How to Detect a Phishing Email

Recently we have been studying computer security in class (chapter 5 of my textbook), and one of the topics we have covered is spam and phishing. ‘Good’ (if that is the right word) phishing emails can be difficult to detect even for security-savvy users, so it is no wonder many people fall victim to them, handing over personal details that can leave them vulnerable to financial fraud and identity theft.

One such example arrived in my inbox this morning. Google correctly directed it straight into my spam folder, but for the purpose of this post I took it out again!

Phishing email
A pretty convincing phishing email from ‘Barclays’

The email is a pretty good imitation of an email from Barclays bank, and includes several features that could easily fool a novice user (and some experienced users):

  • The sender’s address of ibankingservice@barclays.co.uk.
  • Barclays’ logo is included
  • The link URL apparently goes to bank.barclays.co.uk
  • The link starts with https, suggesting the connection is secure (this is a good time to review the difference between security and authentication.
  • There is an official-looking footer including addresses and some legal jargon
  • The spelling and grammar are correct, which is quite unusual for spam and phishing emails
  • The subject message is quite worrying – my account has apparently been blocked, which means I need to act quickly!

So, how do I know this is a phishing attempt? This email has a few classic signs:

  • The urgent, worrying subject is a classic attempt to get the reader to act before they think
  • The generic greeting (‘Valued customer’) signifies the sender does not know my name. My bank should know my name, and emails can easily be personalised by them
  • Banks never send requests for personal data or passwords through the Internet. Ever.
  • The Barclays logo looks a little low quality – perhaps stretched a bit

So what about the sender and the link? Email sender addresses are easily faked, so the fact that this email appears to come from Barclays is totally irrelevant. As for the link, the link text is totally irrelevant: after all, I could have a link called click here for fluffy bunnies which takes you to the (real) Barclays bank. Before clicking on any link in an email you should always hover the mouse over the status bar to see where the link will take you. In this case, we see:

Browser status bar
The status bar contains the link’s true destination

Ah-ha! The real URL. Definitely not related to Barclays bank! Finally, the most important piece of evidence for me: I don’t use Barclays bank!
What happens if you visit a phishing site?

I must admit, after taking a few security precautions, I did click the link (Disclaimer: as a rule, don’t do this). Immediately Firefox’s phishing protection filter warned me that this site had been reported as malicious, but after ignoring that warning (don’t do that, either) I was redirected to a site in Hungary (.hu) which was an ‘excellent’ reproduction of the official Barclays website. In fact, looking at the source code of the site they appeared to simply pull most of their HTML and CSS straight from Barclays server, which is why the site was such an accurate reproduction (this also had the side effect of showing “Contacting barclays.co.uk” in the browser status bar as the page loaded – very tricky indeed!).If I had been foolish enough to put in my username and password to log in to the fake site, what would happen? Firstly, my username and password would be sent straight to these phishers. Then I would most likely be shown a fake “Incorrect password” error before probably being taken to the real Barclays bank page to try again. Most users would not notice the change of sites, and most of us enter our passwords incorrectly sometimes, so one failure would not alert us. If the fake site did not redirect to the real site, we might become suspicious when our details didn’t work, and start to investigate more thoroughly. The phishers do not want that!

Fortunately this phishing site has now been reported and taken down and OpenDNS, the service my ISP use, also blocks it.
OpenDNS blocks phishing email

Be the first to comment

Leave a Reply

Your email address will not be published.


*