How To Detect Malicious Emails

Here's the fun thing about hackers...they don't need everyone to fall for their tricks, because a 0.1% success rate on 1 million emails means 1000 victims. With a bit of practice, they are easy to spot. This year ITS noticed a marked increase in the number of email attacks.

Email attacks have several common elements:

Urgency

Oh no! Something is wrong, fix it! Common scare tactics include:

  • Mailbox is full
  • Password expired
  • Virus infection
  • Test your credentials on our new email server so we know they work
  • Time limit ("do this by tomorrow")
  • Unexpected invoice, even if it's from a legit service like PayPal
  • Subscription renewal or expiration notice (McAfee, Norton, Geek Squad)
  • Request to update bank/direct deposit/wire transfer accounts

Spelling errors/Awkward text

Eventually spammers will hire fluent English speakers, but until then spelling errors, or awkward or unexpected phrasing, can be a tell. For instance if the email comes from "Yourdomainname support" or "IT yourdomainname Portal" with a partial version of your domain name in the sender or subject, does that seem right? Or overly generic? It was probably automated during the spam run. If something seems "odd" about the message, be suspicious.

We have seen a few recently that have no text at all, but attach an image of the invoice. That is one way to get around spam filters, but malicious images can exploit security flaws just like malicious documents.

Links to Strange Web Sites

Consider this link: totallylegitbanksite.com. If you are reading this on a PC, and hover your mouse over the link (without clicking), your browser will show the actual URL at the bottom of the page. Notice it will not take you to (the fictional) totallylegitbanksite.com. For a variation on masking a URL, the URL https://totallylegitbanksite.com@example.com will take you to example.com not totallylegitbanksite.com. The @ symbol tells your browser the text before it is a username for "logging in to" the site.

When you have any doubt, do not click on links in the email. Just type in the web site yourself. If it's a site you use it will be in your browser history anyway so it only takes a few keystrokes.

A Toll-Free Number

Many of these scam emails include a phone number. Guess what? You're calling the bad guys. That usually initiates a new list of red flags when they:

  • Ask to verify your account or credit card
  • Ask for your password (when asked, many people will just start listing passwords they have used, in this case giving them a list)
  • Offer to remotely access your computer to fix something
  • Ask you to install software on your computer
  • Offer to sell you services or software to fix problems they "find" on your computer (which also gives them your credit card number)

Instead look on the company's web site for the real phone number.

Fake Sender

It's trivial to fake the "from" address in an email. Unfortunately many email programs hide the actual email address. One trick is to click Reply or Forward, and (without sending the message!) look at what your email program shows as the original sender, in the quoted text. Often it will show the email address of a third party compromised email account, or a free email service like Gmail or Outlook.com.

For clients with ITS Mail Guard, we can set up custom rules to look for specific names (such as the company owner or officers) coming from unexpected email addresses.

Protect Yourself

If you're even a bit suspicious, you're probably right. You're welcome to contact us to take a look. We can easily connect in to any PC under ITS TeamCare. Forwarding the email can actually be problematic because by the time it is forwarded, spam filters may have updated, and block it and/or detect that you're the one sending the malicious email.

Verify the instructions are legitimate. By phone, not email...if the hacker has compromised someone's email account, they will just reply to your email. Never call the phone number in the email! Look up the number on their web site or your records.

November 2022

Send this article to a friend!
Subscribe to The ITS Connection

Related articles