Spotting bogus emails

By Martin Edwards

Published March 2017

Email has its origins in US military and academic institutions of the 1970s. Because the network was not public, and its users were inherently trusted, it didn’t need to be secure. Its creators could hardly have predicted that this simple system would survive essentially unchanged into the 21st century and become a key part of our professional and personal lives.

Simplicity, openness, and the fact that it is free remain some of email’s greatest strengths, but they also leave it open to abuse. We’ve all faced the challenge of trying to identify whether or not an email is genuine, knowing that a bogus message could lead to identity theft, loss of money, or damage to our computers. Luckily, with a little knowledge, you can protect yourself well from these threats.

Safety first

In the past, vulnerabilities and poor software design choices made it advisable to not even open suspect messages. Thankfully, nowadays, the chance of damaging your computer by merely viewing a bogus email is extremely small.

Instead, the dangers lie in:

Check the From address

A simple email consists of a To address, From address, subject and body. It’s easy to spoof the From address; in other words, anyone can send a message purporting to be from any address they choose, including nonexistent addresses. This might sound like an unforgivable shortcoming of email, but the postal service is no different: I can write you a letter and put someone else’s address under ‘return to’ on the back of the envelope. So bear in mind that, for example, a message ‘from’ support@google.com may not really be from Google.

The good news is that many bogus email senders don’t spoof the From address, or spoof it to something that’s a blatant giveaway that the message isn’t genuine. This is perhaps thanks to the increasing adoption of systems that designate certain servers as the only authorised email senders for certain domains; modern providers like Gmail and Hotmail use this information to identify spoofed From addresses and mark offending messages as spam.

So, if you suspect that a message is bogus, check its From address. If the message is about your Amazon account, for example, and the From address doesn’t end in @amazon.com or @amazon.co.uk, alarm bells should ring!

Unfortunately a lot of email software now hides the From address by default, instead showing just a sender name. This is especially the case on smartphones where screen space is limited. Bogus messages almost always spoof the sender name, e.g. ‘Barclays online support’, so you should ignore it and learn how to reveal the From address if it isn’t already shown.
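Here is the From-address check in code, as an added example (not part of the original article): it separates the sender name from the real address, and compares only the address’s domain with the domains a genuine sender would use. The sample headers and the example domains are constructed for illustration.

```python
from email.utils import parseaddr

# Added example, not the article's code: split a From header into the display
# name (easily spoofed) and the address, then judge the address's domain only.
# Sample headers below are constructed for illustration.

def from_address(header: str) -> tuple[str, str]:
    """Return (display name, address) from a raw From header, address lower-cased."""
    name, addr = parseaddr(header)
    return name, addr.lower()

def sender_domain(addr: str) -> str:
    """Return the part after the final '@', or '' if there is no address at all."""
    return addr.rsplit("@", 1)[1] if "@" in addr else ""

def is_expected_sender(header: str, expected_domains: set[str]) -> bool:
    """True only when the address domain itself is one we expect.

    A domain that merely starts with the expected one (amazon.com.example)
    or a display name that looks like an address does not count.
    """
    _, addr = from_address(header)
    return sender_domain(addr) in {d.lower() for d in expected_domains}

# Domains a genuine Amazon message would come from, per the article.
AMAZON = {"amazon.com", "amazon.co.uk"}

SAMPLES = [                                   # constructed samples
    '"Amazon.co.uk" <account-update@amazon.co.uk>',
    '"Barclays online support" <barclays@mail-secure-login.example>',
    '"Amazon Support" <support@amazon.com.example>',
    '"support@amazon.co.uk" <noreply@example.net>',
    'Amazon <amazon.com@gmail.example>',
]

if __name__ == "__main__":
    for h in SAMPLES:
        name, addr = from_address(h)
        print(f"{name!r:28} {addr:42} expected={is_expected_sender(h, AMAZON)}")
```

Only the first sample passes; the others fail on the address domain even though their sender names look convincing.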

Check the destination of links

To achieve its aim, a bogus email might for example tell you that someone has hacked into your Facebook account, and have a link saying ‘click here to change your password’. But you needn’t click these links blind.

On a computer, rest the mouse cursor over a link – without clicking – to reveal the address to which it leads. It may show in the bottom-left of the window, or in a tooltip next to the cursor. On a smartphone, press and hold your finger on a link to reveal its address. Knowing how to interpret the address will help you decide whether it’s a link to a genuine website or a bogus one.

Here’s a typical address:

http://www.bbc.co.uk/news/health-39217858

As far as determining its legitimacy is concerned, there are only two parts that matter.

First is the ‘scheme’, which is always at the very beginning, ends with a colon, and is immediately followed by two slashes. It should be https: for any site where you enter important information. For less sensitive websites it may be http:, although https: is a bonus, and a movement is underway to make https: the norm for all sites.

Second is the hostname, which is everything between the scheme and the next slash (or the end of the address). That slash is really important. Look carefully at this address:

http://www.bbc.co.uk-news-health-39217858.martinedwards.co.uk

At a glance it looks like a page on the BBC website, but there’s no slash after www.bbc.co.uk, and the hostname continues, in this case right to the end of the address. It’s an elaborate hostname that in fact resolves to the server that hosts martinedwards.co.uk. There I could put a page mimicking the BBC article but with a side helping of malware.

The key is to read a hostname backwards from the final slash – or the end of the address, if there’s no slash – as it’s the right-most part that gives it away.
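The two-part reading of a link described above, as an added example that is not part of the original article: it pulls out the scheme and the hostname (everything up to the next slash), then reads the hostname from the right to find the domain that really owns it, and flags a host that merely contains a brand’s name. The ‘.co.uk’ handling is a deliberate simplification assumed for this example, not a full public-suffix list.

```python
from urllib.parse import urlsplit

# Added example, not the article's code. The links are the ones the article
# discusses; the ownership rule is a simplified assumption (see owning_domain).

def scheme_and_host(url: str) -> tuple[str, str]:
    """Scheme (text before the colon) and hostname (between '//' and the next slash)."""
    parts = urlsplit(url)
    return parts.scheme.lower(), (parts.hostname or "").lower()

def owning_domain(hostname: str) -> str:
    """Read the hostname backwards: the right-most labels name the owner.

    Assumption for this example: a suffix such as co.uk / org.uk / ac.uk /
    gov.uk takes three labels, anything else two. A real checker would use
    the public suffix list instead.
    """
    labels = hostname.split(".")
    take = 2
    if len(labels) >= 3 and labels[-1] == "uk" and labels[-2] in {"co", "org", "ac", "gov"}:
        take = 3
    return ".".join(labels[-take:])

def looks_like(hostname: str, brand_host: str) -> bool:
    """True when the brand's hostname appears inside a host somebody else owns."""
    return brand_host in hostname and owning_domain(hostname) != owning_domain(brand_host)

def check_link(url: str, brand_host: str = "www.bbc.co.uk") -> dict:
    """Summarise the only two parts that matter: scheme and hostname."""
    scheme, host = scheme_and_host(url)
    return {
        "scheme": scheme,
        "hostname": host,
        "owner": owning_domain(host),
        "secure": scheme == "https",
        "lookalike": looks_like(host, brand_host),
    }

if __name__ == "__main__":
    for link in ("http://www.bbc.co.uk/news/health-39217858",
                 "http://www.bbc.co.uk-news-health-39217858.martinedwards.co.uk"):
        print(check_link(link))
```

For the second link the hostname runs to the end of the address, so the owner comes out as martinedwards.co.uk and the BBC-looking prefix is reported as a lookalike.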

Finally, it’s important to note that a link may be made to look like an address that’s different to its actual destination. Hover your mouse over the following example (or long-press on a phone or tablet) to see what I mean, or click to see where it takes you (it’s harmless, just not what you’d expect):

http://www.bbc.co.uk

Check for bad spelling and grammar

A final sign that a message is bogus is bad spelling and grammar. In the heat of the moment it may be easy to miss, and yet often it’s the most obvious clue.

For example, Apple is unlikely to write its name without a capital letter in an official email. And Yahoo isn’t written Yah00.

My customers regularly forward me suspect messages, asking if they’re bogus, and of those that are, almost all contain simple giveaways like this. So don’t panic, and check the text of the email carefully.

Of course, a genuine sender may make a spelling mistake, and conversely, a scammer may write a message perfectly! So there is no hard and fast rule here.

Need help?

I’m a computer technician and tutor serving North Oxford, Kidlington, Woodstock and the surrounding villages. Visit my home page to find out more and get in touch.