How to Know if We Are Encountering a Fraudulent Email
Most cyberattacks arrive through email. It is the most widely used attack vector and continues to produce results, despite spam and anti-phishing filters, because some people still fall into the trap of fraudulent emails. In this post, we will explain how to know if an email is fake, even when the signs are not so obvious.
5 signs that show that you are facing a fake email
Fraudulent emails are, as we said, the most common means to carry out certain cyberattacks, such as phishing, spear phishing, ransomware attacks, or the injection of different types of malware. The objectives depend on the attack itself, but normally they all lead to obtaining personal data, account numbers, credit cards, user account credentials, etc.
It is true that email servers already include filtering tools that can help prevent fraudulent emails from ending up in our inboxes, sending them directly to the spam or junk mail folder. Still, there are cybercriminals with enough knowledge to bypass these filters and make a fake email look legitimate.
How can I tell if an email is fake? Looking at some of the following signs will often be enough.
The domain of the email address
The first signal is found in the domain of the email sender’s address; in fake emails, these addresses may look like the real ones, but they are only partially the same.
The key clue is in the domain; legitimate addresses use the name of the business or company as the domain, for example, @techgogoal.com, where “TechGogoal” is the domain. A spoofed email trying to impersonate this company could use something similar: email@example.com (or an even rarer or unknown domain).
So if the email looks suspicious, the first step is to check the sender’s address and compare it with a legitimate email from that company.
It is worth mentioning that there is an exception and that we can receive fraudulent emails from legitimate addresses when cybercriminals have resorted to spoofing, a technique used to impersonate a legitimate address. Regarding how to know if an email is dangerous in this case, we will explain it later.
Wording with spelling or agreement mistakes
Another sign that we are dealing with a fake email is wording with misspellings or grammatical agreement errors. These campaigns often rely on automatic translation to send fraudulent emails in bulk, so the text is poorly written.
It should be noted, however, that some fraudulent emails take more care over this aspect, especially in spear phishing campaigns or campaigns directed against executives or people with responsibility, such as employees targeted in advanced persistent threats.
The subject generates alarm or demands rapid action
The subject of this type of fake email commonly tries to generate alarm or indicates the need to act quickly; for example, “These documents need to be checked urgently” or “You have X hours to pick up your package.” The urgency is also repeated in the body of the message. The objective is to make the victim overlook other possible signals in the rush to respond or carry out the required action.
No matter how rushed a supposed issue is, we should always stop to check the sender and make sure that the email is legitimate, even before downloading any attachments it may include.
Request personal information through a link
This is the usual phishing technique. The email refers to a service that is about to expire, a card that has been blocked, a prize that we have won, etc. The methods vary, but a link is always included that takes us to a page where we are asked to fill in our data, such as the one we can see in the example image.
The objective is to obtain our personal information for different purposes, such as identity theft or the sale of this type of data on the dark web.
Includes attachments
In the absence of links, this type of fraudulent email usually contains attached files, typically Word or PDF documents, accompanied by some malware, which often only requires opening the document to execute.
If you receive an email with supposed documents that you should see or a file that arouses your curiosity, but it does not come from anyone you know or the sender address is suspicious, do not download the files and delete the email. In addition, if the address corresponds to one of your contacts, you can always confirm with the sender whether the email is legitimate and whether they sent it to you.
How to check if you are facing a fraudulent email
Earlier, we mentioned that it is possible to mask the real address from which a fake email is sent and pass it off as legitimate using the spoofing technique. Knowing if an email is safe in these cases requires a small verification action. Still, it is simple to carry out.
It consists of checking the “Received” header of the email, which should always show the real domain of the sender.
Depending on the email client you use, the way to see this header may vary. Next, we will explain how to see it in Outlook and Gmail, two of the most used services.
In Outlook, go to the inbox, right-click on the message we want to check, and select “View > View message source” from the drop-down menu.
In Gmail, the procedure is very similar. You open the message you want to check, click on the three vertical points, and click “Show original.”
Here we hardly even have to check the Received header because a suspicious address already appears in the “From:” section. It says Media Mark, but next to it, there is an address that has nothing to do with this company.
As in Outlook, we will have to go down to see the first Received to see the domain, which appears as mx.google.com, with nothing to do with Media Mark.
Interpret the information in the Received field
Indeed, a lot of information appears next to Received. Still, as we have said, by looking at the domain of the sender’s address we can already see whether the email comes from a legitimate address; in the example above it does not, so it is a fake email. You can check a legitimate email from a company against a fake one posing as that company to see the differences.
In addition to this information, we can also look at the SPF and DKIM fields, which indicate whether the email has passed verification control. It may pass one of them, but not both. When these checks are passed, the header will show “dkim=pass (signature was verified)” and “SPF: Pass (protection.outlook.com: domain of ………………. designates ………….. as permitted sender),” where the dots correspond to the domain and the IP respectively.
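The checks described above can be run over the text shown by “View message source” or “Show original”. The following is an added example, not part of the original post: the sample message, its host names, the expected domain `mediamark.example`, and the function names are all constructed for illustration. It reads the From address, the first Received header, and the SPF and DKIM results recorded in the standard `Authentication-Results` header. In the sample, SPF passes only because the sender's own domain authorises that server, while the From domain has nothing to do with the company named.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed message source for illustration; every host and address is made up.
SAMPLE = """\
Received: from mail.bulk-sender.example (mail.bulk-sender.example [203.0.113.7])
    by mx.google.com with ESMTP for <user@example.org>;
    Mon, 01 Jan 2024 10:00:00 +0000
Authentication-Results: mx.google.com;
    dkim=none;
    spf=pass (google.com: domain of promo@bulk-sender.example designates
    203.0.113.7 as permitted sender) smtp.mailfrom=promo@bulk-sender.example
From: "Media Mark" <promo@bulk-sender.example>
To: user@example.org
Subject: You have 24 hours to pick up your package

Please confirm your details.
"""

def verdict(auth_results, mechanism):
    """Return the result recorded for 'spf' or 'dkim', or 'missing'."""
    m = re.search(rf"\b{mechanism}=(\w+)", auth_results, re.I)
    return m.group(1).lower() if m else "missing"

def inspect_headers(raw, expected_domain):
    """Summarise sender signals; expected_domain is the company's real domain (assumed known)."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    # The first (topmost) Received header is the one written by the receiving mail server.
    received = [" ".join(h.split()) for h in msg.get_all("Received", [])]
    m = re.match(r"from\s+(\S+)", received[0]) if received else None
    auth = " ".join(msg.get("Authentication-Results", "").split())
    report = {"display": display, "from_domain": from_domain,
              "relay": m.group(1).lower() if m else None,
              "spf": verdict(auth, "spf"), "dkim": verdict(auth, "dkim"),
              "findings": []}
    if from_domain != expected_domain and not from_domain.endswith("." + expected_domain):
        report["findings"].append(f"From domain {from_domain} is not {expected_domain}")
    for mech in ("spf", "dkim"):
        if report[mech] != "pass":
            report["findings"].append(f"{mech} result is {report[mech]}")
    return report

if __name__ == "__main__":
    for key, value in inspect_headers(SAMPLE, "mediamark.example").items():
        print(f"{key}: {value}")
```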
Therefore, although it may take us some time, whenever we suspect an email may be fake, we should check the signals we have described in this post and look at Received if we have any doubts.