How to identify the phishing email

by Nick Evans | Mar 28, 2017 | Articles

I was wondering how to broach the subject of phishing while attending a Thought Leaders dinner at the Cavalry and Guards Club in London this week – a club steeped in English history from Wellington, to Waterloo and Napoleonic wars – a fitting place to discuss the topic of the day – cyber warfare and cyber crime, with my peers. I was, at that time, rather in a quandary as to how I might succinctly relay information on phishing in such a way as to be both relevant and potentially of interest to all.

Thankfully, one of the stories relayed during the course of that event was highly relevant, giving a very pertinent example of Phishing in action and I resolved to relate it here.

It involved a case where a book-keeper for a medium-sized company received an email from a supplier requesting its bank details be updated forthwith. The bookkeeper, with the best of intentions, updated the bank details for the supplier and proceeded to pay amounts against weekly invoices received into the updated supplier bank account. It was six weeks and £250,000 later when the supplier contacted the company to ask why their invoices were no longer being paid.

It transpired that the original email from the supplier asking for the bank details to be changed was in fact what is known as a phishing email. For all intents and purposes it looked like it was from the supplier, contained the supplier logo, seemed to be from the accounts department of the supplier, all seemed in order. However, in fact it was from a cyber criminal intent on stealing funds from the company via a set of duplicitous actions – a veritable cyber criminal at work.

The upshot of the matter was that the company had no recourse through either bank, law or supplier as the perpetrators were long gone and had covered their tracks as one might expect – leaving the company, not the supplier, to pick up the £250,000 cost. The company was also not covered by cyber security insurance – but that is a story for another day.

There are many such accounts of similar events circulating where targeted (also known as spear) phishing emails, many of which involve correspondence that appears to come from the CEO of the company, instructing that funds are urgently required and should be paid directly into an account as provided within the email. These also result in significant monetary loss.

But there are many more ways to be caught out by phishing emails – either at enterprise level or as individuals.

As luck would have it, and showing how prevalent and relevant phishing really is today, I can relate one of my own most recent experiences. When collecting my 21-year-old son from work here in Cardiff, he was very excited as he relayed that on that very day he had received an email from Her Majesty’s Revenue and Customs (HMRC) office – the UK tax office, stating that he was due for a refund of some £600 on income tax that he had paid this past fiscal year. Fortunately, as with a lot of youngsters living at home today, it is always easier to ask Mum to fill such forms. So he had done nothing about it but was asking if I could ‘help’ him (meaning would I do it!). The first thought that sprang to my mind was that it was too early for such correspondence to be sent – one would not expect this type of correspondence until after April 6, when the new tax year begins. This rang alarm bells with me and I informed my son that it was likely a scam (phishing) email aimed at gleaning his bank details in some way or some such other scam. My son, as all 21 years here in the UK are wont to be, was at first skeptical and quite adamant that it could not be a scam as the email looked very official – it had the HMRC logo, the email address stated that it was from HMRC – and so how could it be a scam. On further investigation, my initial fears proved correct and I was able to teach my son what to look for in a phishing or scam email.

So here’s what I deduced from the email itself. Firstly the salutation was incorrect – the email was addressed as follows: ‘Dear [email protected]’. No Government department would address an email in such a way – it was an offence to English language. Second, there were a number of other spelling and grammatical errors, a letter missing here a typo there. No bonafide Government department would send a missive with such glaring mistakes. These initial telltale signs led me to investigate further. Thirdly, the email was asking for my son to provide details for the refund by way of an online form – thankfully my son had not yet clicked on the link. No Government department would require any person or organisation to provide such information outside of a secure environment. Indeed as an enterprise, there is a three-factor authentication process that includes two separate emails and a physical letter delivered to the registered address before you can register for any such online Governmental service here in the UK. Normally, when viewing such an email from my laptop I would hover the mouse over the link to ascertain where exactly it was leading to prior to clicking. This is always good practice. Be very careful as often all is not how it may first appear. However, as we were on my son’s mobile there was no way to do this. Finally, the display name stated that the email was from “Refunds at HMRC”. I double-clicked the email address to display the actual email address as opposed to the display name and could see that in fact the email came from a gMail account – not an email address as the display name seemed to indicate.

So my advice for this week is: when opening emails, be suspicious, be very suspicious, even if it looks like it is from someone you know. If you receive an email that is asking for a change that affects your finances or that of your company, STOP! THINK! CHECK! Check it out thoroughly before you act upon it or click any links.

DO check the email address by double clicking on the display name. DON’T click on any of the links in the email until you are sure it is from someone you know and even then check to see where the link will take you before clicking – you never know if your colleague’s email account has been hacked. DO hover your mouse over any links contained in the email if you can but be wary of web addresses that look similar to the real thing e.g. and look very similar; look very carefully at those web addresses and you will see the difference – these are known as confusables, where combinations of characters look similar to other characters. DO read the email for initial telltale signs, such as spelling and grammatical errors and other signs, that it is not the usual type of message you expect to see from that person or company. If in doubt, ask for a second opinion.

Stay safe, stay secure!