At Cybertrace we’re often asked how to investigate phishing, along with the emails, websites and scam syndicates behind it. It’s a red hot topic these days due to the prevalence of phishing. According to Scamwatch, Australians have made 108,600 reports of phishing in the past 12 months. These are only the cases that were identified and reported, and it is safe to assume that the real figure is significantly higher. As many of you will know, phishing is a primary method for hackers to gain unauthorised access to systems and data. The offenders range in technical capability and ingenuity from school kids testing their newly formed skills to highly capable state-sponsored professionals.
This increase in phishing attacks is consistent with global trends where phishing has reportedly reached its highest levels since 2020. Further, phishing attacks in Australia have become more sophisticated and often target specific industries such as finance, healthcare, and small businesses, which are considered more vulnerable to these threats.
In this blog, we’ll guide you through the essential steps to investigate phishing emails effectively.
What is Phishing?
A phishing email is a malicious email whose sole purpose is to trick the receiver into providing sensitive information such as login credentials, credit card numbers or other personal information such as location. The emails often appear to come from trusted sources such as government agencies, well-known companies and service providers. In many cases, the email is so well designed that it takes a professional to confirm its malicious intent. Unfortunately, phishing email content is modified and refined so quickly that it is difficult for anti-malware tools to keep pace and detect high-level phishing attacks.
The most common channels for phishing attacks are websites, email, SMS, WhatsApp and other messaging apps, and phone calls.
The following steps will help you identify and then investigate a phishing attack.
Step 1: Examine the Email Address
The first step in investigating a phishing attack is to identify the source and confirm whether it’s legitimate. Phishing emails often come from addresses that look similar to legitimate ones but have slight differences, such as an extra letter or a slightly different domain name. Check the full email address, not just the display name, to confirm it comes from the legitimate domain ([email protected], and not [email protected]).
Step 2: Check for Suspicious Links
In most circumstances, phishing will include links in the content for you to click, and this is where the danger starts. Once you click the link, a range of malicious events will likely follow. This could include being sent to a linked phishing website, downloading malware, or exposing your IP address and location.
To investigate the potential for phishing, check the URL and see if it matches the purported sender. In the above example, it would be anz.com, which is the legitimate domain for the ANZ bank. If it doesn’t match, be very cautious. Even if you’re running reputable anti-virus software, this is no guarantee that the danger will be detected, especially if it’s custom-built malware.
Cybertrace recommends using our scam domain detector to identify risk associated with a domain. It’s a free tool and although it’s not guaranteed to detect risk, it’s pretty damn good at identifying it. You can find it here:
Step 3: Look for Unusual Language or Requests
Phishing content usually involves a level of urgency to pressure the receiver into moving to the next stage without giving them enough time to consider risks and look for red flags. This urgency is often a red flag in itself and something that needs to be front of mind when inspecting messages, emails or websites. Although ChatGPT and other generative AI tools have made phishing a lot harder to detect due to their ability to create natural-sounding content, the formatting, combined with the context and content, still needs to be considered when identifying phishing.
Step 4: Inspect the Email Header
An email’s headers contain valuable information about the email’s origin, including the server it was sent from and its route to your inbox. Header analysis can be a daunting task and is definitely not something that a novice should rely on for investigating and confirming phishing emails. However, if you decide to try it, there are a number of quality online tools that can assist, such as MXToolbox: https://mxtoolbox.com/Public/Tools/EmailHeaders.aspx
Although online analysis tools are great, they do often give false positives. The below example of a false positive is from a legitimate email received from one of Cybertrace’s suppliers, in which DKIM authentication failed; in this case it was due to Amazon Web Services (AWS) being blacklisted by a blacklisting authority. It’s highly likely that this was due to automation and misuse by one user. It’s not a genuine concern or confirmation of phishing in this case.
If you’re unsure how to interpret the header, consider seeking professional assistance from experts like Cybertrace.
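As an added illustration of Steps 1, 2 and 4 (this is example code written for this post, not a Cybertrace tool), the Python script below parses a constructed sample email with the standard library, compares the real sender domain and every link domain against the domain the email claims to come from, reads the SPF/DKIM verdicts from the Authentication-Results header, and lists the Received hops. It goes slightly beyond the text by also catching the trick of placing the genuine domain at the start of a longer hostname; every address, hostname and IP in it is made up.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample (not a real phishing email): bank display name, look-alike
# sending domain, and a link whose hostname merely starts with the bank's domain.
RAW_EMAIL = """\
From: "ANZ Bank" <alerts@anz-secure-login.example>
Subject: Urgent: verify your account within 24 hours
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=anz-secure-login.example; dkim=fail header.d=anz-secure-login.example
Received: from mail.example.org (mail.example.org [192.0.2.10]) by mx.example.org; Mon, 1 Jan 2024 10:00:00 +0000
Received: from relay.anz-secure-login.example ([198.51.100.7]) by mail.example.org; Mon, 1 Jan 2024 09:59:58 +0000
Content-Type: text/html; charset=utf-8

<html><body>Please <a href="https://anz.com.verify-portal.example/login">verify now</a>.</body></html>
"""
MSG = email.message_from_string(RAW_EMAIL, policy=policy.default)

def in_domain(host, domain):
    """True only if host is the domain itself or a genuine subdomain of it."""
    return host == domain or host.endswith("." + domain)

def sender_domain(msg):
    """Step 1: domain of the actual From address, ignoring the display name."""
    return msg["From"].addresses[0].addr_spec.rsplit("@", 1)[1].lower()

def link_domains(msg):
    """Step 2: hostname of every href in the HTML (or plain-text) body."""
    text = msg.get_body(preferencelist=("html", "plain")).get_content()
    return sorted({urlparse(u).hostname.lower() for u in re.findall(r'href="([^"]+)"', text)})

def auth_results(msg):
    """Step 4: spf/dkim/dmarc verdicts recorded by the receiving server."""
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", msg.get("Authentication-Results", "")))

def received_hops(msg):
    """Step 4: sending hosts from the Received chain, oldest hop first."""
    return [re.search(r"from\s+(\S+)", h).group(1) for h in reversed(msg.get_all("Received", []))]

def assess(msg, claimed_domain):
    """Collect red flags relative to the domain the email purports to come from."""
    flags = []
    for role, host in [("sender", sender_domain(msg))] + [("link", h) for h in link_domains(msg)]:
        if not in_domain(host, claimed_domain):
            flags.append(f"{role} domain {host} is not {claimed_domain}")
    if auth_results(msg).get("dkim") == "fail":
        flags.append("DKIM failed (a hint, not proof; see the false-positive caveat above)")
    return flags
```

Running assess(MSG, "anz.com") on the sample reports the look-alike sender domain, the mismatched link and the DKIM failure; as the caveat above notes, the DKIM result alone is not confirmation of phishing.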
Step 5: Verify with the Organisation
If, after examining the source of the potential phishing email, you are still unsure of its legitimacy, contact the sender by phone (not email or SMS) and confirm the legitimacy of the email.
Payment redirection (business email compromise) scams are a refined version of phishing in which the majority of the communication is legitimate, but the scammer has altered the financial details in the email, so the receiver unwittingly pays the scammer rather than the intended person or company.
Payment redirection attacks occur when cybercriminals intercept email communications, usually from businesses to individuals. These individuals are typically paying an invoice or receiving deposits from real estate companies or conveyancers. This can lead to severe financial and emotional stress for buyers and sellers alike.
When investigating the potential for payment redirection as part of a phishing attack, and you’re unsure whether your IT systems, including email inboxes, have been compromised, we first recommend contacting the payee by phone (not email or SMS) to confirm the legitimacy of the email and the payment details. The next step is to check whether you or the payee are known to have been compromised (login details leaked on the dark web) by searching this website: https://haveibeenpwned.com/.
If there is no indication of credential compromise but you still have suspicions, contact Cybertrace. Although ‘Have I Been Pwned’ is an excellent and reliable resource, unlike Cybertrace it doesn’t access live data. Using our technology, we undertake live searches and scour the dark web using AI tools to identify breaches. Often, we identify breaches that have not been published on Have I Been Pwned.
Step 6: Report the Phishing
Reporting phishing emails is crucial in helping authorities and experts combat these scams. In Australia, you can report phishing emails to the Australian Cyber Security Centre (ACSC). Additionally, consider reporting the incident to your email provider and the organisation the email is impersonating.
Step 7: Consider Professional Investigation Services
If you are, or suspect you are, dealing with a complex or targeted phishing attack, it may be wise to consult professionals. At Cybertrace, we specialise in investigating phishing emails, helping you uncover the source of the scam.
Our team uses advanced techniques and tools to trace the origins of phishing attacks (including websites), identify offenders and assist in preventing future incidents. Don’t hesitate to contact us for expert advice and support.