
My main tactic (amongst others, see related questions) for detecting phishing emails is the obviously wrong sender domain.

I see a trend that big companies are starting to use dedicated domains for their services, such as facebookmail.com, or encourage us to click on links such as https://epl.paypal-communication.com. I just received an email from microsoftadvertising.com. So we are being "re"-trained to trust domains other than the official ones.

How do I detect spam/phishing emails in the future when bad folks start sending perfect phishing emails that pass SPF/DKIM/DMARC, have legitimate account information, contain no grammar mistakes, use good/original CSS/HTML/JS, and more? So does it boil down to the fact that, from my perspective, the only way is to extensively search for whether the sending domain belongs to the authoritative company?

Related questions:

Emanuel Graf

1 Answer


That is a fantastic question. Unfortunately, there is no "silver bullet" answer to it. The more well-crafted a phishing email is, the more difficult it becomes to detect for the average user. However, there are some red flags which almost always indicate a phishing or scam email:

Typos and poor grammar

This is by far the most obvious sign that something is a phishing email. It doesn't mean an email with correct grammar is therefore legit, but it almost always means an email with poor grammar is not. For example, compare the following two paragraphs:

Dear Emanuel Graf,

PayPal has detected unusual activity on your account. We believe that your account may have been compromised by a malicious third party. To prevent further compromise, we have locked your account. Please contact our customer service in order to reinstantiate your account. [...]

compared to

Dear customer

paypal has detected that there was straneg activity on you're account. it's because your account has been hacked! You have to contact us immediately or you're account will stay locked. [...]

It is indeed very unusual for a legitimate business to have typos or grammatical mistakes in their official emails.

Lack of specific information regarding you

Legitimate companies, whom you deal with, will always know your real name, or at least a pseudonym with which you have registered. They will usually use that when communicating with you.

On the other hand, scammers and other malicious parties usually don't have that information and address you as "Dear customer" or in similar generic terms. Or, they may forego addressing you and just cut to the chase ("Your account has been hacked!").

This is very common with phishing emails pertaining to delivery services, especially around Christmas, when lots of people buy presents online and a lot of people are expecting packages. So an email saying "Dear UPS customer, there has been a problem with one of your shipments" may seem quite plausible to a lot of people at first glance.

Urge to act now

Scammers usually put tight deadlines on you and tell you to act now or else something bad will happen. They may tell you that your account has been hacked, and if you don't act now, the hacker will take all your money. Or they tell you that a package is waiting for you, and if you don't pay up now, then they will throw it away.

This should put the victim into an emotional state (fear of losing money), causing them to forego all caution and act now, instead of thinking about it logically and recognizing it is a scam.


Aside from this, there are some things you can do to check, whether an email is legitimate or not.

  1. Contact customer service through the known, legitimate website of the service.

    For example, if you are unsure whether an e-mail from someone who claims to be PayPal is legitimate, you can call their customer service and inform them of the e-mail you have received. Either they will tell you that it is indeed legitimate, or they will tell you it's not (and they may ask you to forward the email for inspection to one of their e-mail addresses).

    It's important that you contact the service through a known, trustworthy channel. That means: don't call a phone number that was listed in the e-mail you received. Call the phone number listed on the website of the service.

  2. Search whether the domains listed in the e-mail belong to the company in question.

    For example, "paypal.com" and "paypal-communication.com" are both registered to "PayPal Inc.". While that's not a certain way to know whether it's legit, it's more likely that it is legit. It also helps to check whether the company lists this domain as one of theirs somewhere.

How do I detect spam/phishing emails in the future when bad folks start sending perfect phishing emails?

Unfortunately, there is no way for you to be 100% safe. However, judging from phishing e-mails in the past, scammers and phishers are rarely interested in catching "high awareness" targets, but rather in getting the "low hanging fruit". That means people with a poor understanding of technology.

Put yourself in the mind of a criminal: Why would you invest a long time to perfectly forge an e-mail from PayPal, when you can just call random seniors and claim to be their nephew and that you really, really need some money or else you'll lose your apartment?
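The red flags and checks listed in the answer above (sender domain not belonging to the brand, SPF/DKIM/DMARC results, a generic greeting, urgency language, and links whose visible text points somewhere other than their target) can be mechanised into a simple triage script. The following is an added example, not the answerer's code and not any vendor's tool. It assumes a hypothetical allow-list of brand domains the reader has already verified (here the two PayPal domains the answer names), and both sample messages are constructed for illustration; the Authentication-Results header is whatever your own receiving mail server stamped on the message, so it is only meaningful if you trust that server.

```python
"""Heuristic phishing triage of a raw e-mail (added example, not the answerer's code)."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: domains the reader has already verified as belonging to the brand
# (registrant lookup, or the brand's own published list of sending domains).
KNOWN_BRAND_DOMAINS = {"paypal": {"paypal.com", "paypal-communication.com"}}

GENERIC_GREETING = re.compile(r"\bdear\s+(customer|user|member|client)\b", re.I)
URGENCY = re.compile(
    r"\b(immediately|within 24 hours|act now|will be (locked|closed|suspended|deleted))\b", re.I)
LOOKS_LIKE_URL = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


def registrable_domain(host):
    """Last two labels of a host name; crude stand-in for a Public Suffix List lookup."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else parts[0]


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> elements in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def parse_auth_results(header):
    """Map spf/dkim/dmarc -> result token from an Authentication-Results header value."""
    return {m.group(1).lower(): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", header or "", re.I)}


def triage(raw_message, brand):
    """Return the list of red flags found in raw_message for the named brand."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    allow = KNOWN_BRAND_DOMAINS[brand]
    findings = []

    from_hdr = msg["from"]
    from_domain = registrable_domain(from_hdr.addresses[0].domain) if from_hdr and from_hdr.addresses else ""
    if from_domain not in allow:
        findings.append(f"sender domain {from_domain!r} is not a known {brand} domain")

    auth = parse_auth_results(msg["authentication-results"])
    for mech in ("spf", "dkim", "dmarc"):
        if auth.get(mech) != "pass":
            findings.append(f"{mech} did not pass ({auth.get(mech, 'missing')})")

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    if GENERIC_GREETING.search(text):
        findings.append("generic greeting instead of your registered name")
    if URGENCY.search(text):
        findings.append("pressure to act now")

    links = _LinkCollector()
    links.feed(text)
    for href, visible in links.links:
        host = urlparse(href).hostname or ""
        if not host:
            continue
        link_domain = registrable_domain(host)
        if link_domain not in allow:
            findings.append(f"link points to {link_domain}, not a known {brand} domain")
        if LOOKS_LIKE_URL.fullmatch(visible):  # visible text that itself looks like a URL
            shown = urlparse(visible if "://" in visible else "//" + visible).hostname or ""
            if shown and registrable_domain(shown) != link_domain:
                findings.append(f"link text shows {shown} but goes to {host}")
    return findings


# Constructed sample messages (not real mail); the auth header is what a receiving server would add.
LEGIT = """\
From: PayPal <service@paypal.com>
To: Emanuel Graf <emanuel@example.org>
Subject: Your receipt
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=paypal.com; dkim=pass header.d=paypal.com; dmarc=pass header.from=paypal.com
Content-Type: text/html; charset=utf-8

<html><body><p>Dear Emanuel Graf,</p>
<p>You sent a payment. View the details in your account at
<a href="https://www.paypal.com/myaccount">www.paypal.com</a>.</p></body></html>
"""

PHISH = """\
From: PayPal Security <security@paypal.com.verify-account.example>
To: Emanuel Graf <emanuel@example.org>
Subject: Your account has been limited
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=verify-account.example; dkim=none; dmarc=fail header.from=paypal.com.verify-account.example
Content-Type: text/html; charset=utf-8

<html><body><p>Dear customer,</p>
<p>Your account has been hacked. You must verify it immediately or it will be locked.</p>
<p><a href="http://paypal.com.verify-account.example/login">https://www.paypal.com/myaccount</a></p></body></html>
"""

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("phish", PHISH)):
        print(name, triage(raw, "paypal"))
```

Note that a message passing all of these checks is not thereby proven legitimate (the answer's point about well-crafted phishing stands); the script only surfaces the cheap signals, and the domain allow-list is the part you still have to build by hand through the vendor's own website or registrant data.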

  • Also most real mails (let's say for example Amazon makes some changes to their Prime membership that you have to accept with your Amazon account) normally make you go to their website manually and log in there to proceed, instead of clicking a link that redirects you to their website. Of course this isn't always the case, since some stuff can't be managed like that (temporarily locked account, suspicious login attempts etc.) (PS: I'm not sure if you already mentioned this or if I just overlooked this part in your answer) – UndercoverDog Aug 12 '22 at 12:06
  • @UndercoverDog I didn't include it, because I've seen both. I've seen things like "Your annual subscription will be renewed in two weeks. To cancel, go to our website" as well as "Click here to do ...". Just because an email instructs you to click on a link doesn't make it inherently suspicious. – Don't roll your own Aug 12 '22 at 12:12
  • "Ofc this isnt always the case[...]" – UndercoverDog Aug 12 '22 at 15:42
  • Hey! Your answer is great! However I failed to initially define "perfect phishing emails", which changes the question a little bit. I have updated the question with a more sophisticated definition. – Emanuel Graf Aug 28 '22 at 10:55