Recognize Fraudulent E-mails

General

Scam e-mails refer to all types of fraudulent e-mails. Phishing e-mails are a subtype and aim to obtain information from the recipient, such as their personal data, passwords, or credit card details.

This article explains the key identifying features of fraudulent e-mails.

Basics for handling suspicious e-mails

Banks and other companies have their customers' data and know who they are sending an e-mail to. Therefore, you will usually find a personal greeting in the e-mail. Most importantly, they do not ask for personal information—since they already have it from their customers. Sending personal data to an unknown recipient can lead to identity theft.

Fraudsters often fake the appearance of e-mails and websites of alleged banks and companies. Images and some links may point to the original website. Therefore, all links should always be checked carefully.

Inquiring with the alleged sender may provide clarity. However, do not use the phone number or link from the e-mail in question.

Links in suspicious messages should not be clicked, nor should attachments be opened.

Suspicious messages should be viewed in plain text mode, as this reveals many signs of fraudulent messages.

Simple identification signs

Signs of a suspicious message are the points listed in the following sections; each is explained in more detail there.


No business relationship with the sender

The sender has no business relationship with the recipient.

Fraudsters also send messages on a whim, without knowing the recipient's actual bank or internet provider. They simply use very common banks or providers as senders.

Therefore, you should first check whether you are actually a customer of the company in question and whether the message could even be relevant.

Request to disclose data

The recipient is asked to disclose personal data, login details, or bank and credit card information, and is expected to submit it either by replying to the e-mail or by entering it on a website.

Urgency of action or threats

The message emphasizes the urgency of a specific action and threatens serious consequences if the recipient does not act immediately.

This can be phrases such as "Your password will expire today." or "Update your information to avoid account suspension.".

Unusual request

The message contains a request that is unusual for the sender.

This could, for example, be a payment order from the managing director to the finance department, even though the managing director usually orders transfers in person or by phone. Security issues with banks and network providers could also be the subject of the message and require the disclosure of data.

Common situations

Fraudsters often use the following alleged situations to unsettle the recipient and entice them to disclose personal information:

Sender address does not match the alleged sender

The domain must match the sender and usually also corresponds to the domain of the sender's website.

Senders are usually specified in the format "Name" <e-mail@domain.example>. Some e-mail clients display only the name and hide the address. Using an e-mail address as the display name therefore deceives easily: for the sender "service@bank.example" <service@bank.provider.example>, many clients show only service@bank.example, although the real address lies in the domain bank.provider.example.

Some senders also use the recipient address as the sender address, especially if the message allegedly concerns security issues.
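As an added example (not code from the original article), the following Python snippet parses a From header and flags the two tricks just described: a display name that itself looks like an e-mail address but belongs to a different domain than the real sender address, and a sender address identical to the recipient's own. The sample header values and the recipient address are constructed for illustration.

```python
import email.utils
import re

# Constructed sample From header values (not from the original page).
SAMPLE_FROM_HEADERS = [
    '"service@bank.example" <service@bank.provider.example>',  # address used as display name
    '"Bank Customer Service" <service@bank.example>',          # ordinary, consistent header
    'victim@example.org',                                      # sender equals recipient
]
RECIPIENT = "victim@example.org"  # assumed recipient address for the samples


def domain_of(address):
    """Return the lowercased domain part of an e-mail address, or '' if absent."""
    if "@" not in address:
        return ""
    return address.rsplit("@", 1)[1].lower()


def check_from_header(raw_from, recipient):
    """Return a list of warnings for one From header value.

    Checks performed:
      * the display name looks like an e-mail address whose domain differs
        from the domain of the real sender address;
      * the sender address is identical to the recipient address.
    """
    name, addr = email.utils.parseaddr(raw_from)
    name = name.strip()
    warnings = []
    addr_domain = domain_of(addr)
    # A display name of the form user@domain is a classic trick, because many
    # clients show only the name and hide the real address.
    if re.fullmatch(r"[^\s<>@]+@[^\s<>@]+", name) and domain_of(name) != addr_domain:
        warnings.append(
            f"display name {name!r} looks like an address but the real "
            f"sender domain is {addr_domain!r}"
        )
    if addr.lower() == recipient.lower():
        warnings.append("sender address equals recipient address")
    return warnings


def audit_from_headers(headers, recipient):
    """Map each raw From value to its list of warnings."""
    return {raw: check_from_header(raw, recipient) for raw in headers}


if __name__ == "__main__":
    for raw, warnings in audit_from_headers(SAMPLE_FROM_HEADERS, RECIPIENT).items():
        print(raw, "->", warnings or "no findings")
```

The check deliberately compares only the domain of the display-name address with the domain of the real address; whether the real domain itself belongs to the alleged company is a separate question, covered by the sections on links and similar domains below.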

Sender information is vague, inaccurate, or false

Fraudsters usually don't know which provider or banking institution the recipient is a customer of. Therefore, they often omit the exact name of the alleged sender to deceive the recipient. Examples of vague senders without precise company information or addresses include "Network Center, Vienna", "The Support Team", "Your Administrator", or "Customer Service".

Links do not match the alleged sender

The internet addresses (URLs) in the message links do not match the alleged sender.

In legitimate messages, the links usually lead to the sender's own website. Scammers try to conceal their own internet addresses in various ways.

In HTML e-mails, the displayed addresses may differ from the actual linked addresses. The status bar of the e-mail client or the browser in webmail displays the actual address.

Reading an e-mail in plain text view also helps in identifying the actual internet addresses.

The section "Technical identification features" discusses unusual and obfuscated URLs in more detail.

Similar fake domains

Fraudsters sometimes register similar domains to deceive the recipient. Characters that resemble other characters are swapped: i and l, o and 0, etc. Hyphens, doubled letters, or added suffixes can also change the domain without the recipient noticing. For example: "hypo-bank" instead of "hypobank" or "raifffeisen" instead of "raiffeisen".

This applies not only to the domains in the message links but also to the domain in the sender's e-mail address.

The section "Technical identification features" discusses similar domains using Unicode characters in more detail.

Missing or unusual salutation

The personal salutation in the message is missing, incorrect, or unusual.

A formal salutation using only the first name, as in "Dear Mr. Max", is rather unusual.

Sometimes the salutation corresponds to the first part of the recipient's address, e.g., "Good day info, ..." for the e-mail address <info@example.com>.

Another sign of a dubious e-mail is that the sender of the message places their own salutation before their name, e.g., "My name is Mr. Max Doe ..." or "I am Ms. Maxine Doe from ...".

Inappropriate text or characters in the subject or body

Text at the end of a message that does not match its beginning is often a sign that a legitimate website function was abused to send it, for example a form that lets the sender inject text into an otherwise genuine notification. The beginning of the message might then be about changing your password, while the end is a recommendation for another website.

Sometimes random characters, words, or entire passages of text are added to the end of the subject or body. This is intended to make it more difficult to automatically identify the message as spam.

Sometimes incorrectly encoded special characters are also found, e.g., a question mark as a placeholder instead of a German umlaut. This may indicate that the sender does not normally send German-language texts. However, there are other possible reasons for such encoding problems, so this should not be considered a sure sign of a fake e-mail.

Spelling or grammatical errors in the text

The text or subject line contains spelling or grammatical errors.

Even though scammers now use AI and good translation programs, so that their texts are relatively well written these days, you should still be careful. A closer examination of the message is particularly advisable if the wording is unusual for the alleged sender.

Technical identification features

Internet addresses are unusual or obfuscated

The actual linked addresses can be viewed in the message source code. They are found in the href attribute of the a tags, while the address shown to the reader is the link text: <a href="https://LINKED_ADDRESS/">https://DISPLAYED_ADDRESS/</a>. If the two differ, the displayed address is a decoy.

The message can also be viewed in plain text mode to see the URLs used in the text version of the message.

URL shortener services such as shorturl.at, tinyurl.com or bit.ly are often used to disguise the actual address.

Using IPFS URLs is another sign of dubious messages. IPFS (InterPlanetary File System) is a peer-to-peer network for hosting files. Because the content is stored decentrally, such a page can practically not be taken down and remains accessible. The URL contains a hash value called the Content Identifier (CID) and usually also the name "ipfs", e.g.: "https://b94d...CID...7hr1.ipfs.dweb.link" or "https://ipfs.io/ipfs/8ed0...CID...k7da" (CID shortened/changed in the examples).
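As an added example (not code from the original article), the following Python snippet extracts the href and the visible link text from an HTML body and applies the three checks described in this section: displayed address differing from the linked address, known URL shortener hosts, and IPFS gateway URLs. The HTML body, the attacker host name and the CID-like label are constructed for illustration; the shortener list contains only the three services named above.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed HTML body imitating a phishing mail (not from the original page).
SAMPLE_HTML = """
<p>Dear customer, please confirm your login:</p>
<a href="https://login.bank.example.attacker.example/verify">https://bank.example/login</a><br>
<a href="https://tinyurl.com/abc123">Customer portal</a><br>
<a href="https://bafybeigdyrzt.ipfs.dweb.link/index.html">Open secure document</a><br>
<a href="https://bank.example/contact">https://bank.example/contact</a>
"""

# The shortener services named in the text above.
URL_SHORTENERS = {"shorturl.at", "tinyurl.com", "bit.ly"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lowercased host name of a URL, '' if it cannot be parsed."""
    return (urlparse(url).hostname or "").lower()


def classify_link(href, text):
    """Return the list of findings for one link (empty list = nothing suspicious)."""
    findings = []
    real_host = host_of(href)
    # 1. Link text is itself a URL, but points to a different host than the href.
    if re.match(r"https?://", text) and host_of(text) != real_host:
        findings.append(f"displayed {host_of(text)} but links to {real_host}")
    # 2. Known URL shortener used to hide the final destination.
    if real_host in URL_SHORTENERS:
        findings.append(f"URL shortener {real_host}")
    # 3. IPFS gateway: subdomain style (<cid>.ipfs.<gateway>) or path style (/ipfs/<cid>).
    path = urlparse(href).path.lower()
    if real_host.startswith("ipfs.") or ".ipfs." in real_host or path.startswith("/ipfs/"):
        findings.append("IPFS gateway URL")
    return findings


def audit_html(html):
    """Map every href in the body to its findings."""
    parser = LinkCollector()
    parser.feed(html)
    return {href: classify_link(href, text) for href, text in parser.links}


if __name__ == "__main__":
    for href, findings in audit_html(SAMPLE_HTML).items():
        print(href, "->", findings or "no findings")
```

The host comparison is deliberately exact: "login.bank.example.attacker.example" is not bank.example, even though it starts with that name. Comparing only the registrable domain is what makes such subdomain tricks work against human readers.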

Using Unicode characters

Some letters look so similar to other Unicode characters that the difference is barely noticeable to the naked eye. However, to a computer, they appear to be completely different characters.

This allows fraudsters to register a domain that looks like the domain of a particular company to the recipient, but is technically completely different. Greek and Cyrillic characters are particularly suitable for this.

Here's an example: by using the small Greek letters Nu (ν), Omicron (ο), Alpha (α) and Upsilon (υ) in place of v, o, a and u, the domain "voss-bau.example" can be imitated as "νοss-bαυ.example". Visually there is hardly any difference, but technically the fake domain is "xn--ss-b-3ld1eo7c.example" (the Punycode form that is actually used for DNS queries).

When Unicode characters are used in text, it usually remains easily readable for humans. In this example, the letters "I" and "r" were replaced, among others: Ī am a pŗofessional ҤaCkeŗ and successfully hacked youŗ opeŗating system.
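As an added example (not code from the original article), the following Python snippet checks a domain from a link or sender address against a trusted domain and covers both the similar-domain tricks from the section "Similar fake domains" (swapped characters, hyphens, doubled letters) and the Unicode trick from this section. It converts the domain to the Punycode form the resolver actually queries, detects mixed scripts within a label, and compares a "skeleton" in which confusable characters are mapped to their Latin look-alikes. The confusables table is a hand-picked subset and not the full Unicode confusables data; the trusted domains are constructed.

```python
import unicodedata

# The look-alike domain from the text, written with explicit code points so the
# Greek letters cannot be confused with Latin ones in the source file.
LOOKALIKE = "\u03bd\u03bfss-b\u03b1\u03c5.example"  # νοss-bαυ.example
TRUSTED = "voss-bau.example"

# Partial confusables map (assumption: a small hand-picked subset, not the full
# Unicode confusables table). Greek and Cyrillic letters and two digits are
# mapped to the Latin characters they resemble.
CONFUSABLES = {
    "\u03bd": "v", "\u03bf": "o", "\u03b1": "a", "\u03c5": "u",  # Greek nu, omicron, alpha, upsilon
    "\u03c1": "p", "\u03b5": "e", "\u03b9": "i", "\u03ba": "k",  # Greek rho, epsilon, iota, kappa
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic a, ie, o, er
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",  # Cyrillic es, ha, u, byelorussian-ukrainian i
    "0": "o", "1": "l",                                          # digit look-alikes
}


def to_ascii(domain):
    """Punycode (IDNA A-label) form of a domain, i.e. what the resolver queries."""
    return domain.encode("idna").decode("ascii")


def scripts(label):
    """Set of scripts used by the letters of one label, taken from Unicode names."""
    found = set()
    for ch in label:
        if ch.isalpha():
            found.add(unicodedata.name(ch).split()[0])  # 'LATIN', 'GREEK', 'CYRILLIC', ...
    return found


def skeleton(domain):
    """Collapse confusable characters so that look-alike domains compare equal."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in domain.lower())


def levenshtein(a, b):
    """Edit distance, used for typo variants such as doubled letters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_domain(domain, trusted):
    """Return findings for a domain compared with the trusted domain of the alleged sender."""
    findings = []
    if domain == trusted:
        return findings
    a_label = to_ascii(domain)
    if a_label != domain:
        findings.append(f"IDN: resolves as {a_label}")
    first_label_scripts = scripts(domain.split(".")[0])
    if len(first_label_scripts) > 1:
        findings.append("mixed scripts: " + ", ".join(sorted(first_label_scripts)))
    if skeleton(domain) == skeleton(trusted):
        findings.append(f"visually identical to {trusted}")
    elif levenshtein(domain.replace("-", ""), trusted.replace("-", "")) <= 2:
        findings.append(f"typo/hyphen variant of {trusted}")
    return findings


if __name__ == "__main__":
    print(LOOKALIKE, "->", check_domain(LOOKALIKE, TRUSTED))
    print("raifffeisen.example ->", check_domain("raifffeisen.example", "raiffeisen.example"))
    print("hypo-bank.example ->", check_domain("hypo-bank.example", "hypobank.example"))
```

The Punycode result for the domain from the text is "xn--ss-b-3ld1eo7c.example": the four Latin characters "ss-b" survive unchanged in front of the separator, and everything after it encodes the positions and code points of the four Greek letters. Mixed scripts in a single label are a strong signal on their own, since almost no legitimate brand mixes Greek or Cyrillic letters with Latin ones.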

Further signs of fraudulent messages can be found in the article Spam Mails in the section The tricks of spammers.

Sender in the headers is incorrect

The actual sending server can be checked in the Received lines of the headers, which each mail server involved in delivery adds on its way.

Further information on reading and understanding headers, especially the Received lines, can be found in the article Understanding E-mail Headers.

SPF, DKIM and DMARC failed

The headers may also contain information about automated tests performed by the mail servers involved in delivery.

Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC) are designed to prevent the sending of messages with a forged sender address or to detect such attempts.

The header names may vary depending on the operator; here are some examples:

Received-SPF: fail
X-Spf-Fail: Yes
X-Dmarc-Test: Reject

The results can also be found as part of the "Authentication-Results" line:

Authentication-Results: host.example.com;
 dkim=pass ...
 spf=pass ...
 dmarc=pass ...
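As an added example (not code from the original article), the following Python snippet reads the headers of a raw message, evaluates a Received-SPF line and parses a folded Authentication-Results header into its dkim, spf and dmarc results, reporting every result that is not "pass". The raw message, the host name host.example.com, the IP address and the domain bank.example are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed raw message (not from the original page). The Authentication-Results
# value is folded over several lines, as it usually is in real headers.
SAMPLE_MESSAGE = """\
Received-SPF: fail (host.example.com: domain of bank.example does not designate 198.51.100.7 as permitted sender)
Authentication-Results: host.example.com;
 dkim=none (message not signed);
 spf=fail smtp.mailfrom=bank.example;
 dmarc=fail (p=REJECT) header.from=bank.example
From: "Bank Service" <service@bank.example>
Subject: Update your information to avoid account suspension

Please confirm your details today.
"""

CHECKED_METHODS = ("dkim", "spf", "dmarc")


def parse_authentication_results(value):
    """Return e.g. {'dkim': 'pass', 'spf': 'fail', 'dmarc': 'fail'} from a header value."""
    results = {}
    # Unfold the header, skip the authserv-id before the first ';', then read method=result.
    unfolded = value.replace("\r\n", " ").replace("\n", " ")
    for part in unfolded.split(";")[1:]:
        m = re.match(r"\s*(dkim|spf|dmarc)=(\w+)", part, re.IGNORECASE)
        if m:
            results[m.group(1).lower()] = m.group(2).lower()
    return results


def check_auth_headers(raw_message):
    """Return the list of failed or missing authentication results in a raw message."""
    msg = message_from_string(raw_message)
    findings = []
    spf_line = msg.get("Received-SPF", "")
    if spf_line.strip().lower().startswith("fail"):
        findings.append("Received-SPF: fail")
    for value in msg.get_all("Authentication-Results", []):
        results = parse_authentication_results(value)
        for method in CHECKED_METHODS:
            result = results.get(method, "missing")
            if result != "pass":
                findings.append(f"{method}={result}")
    return findings


if __name__ == "__main__":
    print(check_auth_headers(SAMPLE_MESSAGE))
```

One caveat when reading these headers by hand or in code: a sender can insert a fake Authentication-Results line into a message just as easily as a fake From line. Only the line added by your own receiving mail server (recognizable by its authserv-id, here host.example.com) says anything about the message, and a result that is merely missing is not evidence of anything.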
