Malicious Emails and How to Spot Them


Millions of malicious emails are sent every day.  Many of these are trying to steal your personal details.  Most of you are aware that criminals send messages that pretend to come from your bank to steal bank and other personal details, but a fair proportion of these target less obvious information such as your University or other email login.  Email aimed at stealing such details is called “phishing”.

Loss of your username and password can have serious consequences.  They can be used to read all your emails and gather personal details, see who your contacts are, and send email to them and to others on your behalf.  University credentials can be used to log in to any system you are registered on, giving criminals the access to read, change or delete anything you have access to on any of these systems.

Other types of malicious email are sent with the aim of tricking you into running viruses and similar programs (malware) on your computer.  Links in email can download these programs directly or lead to web pages that can infect your computer, or the email can carry a program hidden in an attachment that runs when you open it.

Malware can do all manner of things like spy on what you are typing or encrypt all your files and demand a ransom to let you access their contents again.  The only limits are the imagination and creativity of the people who write the programs.

What does malicious email look like?

This is a difficult question to answer, because there are thousands of different campaigns, and new versions are being written every day.

Examples of phishing include email telling you that your WebMail Account is full and you must enter your password to unlock it; perhaps the email has an ‘Urgent Attachment’ and you must log into a webpage to receive it, or that your ‘Recent Transaction’ was successful and you must enter your bank details to confirm.

Examples of email carrying malware include attached invoices, speeding fines (Notice of Intended Prosecution), parking fines and notices about orders that you will be charged to your credit card if you do not cancel.

What Types of Things Should you Look For?

Most of the messages have the following three general characteristics:

  • The email looks like it is from a trustworthy source such as IT services, the Police, a bank or delivery company – this is so you will trust the email
  • The email gives you a warning or threatens you of something bad that will happen if you take no action – this is designed to make you panic
  • The email asks you to click on a link or open an attachment; the links lead to pages that ask for your username and password or download files – these actions will get your password stolen or infect your computer

The content is suspicious

This can be a difficult one because the criminal sending the email is trying to trick you.  However, most malicious email can be spotted from the content alone.  Sometimes things just don’t look right: a message will simply look suspicious.  If you feel something is wrong, it probably is.

The main things to consider are:

  • Am I expecting this message?
  • Would the sender really send such a message to me?
  • Is the message really the type of communication that you would expect from the organisation it claims to come from?

Unfortunately there is no simple set of rules that can be applied, so here are a few other characteristics to look for.

  • There are often grammatical errors, odd wording or technical errors in the messages.
  • Links go to sites that are nothing to do with the organisation sending the email.  The text of a link can say one thing while the link itself goes somewhere else, so hover over a link to see where it really leads before you click it.
  • Link shortening services are used to hide where links really go (eg bit.ly, tinyurl.com, ow.ly).
  • The subject field does not really match the content.

If in doubt, seek advice from the IT Service Desk.

The email address is not consistent with the organisation sending it

In the case of IT Services, genuine email comes from an address ending in bham.ac.uk, not from an address hosted elsewhere – for example helpdesk01@gmail.com, IT@helpdesks.org, itsupport@freemail.inc.co or fkruger@barbiemail.co.uk.

Even if the address is correct, there is no guarantee that the email is genuine, as addresses can be forged and sometimes compromised accounts are used to send malicious email.  Bear in mind too that many mail programs show only a display name such as “IT Services” and hide the address behind it, so check the actual address, not just the name.  However, if the address looks wrong in this way you can be confident that the email is malicious.
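The address and link checks described in the two sections above can be automated, at least as a first pass. The script below is an added example written for this page; it is not a tool from IT Services or the blog. It parses a constructed sample message (not a real campaign) and warns when the sender is outside an assumed organisation domain (bham.ac.uk here), when Reply-To points somewhere else, when a link uses one of the shorteners named above, when a link goes outside the organisation, or when the visible link text names a different site from the one the link really goes to. The domain test deliberately checks for a matching suffix rather than a substring, so that a look-alike host such as bham.ac.uk.something.example is not mistaken for the real thing.

```python
"""Heuristic warning signs for a suspicious email, run over a constructed sample.
Added example for this page; not the blog's or IT Services' own tooling."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Organisation the message claims to come from (assumption for this example).
ORG_DOMAINS = {"bham.ac.uk"}
# Link-shortening services named in the post.
SHORTENERS = {"bit.ly", "tinyurl.com", "ow.ly"}

# Constructed sample phishing message (not a real campaign).
SAMPLE_EML = """\
From: IT Services <helpdesk01@gmail.com>
Reply-To: itsupport@freemail.inc.co
To: someone@bham.ac.uk
Subject: Urgent: your WebMail account is full
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your mailbox has exceeded its quota. Log in within 24 hours to avoid
suspension:</p>
<a href="http://bit.ly/3xyzabc">https://webmail.bham.ac.uk/login</a>
<a href="http://bham.ac.uk.account-verify.example/login">Verify account</a>
</body></html>
"""


def in_domain(host, domains):
    """True if host is one of domains or a subdomain of one.  A plain
    substring test would wrongly accept bham.ac.uk.account-verify.example."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_message(raw, org_domains=ORG_DOMAINS):
    """Return a list of human-readable warnings for one RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    warnings = []

    _, sender = parseaddr(str(msg.get("From", "")))
    sender_domain = sender.rpartition("@")[2]
    if not in_domain(sender_domain, org_domains):
        warnings.append(f"sender {sender} is not in {sorted(org_domains)}")

    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and reply_to.rpartition("@")[2] != sender_domain:
        warnings.append(f"Reply-To {reply_to} differs from sender domain")

    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None:
        parser = LinkExtractor()
        parser.feed(body.get_content())
        for href, text in parser.links:
            host = urlparse(href).hostname
            if in_domain(host, SHORTENERS):
                warnings.append(f"link uses a URL shortener: {href}")
            elif not in_domain(host, org_domains):
                warnings.append(f"link goes outside the organisation: {href}")
            # Visible text that looks like a URL but points somewhere else.
            shown = urlparse(text).hostname if "://" in text else None
            if shown and shown.lower() != (host or "").lower():
                warnings.append(f"link text shows {shown} but goes to {host}")
    return warnings


if __name__ == "__main__":
    for w in check_message(SAMPLE_EML):
        print("WARNING:", w)
```

Run against the sample it reports five warnings: the Gmail sender, the mismatched Reply-To, the bit.ly shortener, the link text that names webmail.bham.ac.uk while the link goes to bit.ly, and the look-alike host outside the organisation. A message from a genuine bham.ac.uk address with no links produces no warnings. This is a filter on the obvious signs only; as the text notes, a correct-looking address does not prove a message is genuine.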

Examples

We do post examples of malicious email on this security blog highlighting suspicious characteristics.  These can be found by looking at the “Examples of malicious email” category.

Author: Chris Bayliss

IT Security Manager.

2 thoughts on “Malicious Emails and How to Spot Them”

  1. Thanks for the helpful blog. Can I ask about e-mails that have an “unsubscribe” option at the bottom. I have had a sudden mass of e-mails that try to say I have money in an account that I should access. At the bottom of the e-mails is an option for unsubscribe. I have clicked the unsubscribe link, hoping these will stop – I was getting 3-4 a day. I was told however by a friend, that I should not click unsubscribe, as that verifies my e-mail address and can cause problems. Is that true, and should I do anything about the fact that I have clicked on the unsubscribe link?
    Thanks

    1. This is a tricky one. Clicking on links could lead to malware or phishing sites, so it does carry risk and extreme caution is needed. It is often said that clicking on unsubscribe links will lead to verification that the email address is real and lead to more spam; I have yet to see evidence of this. However, if there is nothing suspicious about the email and it is from an otherwise reputable source, such as a company you have made purchases from, then unsubscribing will stop further emails from arriving. If in doubt, seek advice initially through the IT Service Desk.
