.com` before some malicious person grabs up `www.somelongverbosedomainname.com`? – jpmc26 Sep 25 '17 at 08:21
-
1Good answer! I'd just rephrase "Just remember to use a phone number that is not included in the email." into "Just remember to get the phone number from a reliable source and not from the email" ( it could be that the email states the right phone number, so people can't always use a number "not included in the email"! (and shouldn't)) – Olivier Dulac Sep 25 '17 at 10:37
Does it ask you to do something that you should not do without authenticating the identity of the party who is asking you to do it? (Note that "entering a password" is such an action!) If so, you can effectively treat it as phishing regardless of the sender's motives, since email is not authenticated and thus is not a suitable means of requesting a privileged action.
-
23"email is not authenticated" -- and my efforts to get my bank manager to mutually sign PGP keys have so far been fruitless. – Steve Jessop Sep 20 '17 at 12:54
-
1@SteveJessop - In fairness to your bank manager, PGP keys are mostly for advanced users and they are the least likely to be phished. – paj28 Sep 23 '17 at 15:06
There is no perfect way to identify phishing emails, in the sense of a procedure that always successfully tells you, for any email, who sent it and why. In practice, a very large majority of actual phishing emails are fairly easily identified as such, because they're mostly quite half-assed. Some of them don't even make it to your inbox, because they're so blatantly fake that even your email provider's filter has spotted them. But there's no "definitive" set of features of the email that are possible to check every time.
Instead of trying to determine whether or not emails are phishing attempts, you should avoid taking any action that relies for its correctness on whether or not the email you received is a phishing attempt. That way you don't need to be able to tell the difference.
For example, even if the email you just received is really from your bank, still don't click on links in it and then type your login details. Instead go to your bank's site by typing a URL you remember, or using a bookmark. Then log in, and then look for a way to navigate to where the email told you to go. As a last resort because your bank's site is awful, after logging in you could use the link in the email but do not log in again at its destination, or give up any other sensitive information. But do beware that there are attacks other than phishing, which you could expose yourself to merely by visiting a malicious page and without giving up any sensitive information.
This works for the usual finance/shopping phishing attempts. Unfortunately there are cases where it is impractical. Suppose a talented spear-phisher, perhaps working for your competitor, typo-squats on a domain similar to your employer's domain, and sends an email that appears to be from your boss, using their actual email footer, saying "what price are we going to quote in the Jenkins pitch?". It's not realistic that every time you reply to a company email (dozens of times a day), you will carefully squint at the address you're sending to, to make sure it's really youremployer.com and not youremp1oyer.com, or yourempIoyer.com or (heaven forfend) youremploуer.com[*]. Your email client may or may not help you, in terms of visually indicating whether or not an email address is already in your personal address book or company directory.
The difference is that your employer, for whatever reasons, has decided that they will use email as their medium for communicating confidential information. Your bank, on the other hand, has made a different decision. The proper channel for sensitive communication to and from your bank is their website, or a phone app, or perhaps by telephone (although do not trust calls purportedly from your bank), or by post for certain things, or in person. So do not trust email that is or appears to be from your bank. Don't even trust it to link to your bank's site. Instead, consider it a prompt to use a channel you can trust.
[*] The first one is easy: digit 1 for lowercase L. The second is a little harder in many fonts: uppercase I for lowercase L. The third substitutes a lowercase Cyrillic Y for the lowercase Roman Y. If your mail client renders it at all, likely you won't be able to tell the difference by appearance.
-
1This seems like the best policy to me. It solves the problem that Paypal, for instance, send legitimate e-mails that are indistinguishable from phishing attempts (links redirecting via a third-party domain that then prompt you to log in). Checking those is just a waste of time, so "never click links" is a safer policy. – IMSoP Sep 21 '17 at 13:37
-
2My short form for this is "always originate, never accept" for communications like this outside of work. I've caught one spear phishing attempt by this, where someone got hold of my tax accountant's mailing list. I include the phone as well as email - if you called me, I'll call you back via the main switchboard at the place in question. – Joe McMahon Sep 22 '17 at 21:02
-
2@Joe: yes, I've had varying experiences of this. A security call from my credit card, I asked them how they would verify their identity, then said "hang up and call us back on the number printed on the back of your card, the switchboard will route you back to us", which was very good. Calls from banks about random sales nonsense are sometimes quite perplexed as to why I refuse to answer their security questions, although here in the UK at least, the industry as a whole is gradually learning better standards. – Steve Jessop Sep 29 '17 at 11:11
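Hover-checking links by eye is unreliable, as the comments on the first answer say, but the checks themselves can be written down. The script below is an added example, not code from any of the answers above. It pulls every anchor out of a constructed HTML body, compares the visible text with the real destination, and applies the two lookalike tricks described in the first answer and in the answer just above: a brand name buried in an untrusted domain (login.facebook.com.evil.example, www.facebook.example.com) and confusable characters (youremp1oyer.com, youremploуer.com with a Cyrillic у). The sample body, the trusted-domain list and the small confusables table are assumptions. The last sample link reproduces the click-tracking pattern legitimate senders use; it scores exactly like a phish, which is why this is a triage aid and not a verdict.

```python
"""Link inspection for an HTML email: visible text vs. real destination,
brand name buried in an untrusted domain, and confusable characters.
Added example, not code from the original answers."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body. Link 3 spells "youremployer" with a Cyrillic
# U+0443 in place of the Latin "y"; link 5 is the click-tracking pattern
# legitimate senders also use, which is why it scores like a phish.
SAMPLE_HTML = """
<p>Reset here: <a href="https://login.facebook.com.evil.example/reset">https://login.facebook.com</a></p>
<p><a href="https://www.facebook.example.com/login">Confirm your account</a></p>
<p><a href="https://youremplo\u0443er.com/pitch">youremployer.com</a></p>
<p><a href="https://www.facebook.com/settings">Settings</a></p>
<p><a href="https://mybank-mailtracking.example/click?u=123">https://mybank.example/orders</a></p>
"""

# Domains the recipient already trusts (assumption: taken from bookmarks).
TRUSTED = ("facebook.com", "youremployer.com", "mybank.example")

# Partial confusables table (assumption, not exhaustive): Cyrillic letters
# that render like Latin ones, plus 1/l, 0/o and I/l (hostnames are
# case-folded, so a capital I arrives as i).
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "l",
    "1": "l", "0": "o", "i": "l",
})


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels. Assumption: no multi-label public suffixes such as
    co.uk; real tooling should consult the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def skeleton(domain):
    """Fold confusable characters so lookalikes collapse onto the original."""
    return domain.translate(CONFUSABLES)


def analyze_link(href, text, trusted=TRUSTED):
    host = urlparse(href).hostname or ""
    reg = registrable_domain(host)
    issues = []
    if any(ord(ch) > 127 for ch in host):
        issues.append("non-ascii-hostname")
    if reg not in trusted and skeleton(reg) in {skeleton(t) for t in trusted}:
        issues.append("lookalike-of-trusted-domain")
    # Visible text that itself looks like a URL or hostname must point at
    # the same registrable domain as the real destination.
    m = re.match(r"(?:https?://)?([A-Za-z0-9.\-]+)", text)
    if m and "." in m.group(1) and registrable_domain(m.group(1)) != reg:
        issues.append("display-host-mismatch")
    if reg not in trusted:
        # Brand as a subdomain or prefix of somebody else's domain.
        if any(t.split(".")[0] in host for t in trusted):
            issues.append("brand-in-untrusted-domain")
        issues.append("untrusted-domain")
    return {"href": href, "text": text, "host": host, "issues": issues}


def inspect_email(html, trusted=TRUSTED):
    parser = LinkExtractor()
    parser.feed(html)
    return [analyze_link(href, text, trusted) for href, text in parser.links]


if __name__ == "__main__":
    for entry in inspect_email(SAMPLE_HTML):
        print(entry["host"], entry["issues"] or "ok")
```

Only the "lookalike-of-trusted-domain" and "non-ascii-hostname" flags are close to conclusive; "display-host-mismatch" and "brand-in-untrusted-domain" fire just as readily on a bank's click-tracking redirector, so they tell you to go in through your bookmark rather than that the mail is fake.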
While many phishing mails are obvious, there is no definite way to detect the more clever phishing. And it looks like the amount of clever phishing is increasing.
There are techniques which might help to find out if the sender is the one he is claiming, i.e. digital signatures, DMARC (which includes DKIM+SPF) etc. But these need to be employed on the sender side and verified on the recipient side - and both are either lacking in lots of cases or made (unnecessarily) complex.
If the mail claims to be from a sender you already know you might compare the mails with the ones you've received earlier for a variety of features, like same email address of sender, same transport path (received header in mail), same mail client .... Many of these features are only visible in the source code of the mail and many of these require expertise to extract and compare so average users will not be able to do this (apart from lack of time and motivation in most cases).
I recommend to take a look at a recent talk about this topic at the latest Blackhat conference: Ichthyology: Phishing as a Science.
-
Steffen, Does DKIM always go hand-in-hand with SPF? Is DMARC perceived as effective (if implemented) among IT security people? – daikin Sep 19 '17 at 19:07
-
2@daikin: DKIM and SPF are separate things. DMARC unifies both and also binds these two to the domain given in the From header of the mail instead of only to the SMTP envelope. They are considered kind of effective although they can also break, like SPF when forwarding and DKIM if an MTA converts an 8-bit mail to quoted-printable or similar. – Steffen Ullrich Sep 19 '17 at 19:35
-
Just to expand on Steffen's point here - while encryption (should) provide positive proof of identity, even where it is implemented, it only provides proof that the machine can recognise - not the user. Browsers are better than mail user agents at conveying this to the user, but users are still taken in by URL cloaking and sites which don't even bother to conceal the true URL. While I've said that MUAs are worse than browsers, they should actually be easier targets on which to implement behaviour learning, integrity inference and informing users about the level of trust inferred. – symcbean Sep 21 '17 at 16:15
It's so difficult that it's not worth trying.
Yes, there are ways to greatly increase detection. But any of them are beatable by the phishers.
- Broken English - they simply need to obtain a genuine Wells Fargo email and alter the URLs/particulars.
- Received: headers - they simply need to crack any box anywhere within Wells Fargo which can access any official SMTP server.
- Hover links (actual destinations) -- frankly, companies are making these worthless all by themselves, by grabbing random domain names for official content.
- Normalcy and social hacking doesn't come into play if the phishing email looks routine, i.e. "here is your monthly account statement".
I'm sorry. You can't tell them apart. Convincing yourself you can is the surest way to get blind-sided. Because to succeed, you must get it right every single time. They only need to be lucky once.
Getting it right every single time is just not worth the effort when there's an easy alternative.
Just treat them all as dubious and go out-of-band.
I never click links in email from banks. This is long habit.** I treat bank emails only as a tickle to maybe go check my account in a different app, or phone or just walk in.
Now, phone forces you into a reality check: is this message believable or important enough to bother another human with? Do I really need a CS agent to tell me "No, your account is not locked, why would we do that?"
** partly, that's because of my platforms. On mobile, I have a dedicated app for my bank, and have no reason to use their Web UI. On desktop, I do my webmail in Firefox, where I disabled Javascript, so I can't click a link as the bank site won't work -- this forces me to switch browsers and navigate. I could copy/paste the click link if I really want to - but I really don't. I mean, I will do that for password reset emails, but I'm expecting those.
There is one definitive way for me, and it hasn't deceived me in more than 15 years of receiving a continuous flow of crapware. I am not sure if it will suit every user without a minimum of training, but I will give it since it is simple, free and has survived many baptisms of fire with every new phishing technology.
I just read the full source of the headers of any dubious E-mail. By dubious E-mail, I also mean any E-mail coming directly from a known colleague, sent from their professional address, as soon as I see a request where I have to check their identity to comply with it. See the short but striking answer from R..
For example, an E-mail from my sister Alice sent from her real professional address asking me to make her a Western Union transfer to her postal address in Nicaragua, where she had been robbed of everything. By looking at the full header source I discovered that the first IP address used was a private IP (192.168.1.217) and the first public IP was in Nigeria. I even noticed that this E-mail was sent with her real account, authenticated, and I was able to warn her CISO that her password had been stolen (through a phishing attack, as usual).
With the training to read these awful headers I am able to recognize them in less than 15 seconds, without even having to check their source IP location.
-
2I don't think I'd even need to look at the headers to be mightily suspicious of that email from Alice. – Simba Sep 22 '17 at 12:48
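For the header reading that DKNUCKLES, Steffen Ullrich and dan describe, here is an added example (not code from any of the answers) that automates the three checks a triage analyst makes first: the Received: chain read oldest-first, with the first hop classified as private or not and the HELO name compared against the reverse DNS of the connecting address; whether the submitting relay recorded an authenticated session (ESMTPA/ESMTPSA); and relaxed DMARC alignment of the From: domain against the Authentication-Results: header, the way Steffen's comment describes DMARC binding SPF and DKIM to the From domain. Both messages are constructed: 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in for public addresses, the private 192.168.1.217 first hop is the one from dan's story, and the hostnames and the authserv-id mx.recipient.example are assumptions.

```python
"""Header triage for a suspicious email (added example, not code from any
answer above): walk the Received: chain oldest-first, flag a private first
hop and HELO/rDNS disagreement, and check relaxed DMARC alignment of the
From: domain against the Authentication-Results: our own MX wrote."""
import email
import email.utils
import ipaddress
import re
from email import policy

# Constructed messages; see the lead-in for what the addresses stand for.
LEGIT_RAW = """\
Received: from mail.mybank.example (mail.mybank.example [203.0.113.10])
    by mx.recipient.example with ESMTPS; Tue, 19 Sep 2017 18:55:01 +0000
Received: from [192.168.1.217] (unknown [192.168.1.217])
    by mail.mybank.example with ESMTPSA; Tue, 19 Sep 2017 18:54:58 +0000
Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=mybank.example;
    dkim=pass header.d=mybank.example; dmarc=pass header.from=mybank.example
From: MyBank Alerts <alerts@mybank.example>
Subject: Your monthly statement

Your statement is ready.
"""

SPOOF_RAW = """\
Received: from mail.mybank.example (vps-4471.hosting.example [198.51.100.77])
    by mx.recipient.example with ESMTP; Wed, 20 Sep 2017 08:53:10 +0000
Received: from [10.0.0.5] (unknown [10.0.0.5])
    by vps-4471.hosting.example with ESMTP; Wed, 20 Sep 2017 08:53:02 +0000
Authentication-Results: mx.recipient.example; spf=fail smtp.mailfrom=mybank.example;
    dkim=none; dmarc=fail header.from=mybank.example
From: MyBank Security <security@mybank.example>
Subject: Re-activate your account within 24 hours

Click the link below or your account will be closed.
"""

OUR_MX = "mx.recipient.example"  # authserv-id of the results we trust (assumption)
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HOP_RE = re.compile(r"\bfrom\s+(\S+)\s+\((\S+)\s+\[")


def unfold(header):
    """Collapse folded header continuation lines into one string."""
    return " ".join(str(header).split())


def received_chain(msg):
    """Hops oldest-first (mail clients show the newest Received: at the top)."""
    hops = []
    for text in map(unfold, reversed(msg.get_all("Received", []))):
        ips, by, m = IP_RE.findall(text), re.search(r"\bby\s+(\S+)", text), HOP_RE.search(text)
        claimed, rdns = (m.group(1).lower(), m.group(2).lower()) if m else ("", "")
        hops.append({
            "ip": ips[0] if ips else None,
            "private": bool(ips) and any(ipaddress.ip_address(ips[0]) in n for n in PRIVATE_NETS),
            "by": by.group(1) if by else None,
            # ESMTPA/ESMTPSA: the relay accepted an authenticated submission
            "auth_submission": re.search(r"\bESMTPS?A\b", text) is not None,
            # HELO name disagrees with the reverse DNS of the connecting address
            "helo_mismatch": (bool(claimed) and not claimed.startswith("[")
                              and rdns != "unknown" and claimed != rdns),
        })
    return hops


def auth_results(msg, authserv_id):
    """spf/dkim/dmarc results, taken only from a header our own MX wrote:
    a sender can insert a forged Authentication-Results: of its own."""
    res = {"spf": "none", "dkim": "none", "dmarc": "none", "spf_domain": None, "dkim_domain": None}
    for text in map(unfold, msg.get_all("Authentication-Results", [])):
        if text.split(";", 1)[0].strip().lower() != authserv_id:
            continue
        for method in ("spf", "dkim", "dmarc"):
            m = re.search(rf"\b{method}=(\w+)", text)
            res[method] = m.group(1).lower() if m else "none"
        m = re.search(r"smtp\.mailfrom=(?:[^\s;@]+@)?([^\s;]+)", text)
        res["spf_domain"] = m.group(1).lower() if m else None
        m = re.search(r"header\.d=([^\s;]+)", text)
        res["dkim_domain"] = m.group(1).lower() if m else None
    return res


def org_domain(domain):
    """Relaxed alignment compares organizational domains. Assumption: the
    last two labels; production code needs the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])


def dmarc_alignment(msg, authserv_id=OUR_MX):
    ar = auth_results(msg, authserv_id)
    from_org = org_domain(email.utils.parseaddr(str(msg["From"]))[1].rsplit("@", 1)[-1])
    aligned = lambda method: (ar[method] == "pass" and ar[method + "_domain"] is not None
                              and org_domain(ar[method + "_domain"]) == from_org)
    spf_ok, dkim_ok = aligned("spf"), aligned("dkim")
    return {"from_domain": from_org, "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok, "pass": spf_ok or dkim_ok}


def triage(raw, authserv_id=OUR_MX):
    msg = email.message_from_string(raw, policy=policy.default)
    hops = received_chain(msg)
    return {"hops": hops,
            "first_hop_private": bool(hops) and hops[0]["private"],
            "helo_mismatches": sum(h["helo_mismatch"] for h in hops),
            "dmarc": dmarc_alignment(msg, authserv_id)}
```

Both messages start from a private address, which on its own proves nothing: the legitimate one is a staff machine submitting over an authenticated session (ESMTPSA) to the bank's own relay, which is exactly the pattern dan saw when Alice's account had been taken over. What separates the two is the rest of the chain: the spoof's relay announces itself as mail.mybank.example while its reverse DNS says vps-4471.hosting.example, and SPF fails with no DKIM signature, so the From: domain aligns with nothing. Only the Authentication-Results: whose authserv-id matches your own MX is consulted; pass a different authserv_id and every result degrades to "none", which is what should happen to a "dmarc=pass" the sender wrote in themselves.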
No, there is no fool-proof way to identify phishing e-mails.
If there were, we would have programmed this way into a piece of software and have it installed on all mail servers and the problem would go away.
There are long lists of clues - other answers do a good job listing them - but the field is always changing and the list is never perfect. Fortunately, most phishing mails are done by amateurs and are trivial to spot with some experience, because most users are easy to fool and thus the creators of phishing mails don't have to make much effort.
However, there are some extremely well done phishing mails, especially when spear-phishing (i.e. targeting individuals, often skilled and educated in IT). Some study ten years ago (sorry, don't remember the link) showed that even IT professionals got well-done phishing e-mails wrong about 30% of the time.
Also note that if you expend considerable effort establishing what's going on, the scammer has already succeeded in wasting your time. Studying the headers or any other exercises mentioned are for people who don't get 200 mails every day.
On top of the great answers above, something else that gives you a good clue is to right click the links on the page (make sure you don't left click!) and choose 'Inspect Element'*.
If this is a fake email, you'll see some nonsense email address. Ones that I often see start with "adclick.g.doubleclick.net/". You may also get an irrelevant company addresses on what looks to be genuine links.**
Though I'm sure this website is legit, if I have an email telling me to use a link like this to cancel an order then this is clearly a scam.
* This may show up as another similar name like 'Inspect', depending on the browser
** A lack of a suspicious link does not make it a genuine email. See the other answers for more things to check
-
1This obviously only works if you are reading your e-mail in a web browser. – user Sep 21 '17 at 19:53
-
As a security rule of thumb I neither read my professional E-mail in a web browser, nor in software able to automatically send any HTML code to a web browser. Before copying a URL I see its source (in fact I don't see the displayed value like "Click here!") and decide whether it is really an important piece of information. – dan Sep 23 '17 at 21:49
If the email includes a link, there are some basic checks you can do by opening it in a private browsing window.
Make sure your private browsing window is as secure as possible before starting. At a minimum, make sure your browser is fully updated. You may also wish to disable Javascript, run the browser in a sandbox such as Firejail, or even isolate it in a virtual machine (using VirtualBox or similar).
Now open the link in the private browsing window. Once the page loads, check the address bar. Make sure the hostname (in modern browsers this part of the address is usually darker than the rest) matches the site you expected to reach. The most important part of the hostname (and the hardest for an attacker to impersonate) is the part at the end, from the organisation name onwards. So if the link you've got in your bookmarks is www.facebook.com, then login.facebook.com is probably OK, but www.facebook.example.com or www.facebook.biz is not.
Check that the site has a valid certificate - on most modern browsers, there is a green padlock in or near the address bar. If it's missing, red, yellow, or grey, then you probably shouldn't log into this site, even if you are able to prove it is the correct address.
Next, if the page you reach has a login option, use it, but with non-working credentials. Phishing attacks will typically not make any attempt to validate the credentials you enter, whereas a real site would. If it doesn't alert you that the credentials were invalid, it's probably a phishing attack.
And finally, if you can avoid using the link in the email, then do. If you've got a link to the site in your bookmarks, or you can get hold of a trusted address in some other way, log in using that address instead.
-
1So your recommendation on receiving an email that you think might be malicious is to open the links in it? That seems like a terrible idea. Private browsing windows won't protect you against malware and your scheme of using non-working credentials will fail if the bogus website operates as a man in the middle between you and the real website. – David Richerby Sep 21 '17 at 00:20
-
Well, I suppose technically, the question was how to identify phishing, not how to avoid drive-by downloads. If you can improve your chances of doing the former by taking risks around the latter, then personally I'm not up for that, but the questioner might have a spare PC they don't mind burning afterwards ;-) – Steve Jessop Sep 21 '17 at 12:24
-
1If you're using an up-to-date browser, drive-by downloads are unlikely to be an issue, although of course some browsers do a better job at security and privacy than others. I'll flesh that out a bit. Man-in-the-middle is a concern, but in practice I've never known attackers to do this correctly. Given that the top-voted answer suggests checking for poor spelling, I think it's reasonable to check for technical points that attackers rarely get right. – James_pic Sep 21 '17 at 15:54
-
3By the time you have loaded the linked page, the sender may very well know that your e-mail address is both *valid* and *monitored*. That makes it much more valuable for putting on list of e-mail addresses for sale; anyone can come up with random e-mail addresses, but it takes more effort (and increases the rate of return for a spammer) to actually confirm that they are valid. – user Sep 21 '17 at 19:57
This may be mere pedantry, but no: there is no definitive way to tell whether an email is a phishing attempt.
Suppose that a Nigerian princess was indeed in need of assistance in transferring large sums of money out of the country; suppose further that she had no one else in the world to turn to, and was indeed reduced to sending out email messages to total strangers. In such a situation, a user could receive a legitimate request for assistance from a Nigerian princess, which would nevertheless be identical to a classic phishing message.
(A non-pedantic application of the above example would be to ask yourself whether you are more bothered by false positives or false negatives, which will inform how strict a filter you implement.)
-
5Again, this might be mere pedantry, but advance-fee fraud isn't technically phishing. So as long as the Nigerian princess restricts herself to asking you to send a $1000 processing fee to release her vast fortune into your custody, her email won't be confused with a phishing attempt ;-) – Steve Jessop Sep 21 '17 at 13:54
-
2If you want to be pedantic: There has never been a prince of Nigeria. Since its founding in 1960, Nigeria was always either democratic or ruled by a military junta. There are various PARTS of Nigeria where local traditional rulers are called king or sultan etc. but I guess they'd be proud enough of their heritage to call themselves princes of that area, not of Nigeria. – Tom Sep 24 '17 at 05:01
Not in the generality like you're asking. And the problem is not only the phishing mails. Have a look at mails from legitimate senders like Twitter, Amazon, PayPal and others.
Many of them use bad practices: linking https://mysite to https://mysite-mailtracking.com/asdf, using complicated HTML in the mail, using different domains as the main service domain, mail sender domain and domains they mention in the mail, and putting a lot of information in images instead of text.
When you want to test it as an expert who wants to see how they are phishing, a method would be "click in a secured browser, watch to what domain you're redirected and if this matches the form you get when you manually login and open the form". But that's nothing to suggest to a user, who falls for much simpler stuff.
So the reasonable advice here: Ignore anything in the mail but that something happened and login with your browser like you do every day. Most services will tell you what the mail wanted you to know, as users today often use the website/app more often than they read their mails.
A professional security firm can usually determine with near-certainty whether an email is phishing or not. This may not be useful to the average user, but here's how they would do it:
Email origin
Emails contain a series of headers that show the IP address of mail relays. These can be analysed to identify the IP address of the sender. This should be the legitimate organisation. If it's a Tor exit node, that's highly suspicious.
There are scenarios where the origin is inconclusive, such as a third-party mail provider. In that case, the company would speak to the mail provider and legitimate organisation, and could normally resolve this.
They would also look at the source email address, and maybe check the outgoing email logs of the legitimate company.
Email content
Typically a phishing email has a link to a website that is NOT owned by the legitimate organisation and asks for login details. The domain might be deceptive (e.g. mybank-secure.com is nothing to do with mybank.com), be a lookalike (e.g. a capital I looks like a lower-case l) or might use an attack like cross-site scripting or session fixation to show the legitimate domain. To deal with all these, the email source would be manually analysed as plaintext, and the ownership of all domains investigated in detail. In some cases this could be a legitimate email using bad practice - but it's best not to enter your details anyway!
The mail may also contain malware. Running anti-virus software on any attachments is a start. But this could be polymorphic or zero-day malware that resists anti-virus. Instead, manual analysis will try to identify anything that looks suspicious. A Word document with an onload macro that creates an OLE object may not trigger anti-virus software - but it is certainly suspicious.
Again, this won't always be conclusive. For some kinds of spear phishing, it may be impossible to distinguish legitimate from fraudulent content. If someone is selling something, and just before payment receive an email saying "actually, send the money here..." - the content alone doesn't help you, you need to check the origin.
I've never been asked to do this, but I expect most forensics companies do from time-to-time. In large organisations, sometimes bulk emails are sent to customers without proper authorisation. Perhaps such an email was reported as phishing, then the original organisation needs to work out what happened. If this happens, it shows the organisation has poor controls around customer emails, but that won't come as a great surprise.
Anti-phishing advice
Bookmark the sites you care about - your bank, credit card, etc. If you receive an email from them, don't click that link; instead use your bookmark. This simple precaution defeats the vast majority of phishing attacks.