How to detect whether an email is fake or real

We all get them: emails from our bank, PayPal, eBay, Skype etc., all telling us that we've received a file or a payment, or that something's gone wrong and we need to log in to sort it out. But which are real and which are fake?

These emails cover two types of attack - virus delivery and phishing. Let's start with the first one:

Virus Delivery:

I've seen a massive increase in emails telling me that:

  • I've got a parcel that could not be delivered
  • I have a tax refund from HMRC
  • I have a voicemail from Skype
  • I have a fax message

[Screenshot: virus email]

These emails invariably carry an attachment (usually a zip) containing an executable file that has a virus in it. The virus's payload differs depending on the intention. In the 90s I remember viruses used to simply be destructive, trashing data. (I once remember talking to a family where the 11-year-old son had brought home a floppy disc with a game on it, only to infect the family computer and toast the 17-year-old daughter's 18 months of A-level work, two months before her exams.) Nowadays viruses have a far darker motive: often to deliver tools such as keyloggers that send your passwords back to the author or, more recently, to encrypt your hard disk and demand a ransom to decrypt it, which is referred to as ransomware.

[Screenshot: BT spam virus email]

Phishing attack:

These will often not come with an attachment but will be made to look like an official email. I've had all sorts, such as:

  • Emails from banks, telling me that there has been a fraudulent transaction
  • Emails from eBay asking for a response to an enquiry
  • Emails from PayPal telling me that my account has been frozen due to a dispute

The aim of these attacks is to steal your username and password. Chances are that you use the same username and password on other sites as well, so the attacker will try those credentials against all of the major sites to see if they hit the jackpot elsewhere. For example, do you use the same email address and password for Amazon as you do on any other website? Do you have payment details stored at Amazon? If so, then if ANY of the other websites storing your data gets hacked, the attacker can log into Amazon, order a nice new TV and have it delivered to a third-party address. Use the same password for your email account? They could log into that as well and change the password, locking you out and handing them the password-reset emails for your other accounts. If that's also your Windows 8 login then you could even be locked out of your own system!

[Screenshot: phishing example email]

Why do they do it?

Two main reasons: notoriety and profit. There's a lot of kudos in the hacking fraternity, for example, if you can bring down a website or spread a virus. The profit comes from being able to exploit the information obtained. There are networks set up to trade in 'live' information, such as credit card numbers or other personal data. The BBC recently reported that criminals are actively seeking 'ransomware development kits' so that they can start making money this way.

[Image: ransomware]

How can you tell what's real or fake?

In short, it's rare that your bank will contact you by email about a problem with your account, and it certainly would not send you an attachment to open. You should be suspicious of ANY attachment these days, even from a source you deal with. If it's a zip file of only a few kilobytes to a few hundred kilobytes, the chances are that it contains an executable rather than the document it claims to be. If it has come from a friend, ask the friend whether they meant to send it, ideally by phone or a fresh email rather than by replying. Their PC (or another PC where their email address has been harvested) may have sent out a bulk email carrying the virus in order to propagate itself.
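As an added illustration (not part of the original post), the following Python looks inside a small zip attachment without running anything in it. It flags members with an executable extension, a double extension such as .pdf.exe (Windows hides the last extension by default, so the file displays as a PDF), or the 'MZ' header that every Windows executable starts with whatever the file is called. The sample zip is constructed in the code, and the extension lists are a practical assumption rather than an exhaustive catalogue.

```python
import io
import zipfile

# File types Windows will run when double-clicked.
# Assumption: a practical short list, not an exhaustive one.
EXECUTABLE_EXTENSIONS = {
    "exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "vbe",
    "wsf", "wsh", "hta", "jar", "lnk", "msi", "ps1",
}
# What a double-extension file name tries to make you think it is.
DOCUMENT_EXTENSIONS = {
    "pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "jpeg", "png", "gif",
}


def suspicious_zip_members(zip_bytes):
    """Inspect a zip attachment without executing anything inside it.

    Returns [(member name, [reasons])] for every member that is really an
    executable: by extension, by a document-style double extension, or by
    the 'MZ' header at the start of every Windows .exe/.dll regardless of
    what the name claims.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.rsplit("/", 1)[-1].lower()
            parts = name.split(".")
            ext = parts[-1] if len(parts) > 1 else ""
            reasons = []
            if ext in EXECUTABLE_EXTENSIONS:
                reasons.append("executable extension ." + ext)
                if len(parts) > 2 and parts[-2] in DOCUMENT_EXTENSIONS:
                    reasons.append(
                        "double extension: displays as ." + parts[-2]
                        + " when Windows hides known extensions"
                    )
            # Only the first two bytes are read; the member is never run.
            with zf.open(info) as member:
                if member.read(2) == b"MZ":
                    reasons.append("starts with the Windows PE 'MZ' header")
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def build_sample_zip():
    """Constructed attachment (not real malware) mimicking the delivery-notice
    zips described above. 'MZ' followed by zero bytes stands in for an
    executable body."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Parcel_Delivery_Notice.pdf.exe", b"MZ" + b"\x00" * 64)
        zf.writestr("README.txt", b"Your parcel could not be delivered.")
        # An executable given an innocent-looking name: caught by its header.
        zf.writestr("Voicemail_Skype.wav", b"MZ" + b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in suspicious_zip_members(build_sample_zip()):
        print(member)
        for reason in reasons:
            print("   -", reason)
```

The header check matters because an attacker controls the file name completely; the first two bytes of a Windows executable are the one thing they cannot change and still have it run.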

Phishing emails are relatively easy to detect: hover the cursor over the hyperlink they want you to click and the 'real' web address appears in the browser or mail client's status bar, and it will invariably be nothing like the site you think you are going to. Often it links to an HTML page in a subfolder of a legitimate site that has been hacked (and that's another reason criminals hack sites: to host the fake login pages their phishing emails link to, so that nothing traces back to them).

Try to get into the habit of hovering over a link in an email to verify it before you click on it. That way it will become second nature and you'll quickly see more examples of fake links and get more experienced in detecting them.

Another trick is to create a subdomain on a site the attacker controls so that the address looks like the real site.

For example, signin.ebay.com is real, but signin.ebay.testsite.com is fake. Anyone who owns a domain can create subdomains with one or more words in front of it, so what matters is the part immediately before the .com (or equivalent) ending: that is the domain somebody actually registered. In signin.ebay.testsite.com the real website is testsite.com, and the owner has simply replaced the usual www subdomain with signin.ebay. Note that for country-code endings such as .co.uk the registered domain is the last three parts (paypal.co.uk, not co.uk), so read back from the end accordingly. If you want to learn more about detecting real or fake sites, check out the OpenDNS phishing quiz link in the summary at the bottom.
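To make the hover check and the subdomain rule concrete, here is an added Python example (mine, not the author's): it pulls every link out of an HTML email body, works out which domain each one really goes to, and additionally flags links whose visible text names one site while the href goes to another. The email body and the domain names are constructed for the example, and the public-suffix list is a deliberately tiny assumption that real code would replace with the full Public Suffix List.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: a tiny stand-in for the Public Suffix List, enough for the
# examples here. Real code should use the full list (e.g. the publicsuffix2
# package) so that 'paypal.co.uk' is not mistaken for 'co.uk'.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au", "co.nz"}


def registrable_domain(host):
    """The part of a hostname that somebody actually had to register.

    signin.ebay.testsite.com -> testsite.com   (testsite.com is the real site)
    www.paypal.co.uk         -> paypal.co.uk   (co.uk is a public suffix)
    """
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def host_of(url):
    """Hostname of a URL, tolerating links written without a scheme."""
    if "://" not in url:
        url = "http://" + url
    return urlparse(url).hostname or ""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# Visible link text that itself looks like a web address, e.g. "https://signin.ebay.com/"
HOST_IN_TEXT = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.IGNORECASE)


def check_links(html_body, expected_domain):
    """Do for every link what hovering the cursor does for one.

    Each result records where the link really goes (its registrable domain),
    whether that matches the site the email claims to come from, and whether
    the visible text names a different host than the href (a classic tell).
    """
    parser = LinkExtractor()
    parser.feed(html_body)
    results = []
    for href, text in parser.links:
        real = registrable_domain(host_of(href))
        shown = HOST_IN_TEXT.match(text)
        results.append({
            "href": href,
            "text": text,
            "real_domain": real,
            "verdict": "ok" if real == expected_domain.lower() else "fake",
            "text_mismatch": bool(shown) and registrable_domain(shown.group(1)) != real,
        })
    return results


# Constructed sample body (not a real email): one genuine link, two phishing links.
SAMPLE_EMAIL = """
<p>Dear member, a buyer has sent you an enquiry. Please respond within 48 hours.</p>
<p><a href="https://signin.ebay.com/ws/eBayISAPI.dll">signin.ebay.com</a></p>
<p><a href="http://signin.ebay.testsite.com/login.html">https://signin.ebay.com/</a></p>
<p><a href="http://blog.example.net/wp-content/uploads/ebay/index.html">Respond now</a></p>
"""

if __name__ == "__main__":
    for r in check_links(SAMPLE_EMAIL, "ebay.com"):
        flag = "  (visible text names a different site)" if r["text_mismatch"] else ""
        print(f'{r["verdict"]:4} {r["real_domain"]:14} <- {r["href"]}{flag}')
```

The second sample link is the subdomain trick from the text (testsite.com dressed up as signin.ebay), and the third is the hacked-site pattern: a login page parked in an upload folder on an unrelated domain.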

In the example screenshot below you can see that hovering over the link takes us to a page on a completely unrelated web domain.

[Screenshot: LinkedIn scam email]

What can you do about it?

Firstly, get smart! Don't use the same password for different sites. Of course, how do you then remember all of these passwords? There are several password tools out there to help you generate a unique password for each site. I personally use LastPass. They have a free version which will work for most people. It installs as a plugin for all the main browsers. You log into it once with a long master password of your choice, and it then intelligently prompts you to save sites as you log into them. When you visit a site, icons appear over the login fields, and a quick right-click offers you all of the passwords you might use to get into that site. They support family logins, meaning you can have a communal pool of passwords accessible by all family members while keeping an individual's own sites, such as bank logins, private.

[Screenshot: LastPass]

You should also ensure that your PC is up-to-date. ALWAYS let Windows and any security software update itself - that way you will be protected against the latest attacks. Don't forget to update browser plugins, or better still don't use any! A lot of people end up with toolbar after toolbar that has been installed alongside other software, some of which may actually be malware! Strip your browser back to the bare minimum and it'll be more secure and run faster. And of course, backup, backup, backup! There are those that have lost data and those that will lose data - I am in the first camp, and I'm not going there again!

What if you have accidentally opened an attachment or logged into a fake site?

If you ran an attachment, the first thing to do is run a virus scan with your installed antivirus software. If you don't have any installed, there are plenty of free ones, such as Microsoft Security Essentials, Avira, AVG and many more. Select the Full Scan option and let it run; it may take hours. If you know what you are doing, you could also open Task Manager, select the Processes tab and look for the executable running in the background (often the same name as the file inside the zip you double-clicked, though malware frequently copies itself elsewhere under a different name). If it is there, select it and click End Process. That at least stops it running in memory, but it may be configured to load again on startup, so the full scan is still needed.

If you logged into a fake site you should immediately do the following in order:

1. Run a virus scan to make sure that you were not infected by a 'drive by download' - a virus that could have infected you from the scam site.

2. Log into the real site (by typing its address into the browser, not by following a link in the email) and change your password.

3. Log into any other sites where you use the same username and password configuration and change the password.

It's worth dedicating some time to the third step, because once each site has its own password, a breach at one site only exposes that site, not every other site where you used the same credentials.

Summary

Unfortunately there are a lot of unsavoury people out there clamouring for your personal data or to just generally screw with your life. By putting a few simple practices into place you can protect yourself well without overcomplicating things. Why not take a few minutes out to see how well you can recognise a real site from a fake site by trying the OpenDNS Phishing Quiz. I'm pleased to say I got full marks!

Written by Martin Bailey.
