Beware, trap! How to spot spam and phishing emails
Written by Barbara Aßmann
Spam emails flood our inboxes with unsolicited advertisements and dubious offers, while phishing emails specifically target sensitive information such as passwords and credit card numbers by posing as trusted sources.
The good news is that there are usually clear indicators to help us spot these 'fake emails' and avoid falling for them.
In this article, you will learn what to look for to navigate the email world safely and protect yourself from these digital threats. Let's go through the most important characteristics so that you can recognise suspicious emails at a glance.
What exactly are spam and phishing emails?
As mentioned above, spam emails are annoying advertising messages that flood inboxes and are difficult to prevent. Email addresses that are publicly available in the imprint or on contact pages can easily be harvested and misused. Participating in competitions or providing data to dubious providers also often results in email addresses and telephone numbers being sold on. Although simple spam emails are usually harmless, they are still annoying and unnecessary.
Phishing emails are a different matter. They are not harmless: a single click can hand an attacker your login details, install malware on your computer or, in the worst case, empty your bank account. And phishing emails are now often so well made that they are hard to tell apart from genuine emails, or even from harmless spam.
The term "phishing" is a play on the word "fishing". The idea is the same: the attacker casts out bait (a convincing email) and waits for someone to bite by revealing sensitive information such as passwords, credit card numbers or personal identification.
Fun fact about the term ‘spam’:
The term "spam" originates from a Monty Python sketch titled "Spam", which aired in 1970. In the sketch, diners in a café are confronted with a menu in which almost every dish contains Spam, a canned meat product by Hormel Foods. The word is repeated so often, by the waitress reciting the menu and by a chorus of Vikings singing it, that it drowns out everything else and becomes absurd and annoying. This overwhelming repetition served as a comedic portrayal of unwanted and intrusive content.
In the early days of the internet, particularly in the 1990s, the term began to be used to describe unsolicited, irrelevant, or excessive messages sent via email, chat rooms, and other online platforms. Just like the overwhelming presence of Spam in the Monty Python sketch, these unwanted messages cluttered inboxes and were often annoying to users.
Let's first take a look at the various techniques used in phishing emails:
Phishing email techniques
Phishing emails use a combination of social and technical tactics to deceive recipients and steal sensitive information. Here are the main approaches behind phishing emails:
Social Engineering
Appear trustworthy:
Phishing emails appear to come from trusted sources such as banks, online services or government agencies.
Create urgency:
By creating a sense of urgency (e.g. 'Your account has been frozen'), recipients are put under pressure to act immediately without thinking.
Exploiting emotions:
Fear, curiosity, greed or simply the wish to be helpful are exploited to get the recipient to respond to the email.
Spoofing
Email spoofing:
The sender address is spoofed to make the email appear to come from a trusted source. The 'From' field is just text chosen by the sender; nothing in the email protocol itself checks it, so it can display any address (only the SPF, DKIM and DMARC checks described later can expose this). A cheaper variant is display-name spoofing: the address is the attacker's own, but the visible name says 'PayPal' or 'Your Bank', which is all most mail apps show on a phone.
Website spoofing:
The links in the email lead to fake websites, which often look almost identical to the real websites. These sites collect information entered, such as usernames and passwords.
Technical manipulation
Homograph attacks:
Using similar-looking characters in URLs to mimic legitimate websites. The simplest form swaps an ASCII character (e.g. 'paypa1.com' with the digit one instead of 'paypal.com'); a true homograph attack uses characters from other alphabets that look identical, such as a Cyrillic 'а' in place of the Latin 'a', which the browser encodes as a 'xn--' (punycode) domain behind the scenes.
Embedded links:
Links included in the email may appear to be a legitimate URL, but redirect the user to a bogus website.
Malicious attachments:
Phishing emails may contain attachments that contain malware or viruses. Opening these attachments may install malicious software on the user's computer.
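As an added example that is not part of the original article, here is a small Python checker for the link tricks described above: digit and Unicode look-alikes, punycode-encoded ('xn--') domains, and a brand name hidden in a subdomain of an unrelated domain. The list of protected brands and the confusables table are assumptions made for this example; a real checker would load the full Unicode confusables table and use the Public Suffix List instead of the two-label shortcut shown here.

```python
import re
import unicodedata
from urllib.parse import urlsplit

# Brands to protect: a hypothetical list for this example.
PROTECTED = {"paypal.com", "apple.com", "google.com"}

# Characters commonly substituted for Latin letters. A production checker
# would load the full Unicode confusables table (UTS #39) instead.
CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic а е о р
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",  # Cyrillic с у х і
    "\u03b1": "a", "\u03bf": "o", "\u03c1": "p",                  # Greek α ο ρ
    "\u0131": "i", "\u0261": "g",                                  # dotless ı, script ɡ
}


def hostname(url):
    """Host part of a URL, lower-cased, with punycode (xn--) labels decoded
    so that Unicode look-alikes become visible."""
    if "://" not in url:
        url = "http://" + url
    host = (urlsplit(url).hostname or "").rstrip(".")
    try:
        host = host.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already Unicode, or malformed punycode: keep it as it is
    return host.lower()


def skeleton(host):
    """Fold a host name to the ASCII it imitates: NFKC removes full-width and
    compatibility forms, then each confusable is mapped to its target letter."""
    host = unicodedata.normalize("NFKC", host)
    return "".join(CONFUSABLES.get(ch, ch) for ch in host)


def registrable_domain(host):
    """Simplification: the last two labels. Use the Public Suffix List in
    production so that names such as example.co.uk are handled correctly."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify_url(url):
    """Return (verdict, matched_domain). Verdicts: legitimate, lookalike,
    brand-in-subdomain, unknown."""
    host = hostname(url)
    reg = registrable_domain(host)
    if reg in PROTECTED:
        return "legitimate", reg
    folded = registrable_domain(skeleton(host))
    if folded in PROTECTED:
        return "lookalike", folded
    # Brand name used as a label or hyphenated token of an unrelated domain,
    # e.g. paypal.com.secure-login.example or secure-paypal-login.example.
    tokens = set(re.split(r"[.-]", skeleton(host)))
    for brand in sorted(PROTECTED):
        if brand.split(".")[0] in tokens:
            return "brand-in-subdomain", brand
    return "unknown", reg
```

Try it with classify_url("https://paypa1.com/login") or a host containing a Cyrillic 'а'. Note that a checker like this only catches imitations of brands it knows about; the safer habit from the measures section below still applies: type the address yourself rather than judging a link by eye.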
Keylogging and screen scraping
Keyloggers:
Malware that records keystrokes can be distributed through phishing emails. This software captures everything the user types, including passwords and credit card numbers.
Screen scraping:
Malware can take screenshots of the user's activity and capture sensitive information.
Man-in-the-Middle (MITM)
Adversary in the middle:
In some cases the phishing site is not a static copy but a reverse proxy that relays everything you type to the legitimate website in real time and passes the real site's responses back to you. The attacker sees the whole exchange, including any one-time code you enter, and can take over the resulting session. This is why a code sent by SMS or shown in an authenticator app protects against stolen passwords but not against this kind of phishing.
Phishing kits
Easy access:
Ready-made phishing kits are available for use by cybercriminals. These kits contain pre-made phishing pages and instructions to make them easier to access for less technically skilled attackers.
Specific examples of phishing emails
These days, phishing emails flood our inboxes every day. Sometimes they are easy to spot because you don't have an account with the bank in question or you haven't bought anything from the supposed web shop. More often, though, they look deceptively genuine and prey on users' insecurities to obtain sensitive information.
A few examples of typical phishing emails:
Bank account frozen
- Subject line: 'Important message: Your account has been temporarily suspended'
- Content: Request to click on a link to unfreeze the account
- Characteristics: Link leads to a fake website that looks like the bank's real website
PayPal verification
- Subject: 'Your PayPal account has been suspended'
- Content: Request to confirm payment details to unblock the account
- Characteristics: Sender address similar to, but not exactly, '@paypal.com'
Tax refund
- Subject: 'Your tax refund is waiting'
- Content: Request for personal details to receive a supposed refund
- Characteristics: Professional-looking but fake logos and links
Email storage space full
- Subject line: 'Your mailbox is almost full!'
- Content: Invitation to click on a link to expand storage space
- Characteristics: Link leads to a fake page that looks like the email provider's login page
Apple ID security issue
- Subject: 'Your Apple ID has been suspended'
- Content: Request to click on a link and confirm identity
- Characteristics: Fake sender address, link leads to phishing site
Parcel delivery
- Subject line: 'Your shipment could not be delivered'
- Content: Request to confirm delivery address via link
- Characteristics: Sender address mimics a parcel service's domain, often with misspellings
Suspicious activity on social media account
- Subject: 'Unusual attempt to log in to your Facebook account'
- Content: Request to verify account via a provided link
- Characteristics: Link leads to fake login page that captures your credentials
Lottery notification
- Subject: 'Congratulations! You've won!'
- Content: Request for personal information for 'prize delivery'
- Characteristics: Promise of a prize without prior participation
The main characteristics of phishing emails are as follows:
Urgency
They often claim that urgent action is required, e.g. ‘Your account has been suspended’
Known senders faked:
They look like they come from well-known companies or people, but the email address is often not quite right.
Links to fake websites:
The email contains links to fake websites that look very similar to the real ones, but are designed to steal your login details.
Attachment with malware:
Some phishing emails contain attachments that can install malicious software when opened.
Grammar and spelling mistakes:
Many phishing emails contain obvious spelling mistakes.
Impersonal salutation
The salutation in phishing emails is often very impersonal and general, such as 'Dear Customer' or simply 'Hello'.
13 concrete measures against phishing emails
What can you do to spot phishing emails and avoid falling for these nasty tricks?
Here are 13 specific steps you can take to ensure that phishing emails don't do you any harm. Each of these steps helps you verify the authenticity of an email and avoid potential dangers.
Do not open any links directly from the email.
Example: If you receive an email from your bank asking you to change your password, do not click directly on the link in the email. Instead, visit your bank's official website by typing the URL into your browser manually.
Verify with the sender through another channel
Example: If you receive a suspicious email from a colleague or known contact, call the person or send a new email to their known address to verify the request. Do not simply reply to the suspicious email: a reply goes to whatever 'Reply-To' address the attacker set.
Check the links using reputation tools
Example: Use tools like VirusTotal or PhishTank to check suspicious links before you click on them. Copy the link from the email (right-click, copy link address, rather than clicking it) and paste it into one of these tools. Two caveats: a 'clean' result does not prove a link is safe, because freshly registered phishing sites are often unknown to these services, and links that contain a personal token should not be submitted to a public service.
Check the email header
Example: Look at the email header to see whether the sender address is authentic and whether the servers used to send the email are suspicious. If you receive an email from 'support@yourbank.com' but the actual sending server is 'spamserver.com' and the authentication checks fail, it is most likely phishing.
How this works in detail is explained in the detour on checking email headers at the end of this article.
Do not open attachments without thinking
Example: Do not open attachments from unknown senders or suspicious emails. Even if the sender is known, but the attachment seems unexpected or suspicious, ask the sender before opening the attachment.
Use anti-virus software.
Example: Keep your anti-virus and anti-malware software up to date so that it can automatically detect and block potential threats.
Enable two-factor authentication (2FA)
Example: Activate 2FA for all important accounts such as email, bank and social media. Even if an attacker knows your password, they won't be able to access your account without the second factor. Codes sent by SMS are better than nothing, but they can be phished along with the password by a proxy-style phishing site; an authenticator app is stronger, and a hardware security key or passkey is strongest, because it only works on the genuine website.
Use secure passwords
Example: Use strong and unique passwords for each of your accounts, so that a password captured on one phishing site does not unlock your other accounts. A password manager helps you manage them and, as a bonus, will not offer to fill in your bank password on a look-alike domain. Changing passwords on a fixed schedule is no longer recommended; change a password when you suspect it has been phished or leaked.
Be suspicious of emails with spelling and grammar mistakes
Example: Look out for poor grammar or unusual wording in the email. Reputable companies take care to use correct language in their emails. The reverse is not true, though: flawless language is no proof of authenticity, as many phishing emails today are well written.
Report suspicious emails as spam
Example: If you receive a suspicious email, mark it as spam or junk. This helps your email provider to improve its filters and protect other users.
Do not disclose any personal information.
Example: Reputable companies will never ask for sensitive information such as passwords or credit card numbers by email. Never disclose such information by email.
Check the email sender address
Example: Note the exact spelling of the sender's address. Phishing emails often use slightly modified versions of real addresses (e.g. ‘info@paypa1.com’ instead of ‘info@paypal.com’).
Keep your browser and software up to date.
Example: Make sure that your web browser, operating system and all installed programs are always up to date, so that a malicious attachment or link cannot exploit a known security vulnerability that has already been fixed.
A quick detour: Checking email headers
How can I access the email header?
The exact procedure depends on the email programme you are using. Here are the steps for some of the most common email services and programmes:
Gmail (web version)
- Open the email you want to examine.
- Click the three vertical dots (More) next to the reply arrow in the top-right corner of the email.
- Select ‘View original’.
- A new window will open displaying the full email header.
Outlook (web version)
- Open the email you want to investigate.
- Click the three dots (More actions) in the top-right corner of the email.
- Select ‘View message details’.
- A new window will open with the email header information.
Outlook (desktop version)
- Double-click the email you want to investigate. The email will open in a new window.
- At the top of that window, go to File > Properties.
- The email header is shown in the 'Internet headers' box at the bottom of the Properties dialog.
Apple Mail
- Open the email you want to examine.
- Go to 'View' in the top menu.
- Select 'Message' and then 'All Headers'.
Thunderbird
- Open the email you want to investigate.
- Go to ‘View’ in the top menu.
- Select ‘Headers’ and then ‘All.’
Analyse email headers
The email header contains a lot of information. Here are the most important fields:
- Received: One line per server that handled the email, each new one added at the top. The topmost entry was written by your own provider and is the only one you can fully rely on; the bottom entry is usually the originating server, but everything below the top line was written by other servers and could have been forged by the sender.
- From: The address of the alleged sender, exactly as the sender chose to write it. Nothing stops a sender from putting a bank's name or address here.
- Return-Path: The envelope sender, i.e. the address used during delivery and for bounces. It is the address SPF is checked against, and it often reveals the attacker's real sending domain, but it is also under the sender's control.
- Reply-To: Where replies go if the sender wants them somewhere other than the 'From' address.
- Message-ID: A unique identifier for the email, created by the sending mail server or client.
- Received-SPF and Authentication-Results: The outcome of the SPF, DKIM and DMARC checks that your provider performed on arrival (explained below).
Here is an example of what an email header might look like:
Received: from mail.example.com (mail.example.com. [192.0.2.1])
by mx.google.com with ESMTPS id r7si123456qtp.123.2023.08.07.08.08.08
for <your-email@gmail.com>;
Mon, 07 Aug 2023 08:08:08 -0700 (PDT)
Return-Path: <sender@example.com>
Received-SPF: pass (google.com: domain of sender@example.com designates 192.0.2.1 as permitted sender) client-ip=192.0.2.1;
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of sender@example.com designates 192.0.2.1 as permitted sender) smtp.mailfrom=sender@example.com;
dkim=pass header.i=@example.com;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=example.com
From: "Sender Name" <sender@example.com>
To: "Your Name" <your-email@gmail.com>
Subject: Test Email
Message-ID: <1234567890@example.com>
Date: Mon, 7 Aug 2023 08:08:08 -0700 (PDT)
Spam indicators in the email header
- Unusual 'Received' entries: Unknown or oddly named servers in the chain can be suspicious, especially in the top entries that your own provider wrote. A long chain on its own is only a weak signal: forwarding and mailing lists add hops to legitimate mail too.
- Unusual sender addresses: Check the 'From' field. If the address is inconsistent with the purported sender, or the display name shows a brand while the address belongs to an unrelated domain, that is a sign of spoofing.
- Suspicious 'Message-ID': A missing or malformed 'Message-ID' often points to bulk-sending tools. Reputable mail servers generate a unique one; its domain does not have to match the 'From' domain, though, so treat a mismatch there as a weak signal.
- Mismatched domains: Compare the domains in 'From', 'Return-Path' and 'Reply-To'. Legitimate newsletters sometimes use a different Return-Path (their mailing service), but a Return-Path or Reply-To on an unrelated or free-mail domain is a red flag.
- SPF, DKIM and DMARC results: These protocols help to verify that the email is authentic. Your provider records the results in the 'Authentication-Results' header.
  - SPF (Sender Policy Framework): Checks whether the server that delivered the email is allowed to send for the domain in the Return-Path (shown as smtp.mailfrom). A 'fail' or 'softfail' is suspicious. A 'pass' only means the mail came from where that domain's owner said it would; an attacker can easily pass SPF for a domain they own.
  - DKIM (DomainKeys Identified Mail): A cryptographic signature over selected headers and the body, made with the private key of the signing domain (header.i or header.d). A 'pass' means the message has not been altered since that domain signed it; a missing or failing signature is suspicious. As with SPF, the signing domain must be the one in the 'From' field for the result to mean anything.
  - DMARC (Domain-based Message Authentication, Reporting & Conformance): Ties SPF and DKIM to the domain in the 'From' header: at least one of them must pass and be aligned with that domain. The domain owner's policy (p=none, p=quarantine or p=reject) tells the receiver what to do on failure. With p=none, the mail is delivered regardless, so a 'dmarc=fail' that you find in your inbox was let through deliberately, with only the failure recorded.
Example analysis of an email header
Here is an example of an email header with explanations of what to look out for:
Received: from unknownserver.com (unknownserver.com [192.168.1.1])
by mx.google.com with ESMTP id abc123xyz;
Mon, 07 Aug 2023 08:08:08 -0700 (PDT)
Return-Path: <spam@scammer.com>
Received-SPF: fail (google.com: domain of spam@scammer.com does not designate 192.168.1.1 as permitted sender) client-ip=192.168.1.1;
Authentication-Results: mx.google.com;
spf=fail (google.com: domain of spam@scammer.com does not designate 192.168.1.1 as permitted sender) smtp.mailfrom=spam@scammer.com;
dkim=fail header.i=@scammer.com;
dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=fakebank.com
From: "Fake Bank" <alert@fakebank.com>
To: <your-email@gmail.com>
Subject: Urgent: Verify Your Account
Message-ID: <spam123@unknownserver.com>
Date: Mon, 7 Aug 2023 08:08:08 -0700 (PDT)
Suspicious signs:
- Return-Path and From: different domains (spam@scammer.com vs. alert@fakebank.com), and the display name 'Fake Bank' is there to draw the eye away from the address.
- Received-SPF: the SPF check failed, so 192.168.1.1 is not an authorised sender for scammer.com.
- Authentication-Results: SPF, DKIM and DMARC have all failed. Note the policy 'p=NONE': the domain owner has not asked for failing mail to be rejected, so the receiver delivered the email anyway and merely recorded the failure.
- Received server: an unknown server (unknownserver.com), and 192.168.1.1 is a private address that an Internet-facing mail server should never see as the connecting client.
- Message-ID: a 'Message-ID' on the unrelated domain unknownserver.com (spam123@unknownserver.com).
More tips:
Compare sender and reply addresses:
A 'Reply-To' address that differs from the 'From' address is common in phishing: the attacker spoofed the 'From' address but still wants your reply to reach them.
Pay attention to IP addresses:
Look at the client IP in the topmost 'Received' line, the one your own provider wrote. A private or reserved address there (e.g. 192.168.x.x or 10.x.x.x) makes no sense for mail arriving from the Internet. A public address can be looked up in an IP reputation service or checked against the sending domain's SPF record.
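The checks in this detour can be automated. The following Python script is an added example and not from the original article; it parses a raw message with the standard library's email module and reports the red flags discussed above: domain mismatches between 'From', 'Return-Path' and 'Reply-To', the SPF/DKIM/DMARC verdicts from 'Authentication-Results' including the p=none case, a private address in the first 'Received' hop, and a missing 'Message-ID'. Both sample messages are constructed from the headers shown above; the 'Reply-To' line and its domain 'mailbox-free.example' are invented additions to the suspicious sample.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the suspicious header analysed above, plus an invented
# Reply-To line so that the reply-address check has something to find.
SUSPICIOUS = """\
Received: from unknownserver.com (unknownserver.com [192.168.1.1])
        by mx.google.com with ESMTP id abc123xyz;
        Mon, 07 Aug 2023 08:08:08 -0700 (PDT)
Return-Path: <spam@scammer.com>
Authentication-Results: mx.google.com;
        spf=fail (google.com: domain of spam@scammer.com does not designate 192.168.1.1 as permitted sender) smtp.mailfrom=spam@scammer.com;
        dkim=fail header.i=@scammer.com;
        dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=fakebank.com
From: "Fake Bank" <alert@fakebank.com>
Reply-To: <collect@mailbox-free.example>
To: <your-email@gmail.com>
Subject: Urgent: Verify Your Account
Message-ID: <spam123@unknownserver.com>
Date: Mon, 7 Aug 2023 08:08:08 -0700 (PDT)

Please verify your account.
"""

# Constructed sample that passes every check (the clean header shown earlier).
CLEAN = """\
Received: from mail.example.com (mail.example.com. [192.0.2.1])
        by mx.google.com with ESMTPS id r7si123456qtp.123.2023.08.07.08.08.08
        for <your-email@gmail.com>; Mon, 07 Aug 2023 08:08:08 -0700 (PDT)
Return-Path: <sender@example.com>
Authentication-Results: mx.google.com;
        spf=pass smtp.mailfrom=sender@example.com;
        dkim=pass header.i=@example.com;
        dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=example.com
From: "Sender Name" <sender@example.com>
To: "Your Name" <your-email@gmail.com>
Subject: Test Email
Message-ID: <1234567890@example.com>
Date: Mon, 7 Aug 2023 08:08:08 -0700 (PDT)
"""

# Ranges that must never be the connecting client of an Internet-facing MX:
# RFC 1918 private space, loopback and link-local (IPv4 and IPv6).
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]


def domain_of(header_value):
    """Lower-cased domain of the first address in a header value ('' if none)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def auth_results(msg):
    """spf/dkim/dmarc verdicts and DMARC policy from Authentication-Results."""
    text = re.sub(r"\s+", " ", " ".join(msg.get_all("Authentication-Results", [])))
    out = {m.lower(): r.lower()
           for m, r in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", text, re.I)}
    policy = re.search(r"\bp=(none|quarantine|reject)", text, re.I)
    out["dmarc_policy"] = policy.group(1).lower() if policy else None
    return out


def first_hop_ip(msg):
    """Client IP in the topmost Received line, the one our own provider wrote.
    Lower Received lines come from earlier servers and may be forged."""
    received = msg.get_all("Received", [])
    m = re.search(r"\[([0-9a-fA-F.:]+)\]", received[0]) if received else None
    return m.group(1) if m else None


def analyse(raw_message):
    """Return a list of human-readable red flags found in the headers."""
    msg = message_from_string(raw_message)
    flags = []
    from_dom, rp_dom = domain_of(msg["From"]), domain_of(msg["Return-Path"])
    if rp_dom and rp_dom != from_dom:
        flags.append(f"Return-Path domain {rp_dom} differs from From domain {from_dom}")
    reply_dom = domain_of(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        flags.append(f"Reply-To points to {reply_dom}, not to {from_dom}")
    auth = auth_results(msg)
    for method in ("spf", "dkim", "dmarc"):
        if auth.get(method) != "pass":
            flags.append(f"{method.upper()} result: {auth.get(method, 'missing')}")
    if auth.get("dmarc") == "fail" and auth.get("dmarc_policy") == "none":
        flags.append("DMARC failed, but p=none means the receiver delivered it anyway")
    ip = first_hop_ip(msg)
    try:
        if ip and any(ipaddress.ip_address(ip) in net for net in NON_ROUTABLE):
            flags.append(f"first hop {ip} is a private or reserved address")
    except ValueError:
        flags.append(f"first hop address {ip!r} is not a valid IP")
    if not msg["Message-ID"]:
        flags.append("Message-ID missing")
    return flags


if __name__ == "__main__":
    print(analyse(SUSPICIOUS), analyse(CLEAN))
```

To use it on a real message, paste the full header text (as obtained with the steps above) into a string and call analyse() on it. The 'Authentication-Results' header is only meaningful if it was written by your own provider: an attacker can add one with 'pass' verdicts to the message, so a real filter checks the authserv-id (mx.google.com in the samples) against the provider's own name.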
By carefully checking the email header, you can detect and avoid many spam and phishing attempts.