Anatomy of a Phishing Email

If you use email (which, if you’re reading this, you almost certainly do), you’ve probably heard of “phishing”. You’ve most likely also received (but hopefully didn’t fall for) at least one phishing message. Phishing is an online scam, usually conducted over email but sometimes through other communication services, which involves tricking someone into giving away sensitive personal information such as passwords or credit card details. It usually works by masquerading as an email from a bank or other company with a link to a legitimate-looking online form.

The screenshot shown here is an example of an actual phishing email. There are a couple of things to notice: first of all, it says “no-reply@accounts.google.com” under From, but the actual email address is “noreplygoogle2@gmx.com.” A legitimate email would never try to disguise its origin like this. (Keep in mind that even an actual “@google.com” email address wouldn’t necessarily mean it’s legitimate, as that can be faked as well.) Another thing is the date: it indicates that the sign-in attempt took place on Friday, March 31, 2014, and not only was the email sent a day before then, but March 31, 2014 was a Monday. Not every phishing email will contain mistakes like this (in fact most probably don’t), but if nothing else, that should give away that it is clearly not a legitimate automatic email.

[Screenshot: the phishing email discussed above]

This message claims to be from Google and says that my Google account was hijacked. One thing to notice is that the email doesn’t ask me for personal information at all—it simply claims that there’s danger and provides a link to check my account. This adds credibility, as some people (rightly) treat a request for personal information as a red flag. Clicking on the link, however, would most likely take me to what looks like a Google login prompt. The hope (for the scammers) is that victims will quickly enter their login information, eager to protect their account. In actuality, they are entering their details into a fake login prompt, which sends them straight to the scammer.

You can check where a link really leads by putting the cursor over it. This will make the destination URL appear somewhere on the screen. Even if the link text is itself a URL, that doesn’t necessarily mean that’s where the link actually leads. Here’s an example link: http://www.google.com/. That link clearly goes to Google, right? Put the cursor over the link and look for the URL that appears on the screen, probably near the bottom. As you can see, the link actually goes to Yahoo, despite its misleading text.

Now what if that were a link asking you to log in somewhere, you clicked it without paying attention, and it led to a fake page that looks like the real deal? You would probably end up entering your login information and sending it to a scammer. This is how many phishing scams work. The same applies when a message asks you for information directly; in that case the clue is the real From address rather than a link, though pretty much every large company makes it clear that it will never ask you for personal information this way, no matter how legitimate the request may look. This is one foolproof way of identifying a phishing email: look at who it’s really from, and where any links actually go. And every time you’re asked to log in somewhere after clicking a link (even on a Web page), check the address bar before you enter any information.
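As an added example (not part of the original post), here is a small Python script that applies the two checks described above to a constructed sample message: it compares the From display name with the real sender address, and the visible text of each link with where its href actually leads. The sample message, the anchor regex and the check logic are my own construction for illustration.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the message described above: the display
# name claims a google.com sender while the real address is elsewhere, and
# the link text shows one URL while its href points at another.
SAMPLE = b"""From: "no-reply@accounts.google.com" <noreplygoogle2@gmx.com>
To: victim@example.com
Subject: Suspicious sign-in attempt
Content-Type: text/html; charset=utf-8

<html><body><p>Someone signed in to your account. Review it now:</p>
<a href="http://www.yahoo.com/">http://www.google.com/</a></body></html>
"""

# Simple anchor extractor for well-formed markup like the sample (not a full HTML parser)
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def domain_of(addr):
    """Domain part of an email address, lower-cased ('' if none)."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def host_of(url):
    """Hostname of a URL, lower-cased ('' if it does not parse)."""
    return (urlparse(url).hostname or "").lower()

def analyze(raw):
    """Return the red flags found in a raw RFC 5322 message, as strings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    flags = []
    name, addr = parseaddr(msg["From"])
    # A display name that is itself an address from another domain hides the real sender
    if "@" in name and domain_of(name) != domain_of(addr):
        flags.append(f"display name {name!r} hides real sender {addr!r}")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        for href, text in ANCHOR.findall(body.get_content()):
            text = re.sub(r"<[^>]+>", "", text).strip()
            # Link text that is a URL but whose href leads to a different host
            if text.lower().startswith("http") and host_of(text) != host_of(href):
                flags.append(f"link text {text!r} actually goes to {host_of(href)!r}")
    return flags

if __name__ == "__main__":
    for flag in analyze(SAMPLE):
        print("RED FLAG:", flag)
```

Run it on a saved `.eml` file by reading the file as bytes and passing it to `analyze`; a message that sends nothing back is one whose From address and link destinations match what they appear to be.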