Anatomy of a phishing attempt

This morning, I received an e-mail which the various spam/mail filters managed to miss.  With only a passing glance, I recognised this as a phishing attempt, and nearly gave it no further thought.  However, being on an iPhone, the “from” address field had been truncated (to appear as “AppleStore@apple.e…”):

[image: the e-mail as displayed on the iPhone, with the truncated “from” address]

After a quick think, I decided that this would be worth a bit of a write up – for those who might potentially get caught out by this kind of thing.  I forwarded the e-mail to a GMail account, so I could get a better view of the whole e-mail:

[image: the full e-mail as viewed in GMail]

Which brings us to…

Anatomy of a phishing attempt

Why don’t we have a look at this particular e-mail and decide why you shouldn’t fall for it?  Let’s do it by the numbers:

1. Sender address

Although you can’t see it by default on an iPhone, the full address of the sender is listed as “AppleStore@apple.email.customers.11.com.au”.

Note how it doesn’t originate from an “@apple.com” domain?  Anything official will likely come from an Apple domain or subdomain (like @customers.apple.com).  The important part is the words to the far right, immediately before the domain extension (.com, .net, .org, .com.au etc.): that is the domain someone actually registered, and everything to the left of it can be made to say anything at all.  Here the registered domain is “11.com.au”; the “apple” at the front is just decoration.

Note that some phishing attempts can appear to come from legitimate sender addresses (the “from” header is trivially forged), so this alone shouldn’t be relied upon.

2. Subject line

The e-mail’s subject line is “Billing Information Update !”.  Notice the stray exclamation point (with a space before it) at the end?  Official corporate e-mail will nearly always omit superfluous punctuation like this.

3. Introduction

Although not always a rule, an e-mail like this would usually be personalised.  In this case “Dear Apple Customer” is vague and impersonal.  If they really had access to your account details, they’d know your first and last name, not just your e-mail address.

4. Body text (A)

You might not be a scholar of the English language, but this e-mail ought to feel disjointed, from a grammatical point of view.  Official corporate e-mails have almost certainly been reviewed by a legal team and would very rarely contain any broken or inaccurate English.

“It has come to our attention that your account Billing Information records are out of date.

That requires you to update your Billing Information.”

The second “floating” sentence isn’t correct English, another indicator of a phishing attempt.  The e-mail also isn’t formatted with Apple’s corporate colours, style or logo, which may or may not mean something (a more careful attacker would simply copy them).

5. Body Text (B)

Given that customers are a good source of income, it is HIGHLY unlikely that anyone is going to close a customer’s account over stale billing data.

Thus the claim “Failure to update your records will result in account termination.” is almost certainly a bogus threat, aimed to alarm the reader into swift (and unwise) action.

6. The Links

The links in the e-mail do not go to an official domain name.  This is another key aspect: the e-mail entices users to another website, which may even look exactly like the real one, but is built to capture your sensitive information, such as your account name and password.  Apply the same rule as for the sender address and look at the words immediately before the extension in each link, not at the familiar brand name that may appear further left.

Don’t trust links in these e-mails (even if they look legitimate); go to the official website yourself if you want to verify your account information, or get in touch with the company in question.
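To make the “words to the far right” rule from section 1 and the link check from section 6 concrete, here is a small Python script that applies both (plus the subject-line punctuation check) to an e-mail.  It is an added example, not code from the original post, and the sample message, hostnames and the short public-suffix table are constructed stand-ins, not the real attacker infrastructure:

```python
"""Automated versions of a few of the phishing indicators discussed above,
run over a constructed sample e-mail (not the actual message from the post)."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: a hand-picked stub of two-label public suffixes. A real
# deployment would use the full Public Suffix List (e.g. the `publicsuffix2`
# package) rather than this short set.
TWO_LABEL_SUFFIXES = {"com.au", "net.au", "org.au", "co.uk", "org.uk", "co.nz"}


def registrable_domain(hostname):
    """The labels that identify who registered the name: the 'words to the far
    right' before the extension. Everything left of them is chosen freely by
    the registrant, so apple.email.customers.11.com.au belongs to 11.com.au."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def sender_domain(from_header):
    """Domain of the address in a From: header, ignoring the display name."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def analyse(raw_message, official_domain):
    """Return a list of (indicator, detail) findings for one RFC 822 message."""
    msg = message_from_string(raw_message)
    findings = []

    # Section 1: compare the registrable domain of the sender, not the whole string.
    sender = sender_domain(msg.get("From", ""))
    if registrable_domain(sender) != official_domain:
        findings.append(("sender", f"{sender} is not under {official_domain}"))

    # Section 2: superfluous punctuation such as " !" or "!!" in the subject.
    subject = msg.get("Subject", "")
    if re.search(r"\s[!?]|[!?]{2,}", subject):
        findings.append(("subject", f"superfluous punctuation in {subject!r}"))

    # Section 6: every http(s) link must land on the official domain.
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    for href, text in collector.links:
        url = urlparse(href)
        if url.scheme not in ("http", "https"):
            continue  # mailto: and friends carry no hostname to judge
        host = url.hostname or ""
        if registrable_domain(host) != official_domain:
            findings.append(("link", f"'{text}' goes to {host}, not {official_domain}"))
    return findings


# Constructed sample modelled on the message described in the post; the link
# hostnames are example.net placeholders, not the attacker's real sites.
SAMPLE_MESSAGE = """\
From: "AppleStore" <AppleStore@apple.email.customers.11.com.au>
To: someone@example.org
Subject: Billing Information Update !
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear Apple Customer,</p>
<p>It has come to our attention that your account Billing Information
records are out of date.</p>
<p><a href="http://apple.account-update.example.net/login">Update now</a></p>
<p><a href="http://newsletter.example.net/unsub?u=someone-else@example.org">unsubscribe here</a></p>
</body></html>
"""

if __name__ == "__main__":
    for indicator, detail in analyse(SAMPLE_MESSAGE, "apple.com"):
        print(f"[{indicator}] {detail}")
```

Run as-is it reports the sender, the subject and both links; swap the sender and link hosts for subdomains of apple.com and drop the stray “ !” and it reports nothing.  The design point is that both the sender and link checks reduce a hostname to its registrable domain before comparing, which is exactly the mental step the post asks the reader to perform by eye.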

7. The Footer

Most legitimate corporate e-mail (as well as official Government e-mail) contains footer text with legal disclaimers.  In this case:

    Forget your password? Click here If you have any questions about our privacy policy, click here to contact our customer service center. We hope you found this message to be useful. However, if you’d rather not receive future e-mails of this sort from DHgate.com, unsubscribe here. Please note that product prices and availability are subject to change. Prices and availability were accurate at the time this newsletter was sent; however, they may differ from those you see when you visit AppleStore. Copyright Notice © 2004 – 2013 Apple All rights reserved.

The links, again, do not go to legitimate domains, and the “unsubscribe” link even references someone else’s e-mail address.  Classic.  There’s also a mention of “DHgate.com”, which has nothing to do with Apple; it looks like they skimmed the footer from someone else’s newsletter!

Summary

Applying a small amount of cynicism when receiving alarming emails will help you avoid being the victim of phishing attempts.  Always ask yourself if you trust the source of the email and whether or not the email appears to be legitimate.

This was a very poor phishing attempt.  There are others which are more sophisticated, but none of them would pass all of the checks I’ve listed here.

Warning Signs

If the message doesn’t display well (like on an iPhone), forward it to another e-mail account and take a look on a larger screen, where the full sender address and link destinations are visible.

Worst case scenario, get in touch with the company in question using their official website or contact phone numbers.

Please pass this along to any friends or family who you think could benefit from these tips.  Together we can defeat scammers and phishing attempts.
