Gokhan Arik

How to identify a Phishing Email

I’m sure you have received a scam email at least once in your life. A couple of days ago I received a well-designed phishing email, and I was explaining to my wife the techniques used in it to make it look more realistic. For people in the information technology field it is easier to spot these emails, but that might not be the case for everyone.

Scammers are getting increasingly sophisticated in their attempts and use different techniques to trick you into clicking a malicious link. In this post, I will use the email I received as an example and share a few tips for recognizing phishing emails.

Figure 1 — A screenshot of the phishing email I received.

1. Title

The odd font in the title might be easy to notice. But when you noticed it, did you stop and question the email, or just ignore it? I ignored it when I first received the email. If you look closely (Figure 2), you will notice that the letters “p”, “s” and “d” don’t match the rest of the title. The letter that looks like “p” is actually the Greek character “ρ” (rho).

Figure 2 — Title (zoomed in)

Why do scammers do this? Email providers actively filter emails and look for known patterns. This is not my area of expertise, but I assume they do this to avoid being caught by spam filters.
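The look-alike letters in the title are homoglyphs: characters from another script that render almost identically to Latin letters, so a keyword filter looking for “Apple” never matches. Unicode normalization does not fold them back, but the character’s script does give them away. The following is an added example (not code from the original post) that flags letters whose script differs from the rest of the subject line; the two sample subjects are constructed for the demonstration and are not the text of the email the author received.

```python
import unicodedata

# Constructed sample subject lines (not the text of the original email): the
# second swaps the Latin "p" for Greek rho and the Latin "s" for Cyrillic dze.
GENUINE_SUBJECT = "Your Apple ID has been locked"
SPOOFED_SUBJECT = "Your A\u03c1ple ID ha\u0455 been locked"


def script_of(ch):
    """Coarse script label taken from the character's Unicode name
    (e.g. 'GREEK SMALL LETTER RHO' -> 'GREEK'); None for scripts not listed."""
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "GREEK", "CYRILLIC", "ARMENIAN"):
        if name.startswith(script):
            return script
    return None


def find_foreign_letters(text):
    """Return (position, char, Unicode name) for every letter whose script differs
    from the dominant script of the text. Digits, spaces and punctuation are
    ignored, so an ordinary English subject produces an empty list."""
    letters = [(i, ch, script_of(ch)) for i, ch in enumerate(text) if ch.isalpha()]
    scripts = [s for _, _, s in letters if s]
    if not scripts:
        return []
    dominant = max(set(scripts), key=scripts.count)
    return [(i, ch, unicodedata.name(ch)) for i, ch, s in letters if s and s != dominant]


def is_mixed_script(text):
    """True when the text mixes scripts, the signature of a homoglyph substitution."""
    return bool(find_foreign_letters(text))


if __name__ == "__main__":
    for subject in (GENUINE_SUBJECT, SPOOFED_SUBJECT):
        print(repr(subject), "->", find_foreign_letters(subject))
```

Run it and the spoofed subject reports the Greek rho at position 6 and the Cyrillic dze at position 16 while the genuine one reports nothing. A mail filter can apply the same test to the subject and sender display name; a legitimate English-language notification has no reason to mix scripts inside a single word.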

2. From

Every email has From and To fields that identify the sender and the receiver. It is not hard to send an email with a forged From field. In this case, the scammer starts the field with “no-reply” and fills the rest with random characters. A no-reply address in a legitimate email looks like “noreply@domain.com” or something similar, where “domain.com” is the web address of the company.

3. To

This trick is probably the most interesting one. In a genuine email, the To field is the address of the receiver. In this case, it is supposed to contain my email address or say “Me”, as Yahoo does.

Figure 3 — To field title with misleading information

How did the scammer manage to put “support@apple.com” in the To field?

Both the From and To fields can carry an optional display name (title) alongside the email address. In a real email, the To field would look like John Smith <john@example.com>. The scammer, however, places “support@apple.com” where John Smith would be, as the display name, and this makes you think the email was sent from Apple Support. One thing I noticed is that this trick didn’t work in my smartphone app.

4. URL

Almost 99% of phishing emails have only one goal: to make you click a link. The link they send you usually mimics the company’s website and contains a form so they can make you hand over your personal information, login credentials, etc. In this case, the URL looks real because it ends with apple.com. This trick is similar to the “To” field trick: the visible text of the link is legitimate, but the actual web address it points to is not the one shown. On a computer, if you hover over the link, you will see the actual address in the bottom left corner of your browser (Arrow 5 in Figure 1). You should avoid clicking links if you don’t know the sender.
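Sections 2, 3 and 4 all describe the same pattern: a trustworthy-looking label placed in front of an untrustworthy value, whether it is a display name in front of an address or link text in front of an href. The checks below, an added example rather than code from the original post, parse a raw message with Python’s standard email and HTML parsers and report each place where the label and the underlying value disagree. The message, its addresses and its link are constructed placeholders, not values from the email the author received; note that a display name containing “@” has to be quoted to be a valid header, which is how it appears here.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed raw message modelled on the tricks described above; every address,
# domain and link here is a placeholder, not taken from the original email.
SAMPLE_EMAIL = """\
From: no-reply-x7f2k9 <no-reply-x7f2k9@mail-placeholder.example>
To: "support@apple.com" <undisclosed-recipients@mail-placeholder.example>
Subject: Your Apple ID has been locked
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please verify your account:
<a href="http://login-verify.example.net/apple">https://appleid.apple.com/account</a></p>
</body></html>
"""

EMAIL_LIKE = re.compile(r"[^@\s<>]+@[^@\s<>]+\.[^@\s<>]+")
URL_LIKE = re.compile(r"^(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:[/?#]|$)", re.I)


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def check_header(raw_header):
    """Flag a display name that is itself an email address on a different domain
    than the real address (the 'support@apple.com' To-field trick)."""
    name, addr = parseaddr(raw_header)
    if EMAIL_LIKE.fullmatch(name.strip()) and domain_of(name) != domain_of(addr):
        return f"display name {name!r} hides real address {addr!r}"
    return None


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_link(href, text):
    """Flag link text that looks like a URL whose host differs from the href's host."""
    if not URL_LIKE.match(text):
        return None  # plain words such as "Verify now" cannot be compared
    shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
    actual = urlparse(href).hostname or ""
    if shown and actual and shown.lower() != actual.lower():
        return f"link text shows {shown} but points to {actual}"
    return None


def analyse(raw_message):
    """Return human-readable findings for the From, To and link checks."""
    msg = message_from_string(raw_message)
    findings = [f"From: real sender domain is {domain_of(parseaddr(msg.get('From', ''))[1])}"]
    for header in ("From", "To"):
        finding = check_header(msg.get(header, ""))
        if finding:
            findings.append(f"{header}: {finding}")
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    for href, text in collector.links:
        finding = check_link(href, text)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for line in analyse(SAMPLE_EMAIL):
        print(line)
```

For the sample message this prints the sender’s real domain (the value to compare with the company’s own domain, as section 2 advises), the To-field display name that is hiding the real recipient address, and the link whose text names appleid.apple.com while its href points somewhere else. The hover check the post recommends is what check_link does mechanically: it compares the host the reader sees with the host the browser would actually open.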

Imagine you are working on your computer or watching videos on your phone while having lunch. All of a sudden your phone vibrates, you look at the notification and see an email titled “Your Apple ID has been locked”. This could put you in panic mode. The things I listed above might seem simple and easy to spot; however, when you are panicking, you might not pay attention to those small details.
