Identifying a Phishing Email

Phishing emails frequently have identifiable traits that can give you clues if the email is phishing or legitimate. The number one most important signal is that you were not expecting this email and don’t know the sender. In this case, it is considered safe to presume it is not legitimate. However, if you’re still uncertain or it looks like it might be from someone you’ve communicated with before, look for these red flags:

• Details of the email’s purpose are vague.

• The sender does not directly name the recipient (you).

• There are spelling/grammatical errors.

• There is a time-sensitive “action” they want you to perform. Example: a link that expires in 24 hours or a form that must be submitted by the next day.

• The sender is asking for money, or for a purchase to be made.

• There are links to Dropbox, Google Drive, or other free cloud file hosting services that are not linked to a domain such as otc.edu.

• The sender doesn’t provide a fully detailed signature with their full name, email address, and/or phone number.

• The email appears to come from an OTC user or email address, but is flagged by Office365 as coming from outside the company:

Open

Red Flag - Email and Display Names

Most email clients, including Outlook and the Outlook Web App, will show a display name as well as the email address in the email header - the top part of the email that contains the display name, email address, subject line, and timestamp of the email.

Example - An email header from outside OTC (legitimate):

Open

In this case, the display name is Atlassian Community and the email address is shown in brackets: info@e.atlassian.com.

You can also click Forward on the email (for informational purposes) and the header will be shown in a more practical format:

If you receive an email where the display name is someone you know, or from an organization you do business with, but the email address isn’t from the domain where they work or is different from previous emails they sent (especially from free email services such as Gmail, Yahoo, or a foreign country extension such as jmail.jp or mail.ru) this is a display name spoof. Please treat it as malicious.

Example - a phishing email. The email address shown (cyh11241@lausd.net) is not reasonably a Microsoft or O365 domain:

Conversely, keep an eye out for email addresses that appear to be legitimate, but do not match the display name convention of the company. For example, OTC display names are as follows:

Normal display name format: LYONS, KIMBERLY [lyonsk@otc.edu]

Illegitimate/Malicious actor: Kimberly Lyons [lyonsk@otc.edu]

The malicious display name has a seemingly correct email, but the wrong display name format - this is also a case of spoofing.

Red Flag - Links Within Emails

By now, you’ve heard everyone say “Don’t click on links in email unless you’re sure it’s real!” This is correct.

So if you’re not sure if the email is legitimate, how can you tell if the link is legitimate to tell if the email is legitimate?

It sounds like a catch-22, except here’s a trick! If you hover over the link, most email clients and web email applications will show you where that link goes without you clicking on it.

In this example, the URL suggests it should go to an adp.com address, but the link actually goes to goldenangelspa.com.

You might also see very long mouseover addresses that look like this:

This means Office365 ATP Safe Links (a threat identification protocol) is in operation on this link. Think of it as Office adding a redirect link to the original link so, when clicked, it gets redirected to a service that scans this link to see if it has been reported to Microsoft as malicious. If it has, you’ll then see a warning page:

If it has not been previously identified as malicious, it will then redirect you forward to the original link. This service is useful, but not foolproof, and should not be relied upon.

Identify a Legitimate Sender or Business

Here are some tips for identifying if a sender or the business they say they’re with is real:

• Identify the domain of their company.

  • The domain would be something like otc.edu or copyproductsinc.com. Most businesses strive to have a uniform website and email service domain.

    • Please note that very small businesses may still use free or unbranded email services like Gmail.

• Do a Google search for that company name and see if the domain matches their company website.

• If their company has a “Meet our Team” or a public-facing directory, see if the person from the email is listed.

Reporting Malicious Emails Using PhishNotify

If you’ve decided an email is spam or phishing, the easiest way to handle it is to use the PhishNotify Outlook plugin.

Outlook Desktop Application

• With the suspicious email open, find the Submit Email button on your ribbon (the red fish icon):
  
  

• A panel will pop up on the right-hand side. The email will be scanned and then reported:
  
  

• Once the scan is complete, click the Move to Junk Email button on the panel.

This will notify our team of a reported suspicious email and we will investigate it. You will receive an email confirmation when we begin investigating:

Outlook Web Application

To report phishing emails on the web version of Outlook:

• Open the suspicious email.

• Click on the red fish icon in the email header (it may also be inside the 3 dot “More actions” menu):
  
  

• A panel will pop up on the right-hand side. The email will be scanned and then reported.

• Once the scan is complete, click the Move to Junk Email button on the panel.

If you need further assistance, contact the Help Desk.