How to spot phishing emails and check for breaches

This blog post is going to discuss how to spot phishing emails and check for breaches as well as what you can do to protect yourself from them.

I think it’s a fact of Internet life that if you have an email address, you’re going to get phishing emails. Some will be fairly easy to spot, but others less so.

Quite recently I received one that grabbed my attention rather more than the usual suspects: the subject line started with one of my passwords. I’ll share it with you below.
The mail below was actually the third email in a similar vein. The first one suggested they’d installed a keylogger and remote-control software, and went on to say they had video evidence that could be embarrassing, to say the least.

The first thing I did was check the password, and it turned out to be an old one, so panic over. If they’d had a keylogger they’d have used an up-to-date password, and I don’t visit any sites likely to cause me any embarrassment anyway (unless you include Schecter Guitars or Alfaholics), so I knew the rest of the mail was pure fabrication. They go on to request $2k in bitcoin within 24 hours or they’ll distribute their video evidence to your Facebook and contact list.

Targeted phishing email which contained a known password.

How did they get your password?

You can check to see if your email address has appeared in any breaches at https://haveibeenpwned.com/ where you can also sign up for notifications of any further breaches.

Check to see if your email address has been the subject of any leaks at haveibeenpwned.com

You can also check for breaches if you’re using Firefox as a web browser by (1) clicking on the three lines near the top right of the browser, then selecting (2) “Privacy Protections”, followed by (3) “Sign Up for Breach Alerts”, where you can check your email address for breaches. You don’t have to sign up for the service, but you can, and you can add more than one email address to monitor. The breach information for Firefox comes from the “haveibeenpwned.com” website; it’s up to you if and where you sign up.

Check for breaches using the Firefox web browser (the Firefox Breach Monitor page at monitor.firefox.com)

If you have a Google account you can check to see if any of your saved passwords have been involved in a breach by browsing to “Home > Security > Password Manager > Password Checkup” and clicking on “Check Passwords”.

Checking your saved passwords using Google’s Password Checkup feature.

The Google checkup feature is useful because it shows you which sites you might be using the same login credentials for. While the sites above didn’t suffer a breach, it turns out that the saved passwords I had in Google used the same credentials as one that had been breached. Google also lets you know which passwords you’ve re-used and which accounts use weak passwords; try to address all the issues as soon as you can.
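To make the two checks above concrete, here is an added example in Python (not code from this post, from haveibeenpwned.com or from Google). It shows how the haveibeenpwned.com Pwned Passwords lookup protects the password being checked: only the first five characters of its SHA-1 hash are sent to the service, and the match is made locally against the list of hash suffixes that comes back. It also groups a saved-credential list by password hash to find re-used passwords, the way the Google checkup does. The API URL and the SUFFIX:COUNT response format are HIBP’s real ones; the sample response text, its counts and the credential list are constructed for this example.

```python
from __future__ import annotations

import hashlib
from collections import defaultdict
from typing import Callable

# Real HIBP endpoint; a GET on PWNED_RANGE_URL + <5 hex chars> returns one
# "SUFFIX:COUNT" line per known hash that starts with those five characters.
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed stand-in for the response to .../range/5BAA6 (the range that
# holds SHA-1("password")). The other suffixes and all counts are made up.
SAMPLE_RANGE_5BAA6 = """\
003D68EB55068C33ACE09247EE4C639306B:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1
"""

# Constructed saved-credential list of (site, password) pairs.
SAMPLE_CREDENTIALS = [
    ("shop.example", "password"),
    ("forum.example", "password"),
    ("bank.example", "correct horse battery staple"),
]


def sha1_upper(password: str) -> str:
    """Upper-case hex SHA-1, the form the Pwned Passwords API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_k_anonymity(password: str) -> tuple[str, str]:
    """Return (prefix, suffix). Only the 5-char prefix ever leaves the machine,
    so the service cannot tell which password is being checked."""
    digest = sha1_upper(password)
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Turn 'SUFFIX:COUNT' lines into {suffix: count}."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_body: str) -> int:
    """How often the password appears in the breach corpus (0 = not seen)."""
    _, suffix = split_for_k_anonymity(password)
    return parse_range_response(range_body).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Live lookup over the network; not used in the offline run below."""
    from urllib.request import urlopen

    with urlopen(PWNED_RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


def offline_lookup(prefix: str) -> str:
    """Serves the constructed sample instead of calling the API."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


def audit(credentials: list[tuple[str, str]],
          lookup: Callable[[str], str] = fetch_range) -> dict[str, int]:
    """Breach count per site. `lookup` is injectable so this can run offline."""
    report = {}
    for site, password in credentials:
        prefix, _ = split_for_k_anonymity(password)
        report[site] = breach_count(password, lookup(prefix))
    return report


def find_reused(credentials: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Sites sharing the same password, compared by hash so the plaintext
    does not have to be kept around once hashed."""
    by_hash: dict[str, list[str]] = defaultdict(list)
    for site, password in credentials:
        by_hash[sha1_upper(password)].append(site)
    return {h: sites for h, sites in by_hash.items() if len(sites) > 1}


if __name__ == "__main__":
    for site, count in audit(SAMPLE_CREDENTIALS, offline_lookup).items():
        print(f"{site}: {'seen %d times in breaches' % count if count else 'not found'}")
    for sites in find_reused(SAMPLE_CREDENTIALS).values():
        print("same password re-used on:", ", ".join(sites))
```

Swap `offline_lookup` for `fetch_range` to query the live service; the k-anonymity split is the same either way, and the comparison against the returned suffixes always happens on your own machine.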

Where to report Phishing emails

In the UK you can report phishing and scam emails to https://www.actionfraud.police.uk/report-phishing. They also have a great page that describes what to do if you’ve received a scam email and what a fake email may contain, at https://www.actionfraud.police.uk/scam-emails.

HMRC has a good page for reporting HMRC scams: you can email phishing@hmrc.gov.uk, and they have a page where you can download examples of bogus HMRC emails and contacts, and another about genuine HMRC contacts and recognizing phishing emails.

If it’s a bank phishing email you can usually contact the bank direct. For instance, you can forward emails to NatWest at phishing@natwest.com, Lloyds at emailscams@lloydsbank.co.uk, Barclays at internetsecurity@barclays.co.uk and HSBC at phishing@hsbc.co.uk. Action Fraud will contact the banks about phishing emails, so you can just report it to them and only contact your bank if you’ve responded to a phishing mail and think your account may be compromised.

If your bank isn’t listed above you can run a web search for “your bank scam email” and you’ll be presented with a few good links and pointers. In the UK you can also forward it to the National Cyber Security Centre at report@phishing.gov.uk; for the US a similar service is provided by the FTC.

Spotting Phishing Mails

The graphic below shows some differences between a fake and a genuine email from PayPal. The far-left image is of the fake email as it arrived; perhaps they’re hoping you’ll think it’s from dont.reply.3296@service.paypal.com, but that’s one of the “To” addresses.

If you click on the email address, or for the Android Outlook app long-press the email (1), it should reveal the sender address, and in (3) we can see that it isn’t from PayPal. Expect to see a paypal.co.uk (4) or paypal.com address here.
In the “To” addresses (5) you should see your address. There could be more than one (PayPal lets you register up to 8), but they should all be yours; you shouldn’t see other people’s mail addresses here.
Finally, companies you’re registered with, such as PayPal, will know your details and won’t use a generic greeting like “Dear Customer” (2). PayPal uses both first name and last name (6) for correspondence, so you’ll know they have your details.

Fake and genuine emails from PayPal showing some tell-tale differences to help spot phishing attempts

You can generally check links by hovering the cursor over them to see the target in the lower left of the browser. For the Outlook app on Android, the same can be achieved with a long press on the link (1). This will show the target (2), which in this case isn’t PayPal. Careful though: a short press might take you to the site, so if you aren’t comfortable pressing a link in a suspect mail you can just go direct. A Google search for “PayPal login” will send you to the correct site (https://www.paypal.com/tc/signin), which at least has www.paypal.com in the URL AND has the correct spelling. That matters because if it’s even a letter out, it’s not the same site.

Checking the links in a suspect email on an Android phone with the Outlook app

NB: the https://t.co/ link above is a shortened link from Twitter, so the final destination can’t be easily determined.
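The checks described in the last few paragraphs (sender address versus display name, strangers in the “To” field, a generic greeting, and a link whose visible text doesn’t match where it actually goes, shorteners such as t.co included) can be automated. The following is an added example in Python, not code from this post or from PayPal or Microsoft; it uses only the standard library. The two .eml messages, and the sender and link domains in them, are constructed for the example; the expected PayPal domains are the ones named above.

```python
from __future__ import annotations

import re
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

EXPECTED_DOMAINS = ("paypal.com", "paypal.co.uk")   # named in the post
SHORTENERS = {"t.co", "bit.ly", "tinyurl.com"}      # t.co is in the post; the rest assumed
BRAND_WORDS = ("paypal",)
GENERIC_GREETING = re.compile(r"\bdear\s+(customer|user|member|client)\b", re.I)
HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})", re.I)

# Constructed fake: brand in the display name, real sender elsewhere, a stranger
# in To:, generic greeting, link text that does not match the href.
SAMPLE_FAKE = b"""\
From: "PayPal" <noreply@mail-hosting.example>
To: victim@example.net, someone.else@example.org
Subject: Your account has been limited
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Customer,</p>
<p>Please <a href="https://t.co/abc123">log in at https://www.paypal.com</a> now.</p>
<p>Or visit <a href="http://www.paypa1.example/signin">www.paypal.com/signin</a>.</p>
</body></html>
"""

# Constructed genuine-looking mail for comparison.
SAMPLE_GENUINE = b"""\
From: "PayPal" <service@paypal.co.uk>
To: victim@example.net
Subject: Receipt for your payment
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Jane Smith,</p>
<p>View the receipt at <a href="https://www.paypal.com/signin">https://www.paypal.com/signin</a>.</p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a>, plus all visible text."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self.text_parts: list[str] = []
        self._href: str | None = None
        self._link_text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._link_text = []

    def handle_data(self, data):
        self.text_parts.append(data)
        if self._href is not None:
            self._link_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._link_text).strip()))
            self._href = None


def is_expected(host: str) -> bool:
    """True for the brand's own domain or any subdomain of it."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in EXPECTED_DOMAINS)


def analyse(raw: bytes, my_addresses: set[str]) -> list[str]:
    """Return a list of indicator tags; an empty list means nothing stood out."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings: list[str] = []
    # (3)/(4): the real sender domain, not the display name, must be the brand's.
    sender = msg["From"].addresses[0]
    if not is_expected(sender.domain):
        findings.append(f"sender-domain:{sender.domain.lower()}")
        if any(b in sender.display_name.lower() for b in BRAND_WORDS):
            findings.append("display-name-brand-mismatch")
    # (5): every To: address should be one of yours.
    recipients = {a.addr_spec.lower() for a in msg["To"].addresses}
    strangers = recipients - {a.lower() for a in my_addresses}
    if strangers:
        findings.append(f"other-recipients:{len(strangers)}")
    # (2): generic greeting; then each link's real target versus its text.
    body = msg.get_body(preferencelist=("html", "plain"))
    collector = LinkCollector()
    collector.feed(body.get_content() if body else "")
    if GENERIC_GREETING.search(" ".join(collector.text_parts)):
        findings.append("generic-greeting")
    for href, text in collector.links:
        host = (urlparse(href).hostname or "").lower()
        if host in SHORTENERS:
            findings.append(f"shortened-link:{host}")
        elif not is_expected(host):
            findings.append(f"external-link:{host}")
        m = HOST_IN_TEXT.search(text)
        if m and m.group(1).lower() != host:
            findings.append(f"link-text-mismatch:{m.group(1).lower()}->{host}")
    return findings
```

Running `analyse(SAMPLE_FAKE, {"victim@example.net"})` lists every indicator the post points out on the fake; the constructed genuine mail produces an empty list. Note that a shortened link is reported on its own: as the NB above says, the final destination can’t be determined from the mail itself.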

Mails from “friends”

The last type of mail I’m going to look at is one that looked like it might have come from a friend. I certainly know someone called Susan Brown, but apart from the fact that the email address didn’t look familiar to me (1), the tone of the email just didn’t feel quite right. Whoever sent it certainly knew my name as it was plastered all over the mail but I was sure it wasn’t written by Susan even without checking.

Check with your friends if you get any emails that you’re unsure of, they may need to change their email password as a precaution too.

An email that looks like it might have been sent by a friend, but wasn’t

Once you’ve identified a phishing email

The general consensus about what to do with suspicious emails is:

Don’t click on any links – If you have then don’t enter any information that’s asked for, just close the website (close the tab so it doesn’t re-open the next time you open the browser) and then close the browser.

Don’t download any attachments – If you have then don’t open them, just delete them.

Don’t reply to the email

Report the email, either to the relevant organization or to a national organization for your country, like the NCSC (National Cyber Security Centre) or Action Fraud for the UK or the FTC (Federal Trade Commission) for the US.

Delete the mail, you don’t need it anyway.

Deal with any issues as soon as possible. If you believe you’ve been compromised by any phishing mails or scams, take appropriate action: contact the relevant organizations, change any compromised passwords, and consider running an antivirus check from a bootable USB (just make sure you create the USB from an uninfected machine), followed by an online scan from a reputable source such as F-Secure, Trend Micro, Norton, ESET or others if you have another preference. For Linux, there are free AV programs such as ClamAV, Sophos or F-Prot (F-Prot for Linux is free for home users when used on personal workstations).

Protect yourself by setting up email rules

With email rules set up in whatever mail client you use, you can more easily see if a mail is from the expected sender. For instance, if you create a folder for your eBay messages and then create a rule to move anything from *.ebay.com or *.ebay.co.uk into your eBay folder when it arrives, then anything that purports to be from eBay but turns up in your generic Inbox and not your eBay folder is probably phishing, or at least merits further investigation.

I won’t go into how to set up email rules because the process will be slightly different depending on whether you’re using webmail or a client like Outlook or Thunderbird, but it’s a good first line of defence.
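As an added illustration of that rule idea (Python, not this post’s code and not any mail client’s): a tiny router that files mail by sender-domain pattern, then flags anything that claims a brand in its display name or subject but did not match that brand’s rule, which is exactly the “purports to be from eBay but landed in the Inbox” case. The *.ebay.com and *.ebay.co.uk patterns are the ones given above; the PayPal rule, the brand words and the sample messages are constructed for the example.

```python
from __future__ import annotations

from email.utils import parseaddr
from fnmatch import fnmatch

# Rules: sender-domain patterns -> folder. The eBay patterns are the post's;
# the PayPal rule is added for the example.
RULES = [
    (("ebay.com", "*.ebay.com", "ebay.co.uk", "*.ebay.co.uk"), "eBay"),
    (("paypal.com", "*.paypal.com", "paypal.co.uk", "*.paypal.co.uk"), "PayPal"),
]

# A brand word in the display name or subject, and the folder genuine mail
# from that brand would have been routed to.
BRAND_CLAIMS = {"ebay": "eBay", "paypal": "PayPal"}

# Constructed sample of (From header, Subject) pairs.
SAMPLE_MESSAGES = [
    ('"eBay" <ebay@ebay.com>', "Your item sold"),
    ('"eBay" <noreply@members.ebay.co.uk>', "Message from seller"),
    ('"eBay Support" <support@ebay-helpdesk.example>', "Account suspended"),
    ('"Aunt Mabel" <mabel@example.org>', "Sunday lunch"),
    ('"Billing" <billing@mail.example>', "PayPal: confirm your payment"),
]


def sender_domain(from_header: str) -> str:
    """Domain of the real address, ignoring the display name entirely."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower()


def route(from_header: str) -> str:
    """Folder the rules would file this message into ("Inbox" if none match)."""
    domain = sender_domain(from_header)
    for patterns, folder in RULES:
        if any(fnmatch(domain, p) for p in patterns):
            return folder
    return "Inbox"


def claimed_brand(from_header: str, subject: str) -> str | None:
    """Folder a message *claims* to belong to, judging by name and subject."""
    name, _ = parseaddr(from_header)
    haystack = f"{name} {subject}".lower()
    for word, folder in BRAND_CLAIMS.items():
        if word in haystack:
            return folder
    return None


def triage(messages: list[tuple[str, str]]) -> list[tuple[str, str, bool]]:
    """(subject, folder, suspicious): suspicious when the message claims a brand
    but its sender did not satisfy that brand's rule, i.e. it landed in Inbox."""
    result = []
    for from_header, subject in messages:
        folder = route(from_header)
        claim = claimed_brand(from_header, subject)
        result.append((subject, folder, claim is not None and claim != folder))
    return result


if __name__ == "__main__":
    for subject, folder, suspicious in triage(SAMPLE_MESSAGES):
        flag = "  <-- claims a brand but missed its rule" if suspicious else ""
        print(f"{folder:7} {subject}{flag}")
```

The patterns are matched against the address domain only, so a convincing display name buys the sender nothing; that is the whole value of the folder rule.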

Restrict remote content

If an email contains an image, it’s possible that it’s being used to track whether the email has been opened. The image isn’t sent as an attachment but is downloaded from a server when the email is opened, and the sender can use that download to track which emails have been opened and from where (geolocation). Marketers can use this information to target ads, to see which of their campaigns are performing and which aren’t, or to find out whether an account is active. An image can even be a single pixel, so you might not be aware of it in the email at all.

Restricting this content can prevent such tracking. Some email clients block this content by default and you’ll be given the option to “Download Images” in most cases. You can also set up exceptions based on things like the email address of the sender, or the location of the content.

Gmail caches these images for users of its web interface and mobile Gmail apps, which helps prevent tracking and geolocation, but if you use a non-Google mail client it won’t be using Google’s caching servers, and you might want to consider blocking remote content if it isn’t blocked already.

Restrict return receipts

Some emails may contain a read-receipt request. You can choose to never send return receipts, to be asked every time, or to always send. I’ve set mine to never send, but you can choose different settings for different scenarios. At the very least I’d set it to ask every time, so you know when a sender is asking for a receipt.

Other protection options

I always wondered why the DevOps guys at work had their webcams covered. Now I know: it’s so that if you do get a mail saying you’ve been recorded, you’ll know it’s false, even if they have compromised your machine. If you work with a laptop and an external monitor, you can close the laptop screen, and I’ve known people disable the webcam from the BIOS. I usually just go with a clothes peg, or even just a piece of paper if there’s nothing else about.

Keep your software up to date. There are programs that will do this for you, or you can do it manually yourself.

Set up 2FA for your online accounts, then if your passwords are ever compromised, you’ll have the security of a second authentication to fall back on.

If you connect to the Internet at a hotel or coffee shop, or otherwise use a network connection you can’t be sure of, then consider using a VPN. If you don’t have a VPN set up to your home router and don’t use a paid service, you could use Cloudflare’s WARP service instead. There’s already an app in Google Play and the Apple App Store, so you’re fixed for your phone, and they’re working on a Windows and Mac app, with Linux to follow in the future.

Set your WiFi connection to use your choice of DNS server manually: turn off automatic DNS and point to Cloudflare 1.1.1.1, Google 8.8.8.8 or 8.8.4.4, or even the Quad9 9.9.9.9 service.

Set your browser to use DNS over HTTPS; Google, Cloudflare and Quad9 should support it, as should the Google Chrome and Firefox browsers.

Consider Sandboxing apps

Sandboxing is the process of restricting the resources available to an application to what is required to run it and no more. Any interaction outside of the sandbox requires some kind of user intervention, or may not be possible at all, making the process more secure.

For Linux, there are programs such as Firejail (but make sure you’re on Firejail version 0.9.56.2-LTS or later; I had issues with Firefox not accessing the Internet with 0.9.54). You can still open apps outside of the sandbox, but depending on your setup most will probably run in the sandbox (with the firecfg config option).

Windows has its own Windows Sandbox program as long as you have Windows Pro or Enterprise; for Windows Home users there’s a program called Sandboxie, which should perform the same or similar tasks.

Macs use the built-in macOS sandbox as their sandbox tool.

To cut a long story short, a summary

This blog post covered how to spot phishing emails and check for breaches.

It started by showing an example of a phishing email from a sender who had information about a known password. The following section discussed how that password may have been obtained and how to find out which of your passwords may have been involved in breaches.

The next section suggests where you can report phishing emails and has a few links you can use to further investigate the subject.

This is followed by some examples of phishing emails so you have an idea of how to spot some of the common phishing attempts.

Then there is a list covering what to do, or what not to do, once you’ve identified phishing emails, followed by some suggestions on how to protect yourself further (although not all the tips relate just to email phishing).

If you’re a network engineer and you could use an IPv4 subnet calculator (or if you just want the calculator) check out the free Techiedoodah IPv4 excel subnet calculator spreadsheet and if you get a lot of time hands-on rack side and need a tray to put your laptop on, let us know what you think of the Portable Rack Mount Laptop Tray and sign up if you want one. Type with two hands instead of one, be more comfortable, improve your productivity and get out of the server room sooner, (or wherever the rack happens to be).

