
Tips for Spotting a Phishing Email

Every day, users are targeted with phishing emails from all around the world.  These emails range from overtly "spammy" and easy to detect to quite sophisticated and difficult to notice.  We have found that this is typically the least defended position in an organization, as well as one of the easiest to exploit.  Even organizations with millions of dollars worth of network security equipment can be compromised if a single user clicks on a malicious link.  Here are some tips and tricks for spotting phishing emails:

Do You Know the Sender?

Two parts of an email make up the "sender" portion: the "From" field and the "Reply-To" address.  The "From" field identifies the name of the person who sent the email, and it can easily be spoofed.  The "Reply-To" address is the email address that will receive your message if you reply.  This cannot be spoofed; therefore, what you see is where your reply will be sent.  For example, the following headers show the "From" and "Reply-To" fields in this phishing email: [image: phish-headers]

Outlook displays the following information: [image: phish-outlook]

If an email purports to be from a well-known brand or company, but the actual email address does not look like one that company would use (USPS <info (at)>), then the email should be deleted.

Is This Something You Expected?

Let's say you received an email from UPS stating that a package was undeliverable.  Ask yourself: were you expecting a package, or did you order anything?  More often than not, the justification for receiving a phishing email simply won't make sense.  Another type of phishing email claims to be from a financial institution.  The email might appear to be from a bank, or it might request account or credit card information.  Ask yourself, "Do I actually have an account with this bank?"  If not, it is probably a phishing scam and should be deleted.  If emails such as these contain very specific information about you, or lead you to believe that you may have inadvertently been compromised, check your credit report and make sure no new accounts have been opened in your name.

Did Your Systems Flag This as Suspicious?


Many times email clients do a pretty good job of recognizing spam.  More often than not, you should trust the email client’s recommendations, and delete these messages.  As you can see in the photo above, Outlook recognized this email as spam and moved it to the junk mail folder.  This automatically prevents images from being downloaded, and blocks any links that may be in the email.

Are There Grammar Mistakes?

Emails from large corporations go through rigorous proofreading and grammar checks.  This does not mean they will never contain mistakes; however, mistakes are unlikely and usually very few in number.

Our courier couldnt make the delivery of parcel to you at 20th April.

Notice in the above example that there is no apostrophe in “couldn’t” and the word “the” is missing before “parcel”.  These errors are dead giveaways.  Additionally, the US is one of the only countries in the world that uses the MMDDYYYY format for dates.  This email used DDMM format which is common throughout the rest of the world.  This wouldn’t have come from the USPS.

Is a File Attached?

Many phishing emails attempt to get the user to open malicious files.  Most email systems block files with executable program extensions (such as .exe or .bat); however, there are many known vulnerabilities in other well-known file types, such as Adobe document formats.  Attackers may also try to hide malicious files inside a ZIP file.  Flags should be raised any time an unexpected email arrives with attachments, especially if the email matches any of the other signs listed in this article.

Does The Email Ask for Personal Information?

Financial institutions will never ask for personal information in an email.  They will also never ask for a password at any time, whether via email or on the phone.  Most phishing emails attempt to glean some sort of personal information, ranging from something as simple as getting a user to respond (which confirms the address is valid) to asking for usernames and passwords or banking information.  Sometimes an attacker asks for the information directly in the email, but most link to a separate file or web page that asks the user for it.  Guard this information well.  If you have to ask yourself, "Shouldn't this organization already know that information about me?" then the email is likely a scam.

Are There Links In The Email?

Before ever clicking a link in any email from anyone, first hover over the link to see whether the URL shown in the ToolTip matches the link text you see, and make sure the URL is something you recognize.  If it is not a .com URL, then I would be highly suspicious.  The email below says it is from USPS; however, look at the URL when we hover over the link: [image: phish-url]


Checking URLs in an email should become second nature, otherwise, you will eventually click a malicious link.  Another item of note is that, even if you recognize the URL, any URL that ends in .php should automatically require extra scrutiny.
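The sender, attachment and link checks described in the sections above ("Do You Know the Sender?", "Is a File Attached?" and "Are There Links In The Email?") as one worked example.  This is added here and is not code from the original article: it parses a constructed sample message (reserved .test domains, not a real phish) with Python's standard email and html.parser modules and reports each sign it finds.  The brand-to-domain table, the set of flagged extensions and the sample addresses are assumptions chosen for the example.

```python
import os
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed brand-to-domain table (extend it for the brands your users deal with).
BRAND_DOMAINS = {"usps": {"usps.com"}, "ups": {"ups.com"}}
# Extensions the article calls out: executables, archives that hide them, Adobe documents.
RISKY_EXTENSIONS = {".exe", ".bat", ".zip", ".pdf"}
# Visible link text that itself looks like a URL or a bare domain name.
URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#]|$)", re.I)

# Constructed sample message for this example; the body text is the article's own.
SAMPLE_EML = """\
From: "USPS" <info@parcel-notify.test>
Reply-To: claims@parcel-notify.test
To: user@example.com
Subject: Undelivered parcel notification
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Our courier couldnt make the delivery of parcel to you at 20th April.</p>
<p><a href="http://track-parcel.test/redirect.php?id=1">https://www.usps.com/track</a></p>
</body></html>
--b1
Content-Type: application/zip
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="shipping_label.zip"

UEsDBAoAAAAAAA==
--b1--
"""


def _host_matches(host, domains):
    """True if host is one of the domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs, i.e. what hovering over each link would reveal."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_sender(msg):
    """Compare the displayed sender name with the real From and Reply-To addresses."""
    findings = []
    name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    for brand, domains in BRAND_DOMAINS.items():
        if re.search(r"\b%s\b" % re.escape(brand), name, re.I) and not _host_matches(from_domain, domains):
            findings.append("From name claims %r but the address domain is %s" % (name, from_domain))
    if reply_addr and reply_addr.lower() != from_addr.lower():
        findings.append("Reply-To (%s) differs from From (%s)" % (reply_addr, from_addr))
    return findings


def check_attachments(msg):
    """Flag attachments whose extension is in the watch list."""
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        ext = os.path.splitext(filename)[1].lower()
        if ext in RISKY_EXTENSIONS:
            findings.append("attachment %s has flagged extension %s" % (filename, ext))
    return findings


def check_links(msg):
    """Flag links whose text and target disagree, non-.com hosts, and .php paths."""
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = _LinkCollector()
        collector.feed(part.get_content())
        for href, text in collector.links:
            target = urlparse(href)
            host = (target.hostname or "").lower()
            if URL_LIKE.match(text):  # only compare when the visible text itself looks like a URL
                shown = (urlparse(text if "://" in text else "http://" + text).hostname or "").lower()
                if shown != host:
                    findings.append("link text shows %s but points to %s" % (shown, host))
            if host and not host.endswith(".com"):
                findings.append("link host %s is not a .com domain" % host)
            if target.path.lower().endswith(".php"):
                findings.append("link path %s ends in .php" % target.path)
    return findings


def analyze(raw_message):
    """Run every check over a raw RFC 5322 message; returns findings keyed by section."""
    msg = message_from_string(raw_message, policy=policy.default)
    return {"sender": check_sender(msg), "attachments": check_attachments(msg), "links": check_links(msg)}


if __name__ == "__main__":
    for section, hits in analyze(SAMPLE_EML).items():
        for hit in hits:
            print("[%s] %s" % (section, hit))
```

Run against the sample, the script reports the brand/domain mismatch and the differing Reply-To, the ZIP attachment, and three link findings (text shows www.usps.com but the target is track-parcel.test, the host is not .com, and the path ends in .php).  A message from the brand's real domain with no attachments or links produces no findings at all, which is the point of the checklist: each sign on its own is a reason to slow down, and several together are a reason to delete.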


Once you learn what typical phishing emails are made of, your ability to spot one will improve significantly.  Phishers can become sophisticated when they specifically target individuals or organizations, and those emails take a great deal of acumen to spot.  However, phishing typically follows the 80/20 rule: you spend 20% of your effort to spot over 80% of phishing emails.  According to Symantec, 1 in 392 emails contains a phishing attack.  They are not uncommon, and if successful, they can be very dangerous.  Stay vigilant.


Internet Explorer Zero Day – Emergency Patch Released, includes XP

UPDATED 5/1/2014: Microsoft has released an emergency out-of-band update for Internet Explorer that resolves this issue.  The update also covers IE on Windows XP.  We recommend deploying this update as soon as possible.

Microsoft released an advisory on April 26th:

Microsoft is aware of limited, targeted attacks that attempt to exploit a vulnerability in Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11.

The vulnerability is a remote code execution vulnerability. The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.

On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs.

Mitigation Steps (Details on TechNet):

  • Install EMET.  According to FireEye, "EMET versions 4.1 and 5.0 break (and/or detect) the exploit in our tests."
  • Also according to FireEye, "Enhanced Protected Mode in IE breaks the exploit in our tests."  Keep in mind that Enhanced Protected Mode in IE can break some plugins.
  • Disable Flash.  The vulnerability is not a Flash vulnerability, but Flash is required to exploit it.
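The mitigation steps above as a local audit script, added here and not part of the advisory or of Microsoft's or FireEye's tooling.  It reports which of the three workarounds (EMET, Enhanced Protected Mode, Flash disabled) do not appear to be in place and whether the machine is still on Windows XP.  The registry locations are assumptions to verify against Microsoft's documentation for your IE version: the Isolation = PMEM value under the per-user Internet Explorer\Main key for Enhanced Protected Mode, the Flash ActiveX CLSID and its kill bit (Compatibility Flags 0x400) for "disable Flash", and the uninstall registry display name for EMET.

```powershell
# Added audit example (assumptions noted inline); run in an elevated PowerShell session.
$findings = @()

# 1. Windows XP reports kernel version 5.1 (5.2 for XP x64); anything 5.x is out of support.
$os = Get-WmiObject Win32_OperatingSystem
if ($os.Version -like '5.*') {
    $findings += "OS is $($os.Caption) ($($os.Version)): out of support, upgrade required"
}

# 2. Enhanced Protected Mode (IE10/IE11).  Assumption: reflected by the Isolation value
#    under HKCU:\Software\Microsoft\Internet Explorer\Main being 'PMEM'.
$ieMain = Get-ItemProperty 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue
if ($ieMain.Isolation -ne 'PMEM') {
    $findings += "Enhanced Protected Mode not enabled (Isolation = '$($ieMain.Isolation)')"
}

# 3. EMET presence.  Assumption: the installer registers an uninstall entry whose
#    DisplayName contains 'Enhanced Mitigation Experience Toolkit'.
$uninstallKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$emet = Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Enhanced Mitigation Experience Toolkit*' }
if (-not $emet) {
    $findings += 'EMET is not installed'
}

# 4. Flash disabled in IE.  Assumption: the Shockwave Flash ActiveX control uses the CLSID
#    below, and setting its kill bit (Compatibility Flags = 0x400) prevents IE from loading it.
$flashClsid = '{D27CDB6E-AE6D-11cf-96B8-444553540000}'
$killBitKey = "HKLM:\Software\Microsoft\Internet Explorer\ActiveX Compatibility\$flashClsid"
$flags = (Get-ItemProperty $killBitKey -ErrorAction SilentlyContinue).'Compatibility Flags'
if (-not $flags -or ($flags -band 0x400) -eq 0) {
    $findings += 'Flash ActiveX control is not kill-bitted in IE'
}

if ($findings.Count -eq 0) {
    Write-Output 'All listed mitigations appear to be in place'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

The script only reads the registry and WMI; it changes nothing.  Use it to find the machines that still need the workarounds (or, once the out-of-band update is available, the patch itself), and treat any "OS is ... 5.x" finding as the item to fix first, since no workaround substitutes for a supported platform.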


For organizations and users who have not upgraded from Windows XP, this vulnerability does affect IE6 through IE8, which can run on Windows XP.  Windows XP will not be receiving updates, as it is now out of support.  It is critical that organizations upgrade from Windows XP.