Spam (unsolicited bulk messages) and phishing (obtaining privileged information by masquerading as a trustworthy entity) have become a part of everyday life for anyone who uses email for personal or business communication. Cyber-criminals behind spam and phishing messages have been perfecting their craft for decades and, as a result, it is often difficult to distinguish spam from legitimate emails. Some observational techniques could be helpful and a number of services exist to assist with verifying reputation of various websites and phone numbers, which can be used to gauge the validity of a received email.
While the sender address is a good first indication of
whether an email message is legitimate or not (for example, an email
that claims to be from AMEX, but was sent from “firstname.lastname@example.org” is
almost certainly malicious), but it is worth noting that sender address
is very easy to fake (aka “spoofing”). Just like the return address on
“snail mail”, the sender information is provided by the sender himself
and, in majority of cases, not verified by the email server. Do not rely
on the sender address alone for validating the identity and validity of
The goals of a spam or phishing messages will usually boil down to one of the following:
1. Getting you to click a link in the message
2. Getting you to open the attachment in the message
3. Getting you to call a number and provide information
4. Getting you to reply to the message with requested information
Generally, if you have any doubts about the origin of the message, it
is best not to do either of the above. However, if you do think that the
request may be legitimate (again, keep in mind that spammers are
getting very good and making you think that, that is their 'bread and
butter'), here are some tips on how to attempt to verify each of the above
before you proceed.
How to check if something is malicious
Links/Websites: following free services
will let you copy-paste the link from a suspect email message and check
the validity/potential risk rating of that link:
- this is a “peer review” site, where site’s ratings are contributed by
other site users; so if Bob and Alice say that a site is bad and Jim
later goes to check the site’s rating – he will see the previous
negative feedback. Anybody can review the site and the service offers a
free browser plugin to automatically alert against visiting sites with numerous negative reviews.
- this is a service that is very similar to the one above in functionality but is now offered by McAfee.
All site reviews are provided by McAfee staff (however, individuals can
submit their recommendations on suspect websites). This service also
offers a browser plugin for automated website and search validation.
– free service now owned by Google, which will check the site’s
reputation against 51 different reputation services, similar to the ones
listed above. It will not show any details on the reputation, but will
provide a summary judgment as to whether it could be trusted or not. There is also a section for users to leave comments on each of the URLs but it doesn't seem to be as popular as the MyWOT one.
Same service offers antivirus scanning for attachments, but more on that
Files/Attachments: following services will let you
upload a file to be scanned by an antivirus, other than the one that is already
(hopefully) present on your computer. You can save a copy of the file to a folder on
your computer and upload it to be scanned from there; do not double-click/open the file
and always use your local antivirus to scan the file first. Please note
that personal/sensitive data should not be uploaded to third party
services, as there is no telling what might happen to that file after it has been scanned.
– service owned by Google which will let you upload the suspicious file
or email attachment, to be scanned by 46 different antivirus programs.
Antivirus programs are only as good as their signature definitions and
often one or two of them will be able to detect a certain virus variant
before everyone else creates a signature for it. This lets you make sure that none of the antivirus
vendors think the file you’ve received is malicious.
– another service similar to the one above, which will scan an
uploaded file with 42 different antivirus programs. All the same
limitations apply, but the permitted file size is slightly higher.
Please note that just because an antivirus does not detect a virus in
the file, it doesn’t mean that it isn’t there. Antiviruses can generally
only detect malware that they are aware of, and a new variant, or a variant
encrypted in a password-protected ZIP archive, for example, will not be
detected. Be extra vigilant if files are sent to you in
password-protected archives, this is a common technique used to bypass
Phone Numbers: confirming phone numbers can
be tricky because a large number of websites offering phone number
reputation services are “commercialized” and require you to pay for the
information. So far only the following website, using information provided by other users, has been free and consistently accurate
with identifying suspicious phone numbers:
- website similar in functionality to MyWOT, where users are able to
contribute their experiences with a certain phone number to an overall
number review page. Keep in mind, that while this can be used to
validate phone numbers included in an email, one should not rely on it
for phone numbers on received calls. Similar to the sender address on
email messages, caller phone numbers can be easily spoofed to masquerade
as any other number and this is a technique often used for social
In conclusion, you should always avoid clicking links or opening attachments in emails that you did not expect to
receive, even if they appear to be sent by someone you know. Even the most legitimate-looking messages may be phishing for your
sensitive information, to be used for identity theft or further attacks
against you or your organization. If you do believe that a message is
legitimate, or you have any doubts about it - double-check using one of the above reputation services before acting
on anything requested in said email. Good luck out there!