Anatomy of a Phishing Email

I received an email today which was purporting to be from Apple Support telling me that my AppleID had been locked.

This email was quite similar to other emails that I’ve received from Apple: it had an Apple logo on it and the fonts were all Apple, but this email had a number of giveaway signs that it wasn’t what it purported to be. All I had to do, all you have to do, is look for them.

These emails are deliberately structured to get us to react within the first few seconds, before our rational mind has kicked in. What we have to build is a reflex that says “what?”. Our rational brain will then wake up and start to point out the things we should have seen at the start, and there were quite a few of them in this email, things like:

Email Subject

The subject of the email makes no sense. It doesn’t even relate to the issue within the body of the email. “New Statement Updates”: a statement about what? “login from other browser in Denmark” isn’t English, and everyone knows that you don’t put a space before an exclamation mark.

Email Sender

The sender of this email claims to be service@apple.com, but outlook.com does a reasonably good job of showing that this is just a front. The real sender of the email is something radically different.

This message is from a trusted sender?

There’s a poorly created graphic at the start of the email that is trying to mimic something that outlook.com does, but it’s clear it’s a graphic and not a very good one at that.

Text Inconsistencies

There is a whole set of inconsistencies in the text that is presented. The most obvious is in the footer, where there is underlined text that would normally link somewhere, but no links have been included. The creators of this email don’t want you going off elsewhere.

There’s another reason for this: it’s an attempt to circumvent the SPAM filters. Emails with multiple embedded links are treated more suspiciously.

The text of the email as a whole, once you read it, should also raise suspicions. The English isn’t great, including basic things like capitalisation and repetition.

The first line is as far as you should need to read:

someone else enters your password, security questions, or other account information incorrectly too many times, your Apple ID automatically locks to protect your security and you can’t sign in to any Apple services.

“someone else enters your password”?

This doesn’t take any special skill; it takes reading and suspicion.

Misdirected Links

The text of the email then invited me to click on a link that said it was to iforgot.apple.com. This is the primary purpose of this email – getting me to click on this link.

iforgot.apple.com is the right place for me to go to resolve any issue with my AppleID, but the link associated with this text isn’t to apple.com; it’s to somewhere else, which I’m sure will look a lot like the apple.com account page, will ask me for all sorts of details and pass them on to a number of individuals whose purposes will be less than friendly.

I have clicked on the link, and although the outlook.com SPAM filters let the email through, the link checker told me that the link was unsafe and advised that I go no further.

It’s also worth noting that the text is written without the https:// at the front of it to try and circumvent the spam email filters.

But that’s not all.

No Apple ID

The ultimate giveaway for this email being a phishing attack is this – there is no Apple ID associated with the email address that this email was sent to.

Conclusion

Every time you receive an unexpected email you need to learn to say “what?” and in so doing trigger your rational brain to think. Once you start thinking you can often avoid future heartache.
