What is Phishing Email? How to spot it? Best Guide 2020

What is Phishing Email?

A phishing email attempts to fraudulently acquire personal information, such as your account password or credit card information.

The email may look as if it comes from a legitimate source, but it does not. Many email tools, as well as most browser tools, use lists to classify “good” (whitelists) and “bad” (blacklists) sources/senders.

Typically, the blacklists block the IP address of the e-mail (SMTP) server, the sender domain, or even the whole Email address domain of a sender. 

Blocking the IP address or domain can cause problems when the sender uses an SMTP server of any provider, and blocking the whole sender’s email address domain can be inefficient because the source address could be forged.

How to Spot a Phishing Email?

The stage-one classifier validates the text in the mail subject. The mail is marked as either legitimate or spam, based on a keyword match. If it is illegitimate, it is moved to the spam or junk folder.

If it is found to be good, it is passed to the stage-two classifier, which checks the legitimacy of the content. The content is checked for phishing keywords as well as for any embedded image, which is a good indicator of spam email.

The output may be either good mail or spam mail. If invalid, the mail is moved to the spam or junk folder. If legitimate, it is fed as input to the stage-three classifier, where the IP address the mail was received from is checked against the real-time blacklist of Spamhaus.org.

If the received mail is marked as spam, it is moved to the spam or junk folder. Otherwise the mail is legitimate and is delivered directly to the inbox.
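
The three-stage cascade described above, as an added sketch that is not part of the original article or of any tool it describes. The keyword lists, the zen.spamhaus.org zone, the rule that any embedded image fails stage two, and the is_listed callback (a stand-in for the DNS lookup, so the code runs offline) are assumptions.

```python
import re
from email import message_from_string, policy

# Assumed keyword lists and DNSBL zone for this sketch; the page names only Spamhaus.org.
SUBJECT_KEYWORDS = ("verify account", "verify email")
BODY_KEYWORDS = ("click here", "login", "update")
ZONE = "zen.spamhaus.org"
# Constructed stand-in for DNS answers, so the example runs offline.
LISTED = {"7.113.0.203." + ZONE}

def sample(subject, body, ip):
    """Build a constructed test message (reserved .test names, TEST-NET addresses)."""
    return (f"Received: from mta.example.test ([{ip}]) by mx.example.test\n"
            f"From: a@example.test\nSubject: {subject}\n"
            f"Content-Type: text/html; charset=utf-8\n\n{body}\n")

def dnsbl_name(ip):
    """DNSBL query name: the IPv4 octets reversed, followed by the list's zone."""
    return ".".join(reversed(ip.split("."))) + "." + ZONE

def relay_ip(msg):
    """IP in the topmost Received header, the one added last, on the receiving side."""
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", msg.get("Received", ""))
    return m.group(1) if m else None

def classify(raw, is_listed=LISTED.__contains__):
    """Return (verdict, deciding stage); is_listed(name) stands in for the DNS query."""
    msg = message_from_string(raw, policy=policy.default)
    if any(k in msg.get("Subject", "").lower() for k in SUBJECT_KEYWORDS):
        return "spam", 1                      # stage one: subject keywords
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content().lower() if part else ""
    image = "<img" in body or any(p.get_content_maintype() == "image" for p in msg.walk())
    if image or any(k in body for k in BODY_KEYWORDS):
        return "spam", 2                      # stage two: content keywords or image
    ip = relay_ip(msg)
    if ip and is_listed(dnsbl_name(ip)):
        return "spam", 3                      # stage three: sending IP is blacklisted
    return "inbox", 3
```

In a live deployment is_listed would resolve the name in DNS: an answer means the address is listed and NXDOMAIN means it is not. Spamhaus answers in 127.255.255.0/24 are error codes rather than listings.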

How to recognize a phishing Email?

As many emails as possible can be checked for phishing. The user accounts can be configured for any mail server, such as Gmail or Yahoo. For example, Gmail is configured as imap.gmail.com.

Many user accounts can be checked for phishing on the configured mail server. The accounts whose mail is to be checked are configured in the credentials.xml file.

The user id and password are encoded and then updated in the credentials.xml file, separated by a semicolon. Also, the folder where the illegitimate mails are to be moved should be mentioned for each and every user account. These are the signs of a phishing email.

How to analyze Email Headers?

Some phishing attacks are hosted on PCs infected with viruses/Malware. The only way to link to them is by using their IP address.

Legitimate email seldom uses links with an IP address. An example is a link in an email whose host is an IP address (e.g. http://101.56.3.48/login.facebook.com/login). You can see this in the Phishing Examples.

What Makes Email Suspicious?

The fifteen features are listed below:

(i) Popup

Phishing attacks can be found in emails if the attacker inserts any forms or links to compromised websites. The attacker may include scripts that create a popup and then load a form in that popup, to trick the user into entering sensitive data. Hence, the presence of a popup suggests that the mail may be an attempt to phish sensitive data.

(ii) Text “Verify Account”

If an email is found to have the text “Verify Account”, “Verify Email”, “Bank”, “Debit”, “fwd”, “reply”, “Click”, “Here”, “login”, “update” or any of its variants, then it is worth checking the email for further symptoms of phishing. While the presence of these texts does not necessarily indicate a phishing attempt, they are an easy way to lure people into clicking on malicious links.

(iii) JavaScript

JavaScript is normally used to validate forms on websites. Its presence in an email indicates that the email is likely to be malicious, because JavaScript can be used to change the text of a document and so trick users in various ways.

(iv) onClick attribute

The onClick attribute can be used to make an HTML element clickable and redirect the user to another URL, which is normally not possible.

(v) Change of window status

The browser's status-bar text can be changed through the window.status property in JavaScript. This can be used to give the user false information, such as loading content from other websites while showing the legitimate website’s address in the status bar.

(vi) IP address in URLs

Some phishing attacks are hosted on PCs infected with viruses/malware. The only way to link to them is by using their IP address. Legitimate email seldom uses links with an IP address. An example is a link in an email whose host is an IP address (e.g. http://101.56.3.48/login.facebook.com/login).

Some people may ask, “Can I get hacked by opening an email?” The answer is: don’t open suspicious emails. Some people may ask, “Can I get a virus by just opening an email?” The answer is: yes, it is possible.

(vii) ReplyTo modification

The attacker may set the ‘replyto’ field in the email to the email address of the legitimate company, so that the user replies to the legitimate company and does not become suspicious about the sender’s identity. Hence, it is important to check whether the sender address and the ‘reply to’ address are different. If they are from different domains, this helps in identifying phishing attempts.

(viii) Number of unique domains in URLs

Legitimate emails contain links to only one or two domains. If the number is high, the email is probably an attempt to phish user data from the receiver.

(ix) Number of words in Subject

Most legitimate emails have fewer than five to ten words in their subjects. Hence, a large number of words in the subject indicates that the email may be an attempt to phish sensitive data from the user.
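
Features (vi) to (ix) computed from a parsed message, as an added example that is not part of the original article or of any tool it describes. The sample message is constructed, the function and key names are hypothetical, and counting distinct URL host names as "domains" is an assumption.

```python
import ipaddress
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message; every address and host name is a placeholder.
SAMPLE = """\
From: Support <support@mail-example.test>
Reply-To: help@bank-example.test
Subject: Please verify account details today
Content-Type: text/html; charset=utf-8

<a href="http://101.56.3.48/login.facebook.com/login">Log in</a>
<a href="http://cdn.example.test/a">terms</a> <a href="HTTP://CDN.example.test/b">help</a>
"""

class LinkCollector(HTMLParser):
    """Collects the href of every <a> tag in the HTML body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        self.hrefs += [v for k, v in attrs if tag == "a" and k == "href" and v]

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def domain(header_value):
    """Domain part of the address in a From or Reply-To header, lower-cased."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

def extract_features(raw):
    msg = message_from_string(raw, policy=policy.default)
    part, links = msg.get_body(preferencelist=("html", "plain")), LinkCollector()
    links.feed(part.get_content() if part else "")
    # urlsplit().hostname is lower-cased and excludes port and userinfo
    hosts = {h for h in (urlsplit(u).hostname for u in links.hrefs) if h}
    reply_to = domain(msg.get("Reply-To", ""))
    return {
        "ip_urls": sorted(h for h in hosts if is_ip(h)),
        "replyto_differs": bool(reply_to) and reply_to != domain(msg.get("From", "")),
        "unique_domains": len(hosts),
        "subject_words": len(msg.get("Subject", "").split()),
    }
```

Parsing the host with urlsplit rather than searching the URL text is what keeps the facebook.com string in the path of the sample link from being mistaken for the host.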

How to report a phishing email?

If you get a phishing email, forward it to the Anti-Phishing Working Group and the FTC.

In conclusion,

Email phishing is the main cyber threat, as we discussed above. So be more cautious about opening unknown emails and replying to them.