Is it Phish? How to Detect!

May 24, 2018

Let’s start with “What is Phishing?”

Phishing is one of the most common social engineering attacks. A malicious actor poses as a trusted entity in electronic communication (most often email) to trick the recipient into divulging sensitive information such as credentials, or into opening a malicious link or attachment.

Now that we know what phishing is, what do we look for? Catching a bad email takes vigilance and common sense, but a few concrete checks make the job much easier.

Follow these 3 steps to investigate an email for suspicious behavior:

1. Look at the sender name and domain: hover over (or expand) the sender name to see the actual email address behind it, and check whether its domain matches the organization the message claims to come from. The display name is free text chosen by the sender and proves nothing on its own.

2. Look for a sense of urgency in the subject line and body, and for grammatical errors.

3. Look for embedded files or spoofed links: hover over every link to see the real destination URL (the visible text can say anything), and treat attachments as untrusted until they have been scanned.

The image below is a screenshot of a credential-phishing email I recently received.

Sample Email

As you can see in the screenshot above, the email appears to come from “Window Live 2018,” but on closer inspection the actual sender is a Hotmail address, “kamlabar1.” That alone should set off an alarm: a display name is whatever the sender types into it, so why would a genuine Windows update notice be sent from a personal Hotmail account?

Secondly, the email body manufactures urgency. Phrases such as “Do not ignore!” and “Note,” set in a large font, are there to pressure the reader into acting before thinking.

Lastly, it has an embedded link. Hovering over “UPGRADE NOW” reveals the real destination URL, which the visible text gives no hint of. Tip of the day: NEVER CLICK ON THE LINK IN THE EMAIL. If you are uncertain of the source, copy the link address (right-click, copy link) instead of clicking it, and check the links and attachments the email contains with open-source tools before opening anything.
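To make the three checks concrete, here is an added example (not code from the original post) that applies them to a raw .eml message using only Python's standard library: it separates the display name from the actual sender address, looks for urgency phrases in the subject and body, and lists every link together with the host its href really points to (what hovering would show), plus any attachments. The two messages embedded in it are constructed for illustration and modelled on the walkthrough above; the hosts under .example are placeholders, not the real destination from the screenshot, and the keyword lists are assumptions kept deliberately short.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the walkthrough: brand-like display name on a free-webmail
# address, urgent wording, a call-to-action link, and a link whose text shows a real Outlook
# URL while its href goes elsewhere. Hosts under .example are placeholders.
SAMPLE_EML = b"""\
From: "Window Live 2018" <kamlabar1@hotmail.com>
Subject: Do not ignore! Your mailbox will be suspended
Content-Type: text/html; charset=utf-8

<html><body><p><b>Note:</b> Do not ignore! Verify your account within 24 hours or it will be deactivated.</p>
<p><a href="http://login-verify.example/outlook">UPGRADE NOW</a></p>
<p>Or open <a href="http://login-verify.example/outlook">https://outlook.live.com/owa</a></p>
</body></html>
"""

# Constructed benign notice for comparison: same checks, no findings expected.
BENIGN_EML = b"""\
From: "IT Helpdesk" <helpdesk@corp.example>
Subject: Maintenance window on Saturday
Content-Type: text/plain; charset=utf-8

The mail server will be patched Saturday 02:00-04:00. No action is needed.
Details: https://intranet.corp.example/maintenance
"""

# Illustrative lists (assumptions); a real deployment maintains these centrally.
FREEMAIL_DOMAINS = {"hotmail.com", "outlook.com", "live.com", "gmail.com", "yahoo.com"}
BRANDS = ("microsoft", "window", "outlook", "office", "paypal", "apple", "amazon", "bank")
URGENCY_PHRASES = ("do not ignore", "immediately", "urgent", "suspended", "deactivated",
                   "within 24 hours", "act now", "verify your account", "final notice")
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".hta", ".iso", ".lnk", ".docm", ".xlsm")
LOOKS_LIKE_URL = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)


class _HtmlCollector(HTMLParser):
    """Collects (href, anchor text) pairs and the visible text of an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self.text, self._href, self._anchor = [], [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._anchor = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor).strip()))
            self._href = None


def triage(raw_eml: bytes) -> dict:
    """Run the three checks over a raw RFC 5322 message and return the evidence."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_eml)
    display_name, address = parseaddr(str(msg.get("From", "")))
    sender_domain = address.rpartition("@")[2].lower()
    findings = []

    # Step 1: the display name is attacker-chosen text; judge the actual address.
    if sender_domain in FREEMAIL_DOMAINS:
        findings.append(f"sender domain {sender_domain} is free webmail, not a corporate domain")
    impersonated = [b for b in BRANDS if b in display_name.lower() and b not in sender_domain]
    if impersonated:
        findings.append(f"display name '{display_name}' suggests {impersonated}; the address does not")

    # Step 2: urgency wording in subject and body (grammar is left to the human reader).
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body is not None else ""
    collector = _HtmlCollector()
    if body is not None and body.get_content_type() == "text/html":
        collector.feed(content)
        visible_text = " ".join(collector.text)
    else:
        visible_text = content
        collector.links = [(u, u) for u in re.findall(r"https?://\S+", content)]
    haystack = f"{msg.get('Subject', '')} {visible_text}".lower()
    if urgent := [p for p in URGENCY_PHRASES if p in haystack]:
        findings.append(f"urgency language: {urgent}")

    # Step 3: where each link really goes (what hovering reveals) and what is attached.
    for href, anchor in collector.links:
        host = (urlparse(href).hostname or "").lower()
        if LOOKS_LIKE_URL.match(anchor):
            shown = (urlparse(anchor if "://" in anchor else f"//{anchor}").hostname or "").lower()
            if shown != host:
                findings.append(f"link text shows {shown} but the href goes to {host}")
        if impersonated and host and not any(b in host for b in impersonated):
            findings.append(f"'{anchor}' leads to {host}, unrelated to {impersonated}")
    attachments = [a.get_filename() or "(unnamed)" for a in msg.iter_attachments()]
    if risky := [a for a in attachments if a.lower().endswith(RISKY_EXTENSIONS)]:
        findings.append(f"attachment types commonly used to drop malware: {risky}")

    return {"display_name": display_name, "sender_domain": sender_domain, "links": collector.links,
            "attachments": attachments, "findings": findings, "suspicious": len(findings) >= 2}
```

Run `triage(SAMPLE_EML)` and `triage(BENIGN_EML)` (or save a suspicious message as .eml from your mail client and pass its bytes) and compare the `findings` lists: the phish trips every check, the helpdesk notice trips none. The output is triage evidence, not a verdict; it tells you what to look at, the same way hovering over the sender and the links does by hand.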

To avoid falling prey to a phishing attack and determine for yourself whether an email is malicious, use a few open-source tools. Below are three kinds of free online resources that help in examining an email for phishing/spam behavior:

1. A redirect checker: use it to see where a link in the email actually redirects. A short or innocuous-looking URL often bounces through several hops before landing on the phishing page, and it is the final destination that matters.

2. A multi-engine scanner: use it to check the reputation of links or attachments in an email. Read the result with care; a low detection count does not mean a link is clean, because a freshly registered phishing page is often flagged by only a handful of engines at first.

3. A URL screenshot service: it shows you the first page of a website without your actually visiting it, so you get a good idea of what you would be looking at before deciding whether to click.

When I right-clicked and copied the link from the above screenshot and checked it on VirusTotal, it showed that 4 out of 67 scan engines flagged the URL as phishing. Ahh!! Caught a phish 😉

VT Analysis

Before clicking the link, I checked it on urlquery to see where the page would take me if I clicked it. From the screenshot below, you can clearly see that it asked for credentials. Also, it was not an Outlook URL, so it certainly would not have been a good idea to click on this one. This was a phishing email built to harvest Outlook credentials.

urlquery analysis

Wrap Up

I’ve highlighted three common and versatile kinds of open-source tools for analyzing emails for suspicious behavior. There are many more available, and hundreds of ways to check the behavior, type, and malicious nature of links or attachments.

The key to keeping yourself safe is to stay vigilant and think before you click.

I hope you enjoyed this and found it easy to follow along. If you have other methods, post them in the comments here!

1. What if the mail headers are changed at the time of SMTP server processing? e.g. mail header injection. Big email service providers such as Microsoft Live and Gmail have protection against it. An attacker can send phishing mails through mail header injection, and when you see the sender’s domain it’ll look genuine to you.

2. Yeah, your content is true, but a little bit is missing.
   => Understanding an email is easy if you find an email that says instant loan, M-Pesa, get credit card, get car, etc.
   1. Always check the link before adding any info.
   2. In your life, never add your real username and password on the first try.
   First add something like
   USERNAME: lololo
   and wait for the page to respond.
   If the page accepts it, understand this is a fake site.
