Featured Image

7 Hidden Ways that Phishing Emails Reveal Their Motives

The most deceptive phishing emails are getting more and more convincing over time.  Especially spear phishing emails that contain contextually-relevant cues that subconsciously lead us to believe that we're interacting with a person or organization that we know and trust.  But, there are some hidden secrets to sniffing out most phishing emails -- stopping them in their tracks.  Read on to learn more.

Phishing Email Senders - Hidden Factors

Let's start by looking at hidden details relating to the phishing email sender.  There are a number of subtle ways to discern additional confidence-building (or, confidence-eroding) factors about the sender.


SPF is a way that domain owners can specify the email servers that they use for sending emails that are legitimately from the domain.  When a recipient receives an email purportedly from the domain, SPF provides a way to second-guess the surface-level claims that the email makes about it's origins.  With SPF, the recipient's email service can compare the email "envelope" (a technical term) against the SPF metadata.  By doing so, it can see whether the email appears to have been initiated by an email server that is authorized to send email on behalf of the domain.  Instead of, worst case, being sent by some devious/unauthorized email server hosted elsewhere.

DKIM (often referred to as email signing) allows emails to be encrypted in-transit in a manner that makes it difficult for attackers to forge or alter.  DKIM grew out of necessity, preventing a wide range of man-in-the-middle (MITM) attacks, amongst others.

DMARC answers an obvious "what if" question, that SPF and DKIM don't.  What if an email fails SPF and DKIM checks?  What should be done with the email?  How should the recipient treat it?  By using DMARC, the legitimate owner of the sending domain can specify that problematic messages should be automatically sorted to "junk" or blocked entirely.

With SPF, DKIM, and DMARC working in concert, it has gotten dramatically harder for phishing attacks to falsely claim that they are legitimate messages from a domain name of a company that you know and trust.

2. Address Presence in Malicious Activity Lists

One of the best defenses against phishing emails relies on the cooperation that has allowed many willing parties to contribute to malicious activity lists.  Specifically, by contributing email addresses of known-senders of phishing emails.  These databases of malicious activity senders have proven to be invaluable in determining if a particular email is being sent from an email address that has been reported as being a fraudulent or malicious sender.  Your mental alarm bells should ring at high volume if an email sender's address is present on a malicious activity list.

Of course, few of us have an appetite for manually checking inbound messages for a sender that is present on these lists, so automated systems have been developed to check this for us.  More in the Wrap-Up section, on how to get access to one of the best such tools (Mail Armor by Havoc Shield).

3. References to Sender in Search/Social Results

Suppose you received an email that you found to be suspicious.  And suppose that on all major search engines and social media sites, there were zero occasions in which that email address had been used publicly.  Suspicious, right?

Definitely suspicious.

With how interconnected our world has become, it should take you by surprise if someone claiming to be a legitimate representative of a particular organization, has never had their email address used in any publicly visible way before.  While it's not impossible, it's unlikely.

Again, it's unrealistic (and very tedious) to manually check for the sender's email address in these publicly visible places, so you'll want automated tools to help.  Again, hang in there for the "Wrap-Up" at the end of this post for an actionable/easy solution.

4. Disposable Email Detection

Normal, well-intentioned people generally want email addresses that have an enduring characteristic to them.  Our bet is that if you've registered an email address with GMail, O365, or elsewhere, that your intention is to have that email address for a LONG time.  No one wants to move around to different email addresses frequently, it's a huge pain to transition all of the contacts and historic email content.

So, no one wants to move email addresses frequently, right?  Wrong.  Hackers love to.  They crave a near-unlimited supply of fresh email addresses, to move on to new addresses long before their old address lands in a malicious activity list.  What's a great way for hackers to get that fresh supply of reputationally new/clean email addresses?  By using a disposable email site that allows unlimited (or near-unlimited) free email box creation.

Recipients, beware when you see inbound emails from one of these well-known sites.  And use automated tools to guard against them (see the Wrap-Up).

Phishing Email Sender Domains - Hidden Factors

Popping out to the domain level, there are additional factors to consider, that augment the list of factors described so far.  With the following factors in consideration, you'll have a well-rounded view of the sender's validity.

5. Domain Existence

If you haven't spent much time looking at the innards of how emails are relayed across the internet, bear with me here, because this might sound odd to you.

What if the sender's email address isn't actually from a domain name that exists at all?

Yes, you heard that right.  Senders are inventing domain names out of thin air -- domain names that don't actually exist at all -- and using them as fraudulent cover for phishing email attacks.  Recipient beware.  Automated detection tools are the way to identify this when it happens, and to stay safe from this attack vector.

6. Domain Registration Age

If you received a suspicious-seeming email related to a financial transaction, and you came to learn that it was sent by a domain name that was registered 4 hours ago, what would you think of that?

Our bet is that you'd find it extraordinarily suspicious and that this new fact would probably be the nail in the coffin of you even thinking about trusting the contents of the email.  And your reaction would be a wise one, because very recently registered domains are one of the favorite tricks of attackers sending phishing emails.  They love to create new/fresh look-a-like domains and almost immediately put them into use.  By sending phishing emails from a newly-registered domain, they hope that word hasn't yet gotten around that the new domain is a malicious/fraudulent one.

7. Domain Reputation

Lastly, there are centralized systems that help us gauge the sending domain name's reputation.  Has the domain gone from sending 0 emails ever, to sending 100,000 emails today?  Have emails from the sender's domain routinely been marked as "spam" by recipients?  Has the sender made other suspicious-looking changes to their configuration?  Domain reputation mechanisms can help catch domains in a systematic way.  And that's highly appreciated, by all of us just trying to focus on productivity without the distraction of phishing emails.

Wrapping Up

We hope these 7 Hidden Ways that Phishing Emails Reveal Themselves have enriched your understanding of how it is possible to stay safe from attackers. However, in practical terms it is difficult (impossible, really) to use these 7 techniques without having some automated tools on your side.  One of the best ways to enable your company to routinely use these techniques is to implement Mail Armor from Havoc Shield.  By using Mail Armor, you'll know that you are benefiting from these techniques without doing the heavy lifting yourself.

Interested in more articles about phishing?  Continue here:

Any additional suggestions for article topics about phishing?  Drop us a note in the comments section below!

Other posts