Phishing – part 2

Last time we looked at the reasons one needs to distrust all email. Here we continue with two more methods you can use to make sure you don’t get phished.

Digging deeper

Email servers use standardized ways to relay and deliver mail. Every time a server acts on a message, it adds a header to the message describing what it has done. Your email client, whether it is web mail, Outlook or some other, hides most of these headers for you. If it didn’t, you would have to wade through dozens of lines of server dialog to get to the message body.

But we can use these headers to our advantage, if we believe the message may be forged, fake or malicious. Your mail app provides a way to view the headers in their entirety. The steps are different for each app, but MxToolBox provides a page describing them all. Just click on your mail app in the left column and follow the steps provided.

Once you have the headers before you, you should be able to find the To, From, Date, and Subject headers in a group near the bottom. Start from there and work your way up. Very often the next line or two will answer the question.

  • Examine the Received headers; each one records which server received the message from which. Are the mail servers shown in other countries than where the sender is located? If the last letters after the last dot are not .com, .net, or .org, they will frequently be “country codes”. These are two-letter codes that are assigned to each nation in the world, for example, “.us” – United States, “.br” – Brazil, “.cn” – China. (For a complete list, refer to the ICANNWiki page.) A message from a source somewhere in the States should not have any Received headers with server names like mail.xyz123.ru.
  • The part of the From address after the “@” should match the business domain name. For example, all messages from ComputAssist should have “@computassist.com” as the ending of the address. If it does not, it likely did not originate here.
  • If there is a Reply-To header, does its address differ from the From address? This is a way to divert your reply to an address you never saw.
  • Still not sure? Look for headers with SPF and DKIM results. The ideal result of these validation tests is a Pass score. A safe message may not always have a pass score, but fake ones never do.

Attachments can be dangerous

One way for phishers to get you hooked is to attach a malicious file to the message. Click it, and the attack on your computer and network begins. These attacks can appear quite genuine. It might look like a bank statement, or an invoice from a supplier, complete with corporate logo and boilerplate fine print.

  • Never trust an attachment that you were not expecting.
  • Even if it appears to be familiar, such as a monthly invoice, use the other techniques here to verify the authenticity of the message first!
  • Be especially careful with Office documents, which can contain code that runs on your computer when they are opened.

Everyone who uses email is potentially a phishing target. These techniques will go a long way in keeping you from becoming a victim.

Bill Bardon

Owner, ComputAssist