How to detect a phishing attack

Although phishing attacks have been going on since the beginning of time, they are still one of the most efficient attack vectors from an attacker’s perspective. They don’t have to call you, the emails can be mass-distributed, and they can register domains and email accounts on the fly. This article mentions some common ways to detect a phishing attack and how to respond to them.

Malicious URLs and Attachments

The main goal of an attacker is to get their targeted list of individuals to interact with the email in one or two ways: clicking a malicious URL or opening up an attachment.

Clicking a malicious URL

When you notice a URL in the body of the email, simply hover the URL with your mouse before you click on it. In many cases, individuals may not think about the consequences of just clicking a URL, but this could give an attacker a lot of valuable information, including the following:

1. The confirmation that your email address is valid
2. Your IP address
3. Your operating system and web browser versions, which could be cross referenced to vulnerabilities
4. Your willingness to participate in a phishing email

These valuable pieces of information could allow a motivated attacker to perform a more targeted attack if they know information about you.

Opening a malicious attachment

If you receive an attachment that you are not expecting, you should immediately report it to your IT department. Opening a malicious attachment could result in full access to your system, or even your organization’s entire environment depending on other implemented controls. Even if you are expecting it and something just doesn’t feel right, forward it to your IT department.

Remember, it’s better to be safe than sorry.

The source email address(es)

Review the “from” address and inspect the full email address (not just the name). Attackers will try to spoof your organization or a trusted company’s email address and domain. In many cases, there are actually typos in the “from” address.

The destination email address(es)

One of the many obvious ways to detect a phishing attack is the recipient address. There are some cases where the recipient address is blank, and when this happens, it’s because you are BCC’d and the email is going out to multiple recipients. Sometimes, these emails can actually be legitimate. However, in most cases if someone is intending to send you an email, they won’t hide this information. A blank recipient address should spark suspicion unless it is common practice within your organization for whatever reasons.

Email style and formatting

Attackers usually try to spoof email designs and formatting so that their victims can be more trusting. In some of these cases, there could be slight changes with the email signature or even the body of the email. You should always keep an eye out for these things.

Email Headers

A more advanced technique to learn about the source of your email is by inspecting its email headers. The headers of an email give out a lot of valuable information. You can use sites such as https://mxtoolbox.com/EmailHeaders.aspx to paste the headers, and it’ll tell you some great information. Some of this information could be understandable depending on your technical knowledge, and some of it may not make sense at all.

To view the email headers, we have provided some quick steps below. Refer to the instructions for your specific email client.

Microsoft Outlook (Mac)

1. In your Outlook client, navigate to the email in question.
2. Right click on the email and navigate to “View Source”.
3. The email headers will open up in a text file.
4. Copy this information and paste it into an email inspector, such as the URL linked above.

Gmail (Web Browser)

1. Open the email that you want to inspect the headers for.
2. In the top right corner of the email, click the three dots (next to the reply arrow).
3. Select “Show original”.
4. The following page should actually contain the parsed information, just like an online email header inspector would show.