Ever gotten an email from a reputable company like Apple, Verizon, or Coinbase, but something feels a bit off about it?
Introduction
Most of us are aware, to some extent, of the danger posed by suspicious emails. But if your inbox is like mine, with 20–30 new emails arriving daily, finding enough time just to skim them is overwhelming, let alone telling which ones are suspect. Seems absurd, right?
How to ID Spam/Phishing Email?
Maybe, like I once did, you naïvely assume bad emails all magically end up in the Junk/Spam folder. But can we really trust our spam filter to catch 'em all? (Even Ash didn't pull that one off.) Perhaps try the latest freemium plugin instead? As if any of us can afford that after rent and bills, right? Not to worry: today I will walk you through an analysis of a real-life malicious email so you can learn to spot suspicious emails on your own! We will focus on two main areas: the preview and the message body.
Check the Preview
Ironically, I received an email earlier today that managed to bypass my spam filter, security add-ons, and custom rules and somehow landed in my Focused Inbox (the equivalent of 'Important' in Gmail). But as soon as I glanced at the preview, red flags started to pop up, including sloppy font styling, a vague subject line, and a deadline in mere hours. Let's take a look.
From this image, we learn the first three of our six useful tips to help ID spam/phishing emails:
- Inconsistent use of font or styling.
- Vague wording, especially in the subject line.
- A sense of urgency, focusing on impending deadlines or dire warnings.
At this point, we already have sufficient circumstantial evidence to justify deleting the email without even opening it. Report the email as junk so that anything from that sender will be filtered automatically; then, delete it to avoid accidentally clicking on it later. Why waste time entertaining spam or potential malware?
Check the Message Body
Now let's assume, for the sake of argument, that we decide to open the email, just to be sure before canning it. Can we expect to see any new red flags, or only some variation of the ones we covered previously? Let's see.
Thanks to this image, we discover the remaining three of our six useful tips to help ID spam/phishing emails:
- Fear of missing out (or any other effort to provoke an emotion-based decision).
- A faded, blurry, or discolored logo or icon.
- Incorrect company details like legal name, address, or contact info.
After the FOMO pitch, the fake Apple Music icon, and the wildly inaccurate company details in the footer, I was positive that Apple did not send this email. A reputable company would never be so sloppy. That being said, now I was curious about the demise someone evidently had in mind for me. What if, half-awake or intoxicated, I had instead chosen to Renew my subscription?
Why Bother to ID Spam/Phishing Email?
It is easy to forget the true nature of what we are up against. Suspicious emails are far more than annoying digital garbage cluttering up our inboxes. One wrong click is all it takes to escalate into a very serious situation.
Disclaimer: Never intentionally interact with suspected spam or malicious content unless you understand the risks and have a valid reason for doing so.
Using extreme caution to avoid actually clicking the link, I combed through the original message using source view, located the embedded URL, and submitted it to VirusTotal for analysis.
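The same "source view" step can be done without a mail client at all. The script below is an added example, not the author's tooling: it parses a raw message, pulls out every embedded link, and checks whether each link's real destination (and the sender's address domain) belongs to the brand the display name claims. The message, the domains and the allowlist are constructed placeholders for illustration. The last helper computes the identifier VirusTotal's v3 API uses for a URL lookup, so the link can be checked there without ever being opened.

```python
"""Triage the links in a suspicious email without clicking any of them.

Added example, not code from the original post. Reproduces the manual
"source view" step: parse the raw message, extract embedded URLs, and compare
where each link really points with who the mail claims to be from.
"""
import base64
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a lookalike "Apple Music" renewal notice. The addresses
# and hostnames are placeholders, not values from the original post.
SAMPLE_EML = b"""\
From: Apple Music <billing@example-notifications.test>
To: victim@example.test
Subject: Final notice
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your subscription expires in 3 hours!</p>
<a href="http://renew-now.example-unrelated.test/login">Renew</a>
<a href="https://www.apple.com/legal/">Terms</a>
</body></html>
"""

# Assumed allowlist of domains the claimed brand legitimately uses.
BRAND_DOMAINS = {"apple": {"apple.com", "icloud.com"}}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self._current = [href, ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data.strip()

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(tuple(self._current))
            self._current = None


def registered_domain(host):
    """Crude eTLD+1 (last two labels); adequate for .com-style hosts."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def extract_links(raw_eml):
    """Return (href, text) pairs from the message's HTML part."""
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    parser = LinkExtractor()
    parser.feed(body.get_content())
    return parser.links


def claimed_brand(raw_eml):
    """Return the brand key named in the From display name, if any."""
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    display = str(msg["From"] or "").lower()
    return next((b for b in BRAND_DOMAINS if b in display), None)


def sender_off_brand(raw_eml):
    """True when the From address domain is not one the claimed brand uses."""
    brand = claimed_brand(raw_eml)
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    _, addr = parseaddr(str(msg["From"] or ""))
    dom = registered_domain(addr.rpartition("@")[2])
    return brand is not None and dom not in BRAND_DOMAINS[brand]


def triage(raw_eml):
    """Flag every link whose real destination is not a domain of the claimed brand."""
    brand = claimed_brand(raw_eml)
    findings = []
    for href, text in extract_links(raw_eml):
        host = urlparse(href).hostname or ""
        off = brand is not None and registered_domain(host) not in BRAND_DOMAINS[brand]
        findings.append({"text": text, "host": host, "off_brand": off})
    return findings


def virustotal_url_id(url):
    """VirusTotal v3 URL identifier: URL-safe base64 of the URL with padding stripped."""
    return base64.urlsafe_b64encode(url.encode()).decode().rstrip("=")


if __name__ == "__main__":
    print("sender off-brand:", sender_off_brand(SAMPLE_EML))
    for f in triage(SAMPLE_EML):
        print("FLAG" if f["off_brand"] else "ok  ", repr(f["text"]), "->", f["host"])
```

Run against the constructed message, the "Renew" button is flagged because it resolves to an unrelated host while the "Terms" link is accepted, and the sender domain is flagged as well. Feed a real `.eml` export through `triage()` and look up each flagged host and the VirusTotal identifier instead of clicking anything.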
Malicious Intent
The verdict was returned in under a minute, with vendor flags thrown for malicious content and phishing.
We see that two hits are returned, labeling the URL as phishing and malicious and confirming our suspicions that the email is spammy at best or, worse, blatantly malicious.
Hostile Takeovers
Digging deeper into the analysis, we can better understand what happens after the embedded link is clicked.
Behind the scenes, chaos quietly ensues as the malware deletes trusted/disallowed certificate lists on the victim's computer, limiting secure authentication and leaving a foothold for further exploits.
Global Threat Actors
One last noteworthy item is the actual destination of the link from the email. Check it out.
Far removed from any domain associated with Apple, it rather belongs to a ball-bearing manufacturer in India. Clearly, the rabbit hole goes very deep, far beyond even my expectations. Okay, on that note, let's recap.
Summary
So the next time those unread emails start piling up, apply what we learned today. Scan the previews, look for red flags, and deal with any obvious spam first.
In the Preview
🚩- Visible changes in font size and thickness.
🚩- Unclear or vague origin and subject line.
🚩- Deadline in a few hours to trigger a rushed response.
If the email seems legit, the next step is to open it and read it, staying on guard for anything suspicious.
In the Message Body
🚩- Fear of Missing Out (FOMO) or a similar emotional grab.
🚩- Icons or logos that appear fuzzy, modified, or discolored.
🚩- Wrong company name, address, or contact info.
Most importantly, do not click on any links! Always trust but verify. With the exception of security emails, such as those you get when registering a new account, always use the official website or app to log in directly, not an email link. Once you know the email is real, you can focus on handling any business related to its content.
In other words, at the risk of sounding cliché, better to be safe than sorry!
-- killshot13
Don't forget to 💖 this article and leave a 🗨️; I look forward to reading your thoughts and opinions in the comments below.
Image Credit: Header image (@theRealAppleMusic) was adapted from "UnKnown Caller" by Rick Patin, used under CC BY 4.0. "@theRealAppleMusic" is licensed under CC BY 4.0 by Michael R.