What is a Phishing Email?
A phishing email attempts to fraudulently acquire personal information, such as your account password or credit card details.
Here, the email may look as if it comes from a legitimate source, but it does not. Many email clients, as well as most browser tools, apply lists to classify sources/senders as “good” (whitelists) or “bad” (blacklists).
Typically, a blacklist blocks the IP address of the sending (SMTP) server, the sender's domain, or even the whole email address domain of a sender.
Blocking an IP address or domain causes problems when the sender uses a shared SMTP server belonging to a provider (every other customer of that server is blocked as well), and blocking a sender's entire email domain is unreliable because the source address can be forged.
How to Spot a Phishing Email?
Detection runs in three stages. The stage-one classifier looks at the text of the mail subject and marks the mail as legitimate or spam based on a keyword match; a mail flagged here is moved to the spam or junk folder.
If the subject is clean, the mail passes to the stage-two classifier, which checks the legitimacy of the content: the body is searched for phishing keywords, and the presence of an embedded image is also noted, since it is a good indicator of spam email.
Again the output is either good mail or spam. Spam goes to the spam or junk folder; mail judged legitimate is fed to the stage-three classifier, which checks the IP address the mail was received from against the real-time blacklist at Spamhaus.org.
If that lookup marks the mail as spam, it is moved to the spam or junk folder; otherwise the mail is delivered to the inbox as legitimate.
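The three stages above, written out in Python as an added example (this is not the page's own tool). The keyword lists, the image rule and the local blacklist set are constructed stand-ins; a real stage three would resolve the DNSBL name that dnsbl_query_name() builds (reversed octets under zen.spamhaus.org) instead of consulting a local set, and all sample messages are constructed.

```python
"""Three-stage mail classifier: subject keywords, content keywords/image, sender IP."""
import email
import re
from email import policy
from email.message import EmailMessage

# Assumed keyword lists; the page does not give the exact ones.
SUBJECT_KEYWORDS = ("verify account", "verify email", "urgent", "suspended", "winner")
CONTENT_KEYWORDS = ("verify account", "verify email", "bank", "debit",
                    "click here", "login", "update")
# Constructed offline stand-in for the Spamhaus real-time list
# (203.0.113.0/24 is a documentation range, used only as sample data).
BLACKLISTED_IPS = {"203.0.113.77"}
INBOX, JUNK = "INBOX", "Junk"
_BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def stage_one(msg):
    """Stage 1: keyword match on the subject only."""
    subject = str(msg["Subject"] or "").lower()
    return any(k in subject for k in SUBJECT_KEYWORDS)


def _body_text(msg):
    return " ".join(p.get_content() for p in msg.walk()
                    if p.get_content_type() in ("text/plain", "text/html")).lower()


def stage_two(msg):
    """Stage 2: content keywords, or an embedded image with almost no text
    (image-only bodies are a classic spam trick; the 20-word cut-off is assumed)."""
    text = _body_text(msg)
    has_image = any(p.get_content_maintype() == "image" for p in msg.walk())
    return any(k in text for k in CONTENT_KEYWORDS) or (has_image and len(text.split()) < 20)


def sender_ip(msg):
    """IP from the topmost Received header, the one written by our own server.
    Lower Received lines were written by earlier hops and can be forged by the sender."""
    received = msg.get_all("Received", [])
    if not received:
        return None
    found = _BRACKETED_IP.search(str(received[0]))
    return found.group(1) if found else None


def dnsbl_query_name(ip, zone="zen.spamhaus.org"):
    """Name a real lookup would resolve: octets reversed, under the DNSBL zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def stage_three(msg, blacklist=BLACKLISTED_IPS):
    """Stage 3: sender IP against the (here local) blacklist."""
    ip = sender_ip(msg)
    return ip is not None and ip in blacklist


def classify(raw):
    """Return (folder, reason) for a raw RFC 5322 message string."""
    msg = email.message_from_string(raw, policy=policy.default)
    if stage_one(msg):
        return JUNK, "stage 1: subject keyword"
    if stage_two(msg):
        return JUNK, "stage 2: content keyword or image"
    if stage_three(msg):
        return JUNK, "stage 3: sender IP blacklisted"
    return INBOX, "legitimate"


# Constructed sample messages.
RECEIVED = "Received: from {host} ({host} [{ip}]) by mx.example.com with ESMTP\n"
STAGE1_MAIL = (RECEIVED.format(host="mail.example.net", ip="198.51.100.5")
               + "From: alerts@example.net\nTo: user@example.com\n"
               + "Subject: Verify Account now\n\nYour access will close.\n")
STAGE2_MAIL = (RECEIVED.format(host="mail.example.net", ip="198.51.100.5")
               + "From: alerts@example.net\nTo: user@example.com\n"
               + "Subject: Your monthly statement\n\n"
               + "Please login and update your debit card details.\n")
STAGE3_MAIL = (RECEIVED.format(host="mail.example.net", ip="203.0.113.77")
               + "From: bob@example.net\nTo: user@example.com\n"
               + "Subject: Lunch on Friday?\n\nShall we meet at noon?\n")
CLEAN_MAIL = (RECEIVED.format(host="mail.example.net", ip="198.51.100.5")
              + "From: bob@example.net\nTo: user@example.com\n"
              + "Subject: Lunch on Friday?\n\nShall we meet at noon?\n")


def image_only_mail():
    """Constructed multipart sample: a few words of text plus an embedded PNG stub."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "promo@example.net", "user@example.com", "Monthly offer"
    m.set_content("See attached.")
    m.add_attachment(b"\x89PNG\r\n\x1a\n", maintype="image", subtype="png", filename="ad.png")
    return m.as_string()


if __name__ == "__main__":
    for name, raw in [("stage1", STAGE1_MAIL), ("stage2", STAGE2_MAIL),
                      ("image", image_only_mail()), ("stage3", STAGE3_MAIL), ("clean", CLEAN_MAIL)]:
        print(name, classify(raw))
    print(dnsbl_query_name("203.0.113.77"))
```

Only the topmost Received header is trusted for the stage-three address: it is the one your own server wrote, whereas every line beneath it came from the sender's side of the connection and can say anything. Stage three therefore cannot be fooled by a forged From address, which is the weakness of domain-based blacklists noted above.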
How to recognize a phishing Email?
The detector can check as many mailboxes as you configure. Each mailbox points at its provider's IMAP server, and accounts on mail services such as Gmail and Yahoo can be used; Gmail, for example, is configured as imap.gmail.com.
The accounts whose mail is to be checked are listed in the credentials.xml file, and there may be several for the same mail server.
For each account, the user id and password are encoded and stored in credentials.xml as one entry, separated by a semicolon, together with the folder that illegitimate mails should be moved into. Note that encoding only obscures the credentials; anyone who can read the file can reverse it, so the file must be readable only by the account the detector runs under.
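A reader for such a credentials.xml, added here as a worked example and not the detector's own code. The element names, the attribute layout, the choice of base64 as the encoding, the Yahoo IMAP host name and the sample entries are all assumptions; the page says only that the encoded user id and password are separated by a semicolon and that a target folder is given per account.

```python
"""Reader for a per-account credentials.xml (layout and base64 encoding assumed)."""
import base64
import binascii
import xml.etree.ElementTree as ET
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    server: str    # IMAP host, e.g. imap.gmail.com
    user: str
    password: str
    folder: str    # where mails judged illegitimate are moved


def encode_credentials(user, password):
    """'user;password' in the assumed base64 form. The user id must not contain ';'
    (the password may, because load_accounts splits on the first ';' only)."""
    if ";" in user:
        raise ValueError("user id must not contain ';'")
    return base64.b64encode(f"{user};{password}".encode("utf-8")).decode("ascii")


def load_accounts(xml_text):
    """Parse the file into Account records, refusing any incomplete or malformed entry
    rather than silently scanning a mailbox with nowhere to move its junk to."""
    accounts = []
    for node in ET.fromstring(xml_text).findall("account"):
        server = node.get("server", "").strip()
        enc = (node.findtext("credentials") or "").strip()
        folder = (node.findtext("folder") or "").strip()
        if not (server and enc and folder):
            raise ValueError(f"account entry for {server or '?'} lacks server, credentials or folder")
        try:
            decoded = base64.b64decode(enc, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError) as exc:
            raise ValueError(f"credentials for {server} are not valid base64 text") from exc
        user, sep, password = decoded.partition(";")
        if not sep or not user:
            raise ValueError(f"credentials for {server} are not 'user;password'")
        accounts.append(Account(server, user, password, folder))
    return accounts


# Constructed sample file; the passwords are dummies.
SAMPLE_CREDENTIALS_XML = f"""<?xml version="1.0"?>
<accounts>
  <account server="imap.gmail.com">
    <credentials>{encode_credentials("alice@gmail.com", "hunter2")}</credentials>
    <folder>Phishing</folder>
  </account>
  <account server="imap.mail.yahoo.com">
    <credentials>{encode_credentials("bob@yahoo.com", "s3cr3t")}</credentials>
    <folder>Junk</folder>
  </account>
</accounts>
"""

# The same file with the folder missing from the second entry; load_accounts rejects it.
BROKEN_CREDENTIALS_XML = SAMPLE_CREDENTIALS_XML.replace("<folder>Junk</folder>", "")

if __name__ == "__main__":
    for account in load_accounts(SAMPLE_CREDENTIALS_XML):
        print(account.server, account.user, "->", account.folder)
```

Base64 is reversible by design, so this file holds the mailbox passwords in the clear for anyone who can read it: keep it owned by the detector's service account with permissions such as 0600, and prefer an app-specific password where the provider offers one.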
How to analyze Email Headers?
The headers worth reading are the ones the detector already relies on. The Received header written by your own mail server records the IP address the message actually arrived from, and that is the address checked against the real-time blacklist; headers added by earlier hops were written on the sender's side and can be forged. The From and Reply-To headers should belong to the same domain; a mismatch is a warning sign, as described under the features below.
Links in the body deserve the same attention as the headers: a link whose host is an IP address rather than a domain name is covered as its own feature below, and you can see it in the Phishing Examples.
What Makes Email Suspicious?
The fifteen features include the following:
- Popup
Phishing emails carry forms or links to compromised websites, and the attacker may include scripts that open a popup and load a form into it, to trick the user into entering sensitive data. The presence of popup code therefore suggests that the mail may be an attempt to phish sensitive data.
- Text “Verify Account”
If an email contains the text “Verify Account”, “Verify Email”, “Bank”, “Debit”, “fwd”, “reply”, “Click”, “Here”, “login”, “update” or any variant of these, it is worth checking the email for further symptoms of phishing. The presence of these words does not by itself prove a phishing attempt, but they are an easy way to lure people into clicking malicious links.
(iv) onClick attribute:
The onClick attribute of an HTML element can make an element that is not normally clickable (plain text or an image, for example) redirect the user to another URL when it is clicked.
(v) Change of window status
(vi) IP address in URLs
Some phishing attacks are hosted on PCs infected with viruses or malware. The only way to link to such a machine is by its IP address, whereas legitimate email seldom uses links with an IP address as the host. This feature fires when a link's host is an IP address, for example http://101.56.3.48/login.facebook.com/login, where the “login.facebook.com” part is just a path on the attacker's server.
Some people ask, can I get hacked by opening an email? The advice is: do not open suspicious emails. Some people also ask, can I get a virus just by opening an email? The answer is yes, it is possible.
(vii) ReplyTo modification
The attacker may set the Reply-To field to the email address of the legitimate company, so that a user who replies reaches the real company and does not become suspicious about the sender's identity. It is therefore important to check whether the sender (From) address and the Reply-To address differ; if they are in different domains, that helps identify a phishing attempt.
(viii) Number of unique domains in URLs
Legitimate emails link to only one or two domains. If the number of distinct domains is high, the email is probably an attempt to phish data from the receiver.
(ix) Number of words in Subject
Most legitimate emails have fewer than five to ten words in their subject. A large number of words in the subject therefore indicates that the email may be an attempt to phish sensitive data from the user.
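A feature extractor for the indicators in this list, and for the From/Reply-To comparison from the header section above, added here as a worked example; it is not the tool's own code. The page gives no thresholds, so the cut-offs of more than two domains and more than ten subject words are assumptions, as is the reading of “change of window status” as script or event-handler code that assigns window.status (the trick that hides a link's real target in the browser status bar). The two sample messages are constructed, reusing the page's own IP-address link.

```python
"""Extracts the suspicious-mail features (popup, lure words, onClick, window.status,
IP host, Reply-To mismatch, unique domains, subject length) from a raw message."""
import email
import ipaddress
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Lure words from the page; matched as whole words so "here" does not hit "there".
VERIFY_TEXTS = ("verify account", "verify email", "bank", "debit", "fwd", "reply",
                "click", "here", "login", "update")
MAX_DOMAINS, MAX_SUBJECT_WORDS = 2, 10   # assumed cut-offs for features (viii) and (ix)


class _HtmlScan(HTMLParser):
    """Collects link hosts, visible text, inline scripts and event-handler code."""
    def __init__(self):
        super().__init__()
        self.hosts, self.text, self.code, self.onclick = [], [], [], 0
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name == "href" and value:
                host = urlsplit(value).hostname
                if host:
                    self.hosts.append(host)
            elif name.startswith("on") and value:      # onclick, onmouseover, ...
                self.code.append(value)
                self.onclick += name == "onclick"
        self._in_script = tag == "script"

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        (self.code if self._in_script else self.text).append(data)


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _domain(header):
    return parseaddr(str(header or ""))[1].rpartition("@")[2].lower()


def extract_features(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    subject = str(msg["Subject"] or "")
    scan = _HtmlScan()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            scan.feed(part.get_content())
    text = (subject + " " + " ".join(scan.text)).lower()
    reply_to = msg["Reply-To"]
    return {
        "popup": any("window.open" in c for c in scan.code),
        "verify_text": any(re.search(rf"\b{re.escape(k)}\b", text) for k in VERIFY_TEXTS),
        "onclick": scan.onclick > 0,
        "window_status": any("window.status" in c for c in scan.code),
        "ip_url": any(_is_ip(h) for h in scan.hosts),
        "replyto_mismatch": bool(reply_to) and _domain(msg["From"]) != _domain(reply_to),
        "unique_domains": len(set(scan.hosts)),
        "subject_words": len(subject.split()),
    }


def suspicious_flags(features):
    """Names of the indicators that fired: booleans directly, counts via the cut-offs."""
    flags = [k for k, v in features.items() if v is True]
    if features["unique_domains"] > MAX_DOMAINS:
        flags.append("unique_domains")
    if features["subject_words"] > MAX_SUBJECT_WORDS:
        flags.append("subject_words")
    return flags


# Constructed samples: a lure that trips every feature, and a plain internal mail.
PHISH_MAIL = """From: "Bank Security" <alerts@mail-bank-alerts.example>
Reply-To: support@bank.example
To: user@example.com
Subject: Urgent notice: please verify your account today before your access is permanently suspended
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Click <a href="http://101.56.3.48/login.facebook.com/login"
 onclick="window.open('http://203.0.113.9/form.html')">here</a> to verify.</p>
<p><a href="https://cdn.example.net/logo.png">logo</a>
<a href="https://tracking.example.org/s"
 onmouseover="window.status='https://bank.example/'; return true;">statement</a></p>
<script>window.open('http://203.0.113.9/popup.html');</script>
</body></html>
"""
CLEAN_MAIL = """From: bob@example.net
To: user@example.com
Subject: Team lunch Friday
Content-Type: text/html; charset="utf-8"

<html><body><p>See the <a href="https://www.example.com/news">news</a> page.</p></body></html>
"""

if __name__ == "__main__":
    print(suspicious_flags(extract_features(PHISH_MAIL)))
    print(suspicious_flags(extract_features(CLEAN_MAIL)))
```

The features are returned separately from the verdict so they can feed whatever classifier you prefer; a flag count is the simplest, but a single strong indicator such as an IP-address host is usually worth more than the sum of several weak ones like subject length.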
How to report a phishing email?
If you receive a phishing email, forward it to the Anti-Phishing Working Group (APWG) and to the FTC.
Email phishing is a major cyber threat, as discussed above, so be cautious about opening emails from unknown senders and about replying to them.