I recently wrote about phishing around the holidays and while I was working on the piece, I noticed a couple of friends posting recent emails on Facebook. I thought it might be fun to dig a bit deeper into those emails and look at the telltale signs that indicate these are phishing attempts.
Signs of Phishing - Example #1
There are a few things that stand out to me with this email that indicate it isn’t valid.
- The Subject line.
- AMAZON is in all caps. This is not the casing that Amazon uses.
- The timestamp is in the future. While it’s entirely true that Amazon may not know your time zone, it’s unlikely that a valid email would ever contain a timestamp that is incorrect, as that causes confusion. In this case, the time stamp is used alongside the word “banned” to create a sense of urgency. When something feels urgent, we tend to rush, which increases the likelihood of someone clicking on a link in this email.
- The From line.
- This email is from [email protected], or rather it looks like it is. This is actually the display name. Looking at this second image makes that much clearer. Additionally, emails from Amazon will typically have an actual display name like “Amazon Answers” or “Amazon Marketplace”.
- The Body
- The grammar and punctuation. “Someone tried to make purchase using your account.” There is no capitalization and “make purchase” is not proper English. One should also question why “security and integrity issues” would lock your account. Similarly, “you should update your information in advice to continue using your account” is not right. What is “in advice?” This is clearly language that has been put through Google Translate or a similar service.
At the end of the day, this email is designed to pressure you to react. The sender hopes that you’ll react quickly out of fear and click the “Go to update” button. With breaches constantly in the news, people are fearful of their data being breached, and everything about this mail is written to play off that fear.
Signs of Phishing - Example #2
In our second example, we have an attempt at someone’s Apple ID. However, we’ll see many of the same mistakes that we saw in the previous Amazon phish. Let’s take a look at them.
- The Subject line
- Why would you get an order confirmed and accepted email letting you know that your account is not secure? The subject just doesn’t match the body of the mail.
- The From line
- While this one isn’t an email address, the display name is not much better. “Apple ID” is not an Apple Service. Why would the email come from that display name? I am an Apple customer, and I’ve never gotten an email from “Apple ID.” When you get an email like this, it is important to ask yourself if you have received an email from this sender before. While the display name isn’t a guarantee that it is the same sender, a display name that you’ve never seen before should definitely be questioned.
- The Body
- Again, we have the grammar issues, and there are a few of them:
- “For your protection, your Apple ID is automatically disabled.”
- “is automatically disabled” simply doesn’t make sense here.
- “We detect unauthorized login attempts.”
- “detect” instead of “detected”
- “concerns we have for the security and integrity of the Apple community.”
- There’s nothing wrong here grammatically, but why would this impact the Apple community?
- “For your protection, your Apple ID is automatically disabled.”
- Again, we have the grammar issues, and there are a few of them:
Again, we have a sense of urgency between the account being disabled and the fact that this is a potential order that you didn’t make. They want you to react quickly out of fear.
Signs of Phishing - Example #3
With this example, you can see that we have a very similar subject line to Example #2 except that this time the subject line is bilingual. The email is from “App Store” this time, another questionable display name given that the body of the email indicates a shipment. There are plenty of clickable links in the body of this mail, giving you plenty of places to be enticed. As with our previous examples, the bad grammar immediately gives this email away with phrases like “Your Order We Have Accepted And Immediately We Process” as well as “Goods Will Be Thought Before …” The fact that each word is capitalized should stand out, but the grammar is atrocious. This is another example of how you can look at the email address and see that it is not legitimate.
I don’t think that a valid email would come from [email protected]. This is a pretty clear indicator that the email is not valid and should be deleted. I hope that after reading this you have a better idea of where to look to identify phishing attempts. There are always other indicators to watch for, but here we’ve highlighted some of the more common mistakes and errors that distinguish phishing emails from valid emails. Remember that the phisher is trying to prey on your baser emotions like fear and greed, emotions that trigger fight or flight and make you react quickly. If you can avoid an emotional reaction and think for a moment, you’ll prevent yourself from a potentially costly mistake.
Meet Fortra™ Your Cybersecurity Ally™
Fortra is creating a simpler, stronger, and more straightforward future for cybersecurity by offering a portfolio of integrated and scalable solutions. Learn more about how Fortra’s portfolio of solutions can benefit your business.