Recognizing Malicious E-mail

Summary

This article illustrates various ways users can recognize potentially malicious e-mail, which is a common form of social engineering.

Introduction

There are many different types of malicious e-mail sent throughout the world on a daily basis with the purpose of luring recipients into opening virus-infected attachments or clicking on poisoned links designed to either install malicious software or gather private and personal information.  However, there are some common things e-mail users can see in these types of “phishing” e-mails which can remind them to be cautious.

The below illustration — an actual e-mail received by a campus user — shows 10 things to notice when receiving unsolicited e-mail which may indicate the message is malicious.  The indicators are numbered for easy reference.

Here is what is significant about each item:

  1. First of all, the recipient does not know this person and, though other aspects of the e-mail try to imply it is a college employee, there is no one working at the college with this name.
    • Second, the person’s name is shown in last name, first name order.  While it is possible some e-mail systems may use this convention (Bellevue does not), most e-mail systems display the sender’s name in standard first name, last name order.
  2. This “unit” is listed here in a manner intended to convince the recipient it came from someone on campus, but Bellevue College does not have a unit with this specific name.  However, we do have one that goes by the various names “Early Learning Family Childcare Center”, “Early Learning Center”, or “Childcare Center.”
    • It can be difficult to recognize the names of all units on campus, but the point is to be aware that even though something in an e-mail may look “official”, you should still be suspicious.
  3. This is the easiest indicator that this is a bad e-mail. While the text of the e-mail implies this information came from within the campus, this e-mail address is not a Bellevue College e-mail address.
  4. It is a rare occurrence on campus when an e-mail is sent to both employees and to students at the same time.  However, this salutation was added here like this to imply that this communication is somewhat official.
    • In addition, when the text of an e-mail identifies that YOU, as an individual have a problem, but it is addressed to a GROUP of people, something is fishy (or phishy…)
  5. Login accounts or e-mail accounts can be compromised, but because web-based mail on this campus is directly tied to your e-mail, your “webmail” account alone could never be “compromised”; it doesn’t exist as a separate entity.
    • If this were an authentic e-mail sent by the Help Desk, we would use the terms “NetID”, “login”, or “e-mail” to describe your account.
  6. Any direct request in an e-mail to “click the link” or to “validate your mailbox” immediately shows that mailing is not authentic.
    • Information Technology Services (ITS) technical support personnel would NEVER ask you to do this in an unsolicited e-mail.
  7. The URL or web address the e-mail would like to convince you to click is not a Bellevue College web address.  This can be tricky to detect for a couple of reasons:
    • Sometimes the displayed address is not the real address, which is actually “underneath” the link, so even one that looks like it is a BC site could be falsified.
    • Sometimes non-BC sites ARE now being used by campus units to conduct official BC business.  The bottom line is simply to never to click a link unless you are absolutely certain it is authentic (meaning you verified it with the sender through a means other than e-mail).
  8. The repetitive text in the body of the e-mail is used to help persuade you that clicking on the link is important—after all, it is mentioned twice, isn’t it?
    • This is a psychological ploy that is frequently used in malicious e-mail to reinforce the importance of doing what the malicious sender wants you to do.
  9. The sender’s “signature” is also in last name, first name order.
    • Very few people use this convention in real signatures, so this is another indicator that some sort of automated phishing database was used to generate both the fake sender name at the top and this fake signature.
  10. The subject line is an interesting problem because it is actually very close to the type of subject line that the college’s automatic notification systems may use.
    • Sometimes the subject line will be indicative of a malicious e-mail, but sometimes (as in this case) it may not.
    • However, it is important to notice that one right thing in the e-mail does not negate the nine things obviously wrong with it.  Again, always be suspicious.

It takes some effort for users to do their part to help keep the college’s technology working appropriately, but if you take the time to critically look at e-mail, you can save yourself and the college from the kinds of difficulties caused by falling for these types of malicious e-mails.


Further Information

If you need further information or assistance with e-mail or any technology resource on campus, please contact the Technology Service Desk (x4357).

Details

Article ID: 23794
Created
Fri 1/27/17 4:54 PM
Modified
Wed 1/9/19 1:04 PM