Is this link safe? Human vs Machine Email Scanning Techniques
October 15, 2020
Phishing
Is this link safe? Given the volume of email that most of us receive every day, it's a question that seems to come up on a pretty frequent basis. Some people even think that they have "pattern detection" capabilities that preclude the need for any technological filtering/scanning.
Here we'll explore what parts of the "is this link safe?" question can be scrutinized by a savvy visual inspection, versus what parts of the inspection are better done by a machine (well, an algorithm).
Is This Link Safe? The Human-Powered Version
There are a number of easy best practices that are great for filtering out novice-level phishing scams and other unsafe emails. Including:
Is this a sender that I know and trust?
Is there a reasonable, plausible explanation for why this sender would be communicating with me at this time?
Does the formatting of the email resemble what I'm familiar with from this sender's previous communications?
Is this sender communicating from the email address that I'm accustomed to hearing from him/her on?
When I hover over the link(s) in the email, are the targets (URLs) on websites that I know and am familiar with?
These are all reasonable, time-efficient judgement calls that assist (but don't fully cover) the need for scrutinizing the validity of the email.
Is This Link Safe? The Machine-Powered Version
There are also a number of areas where the we're better off leaning on smart algorithms to research and evaluate aspects of the email that are difficult to inspect manually. Here's a sampling of those areas:
Sender
DKIM, SPF, and DMARC enforcement status
Address presence in spam and malicious activity blacklists
References to sender address in search results and registered to social media sites
Free and disposable email service provider status
Sender Domain Name
Domain existence (defeats fake domain senders)
Age of domain registration
Domain reputation
Link Targets
Existence of phishing content at linked website
Viruses, malware, trojans, ransomware, spyware presence at linked website
Contents inside linked compressed archives like .zip and .gz files.
Attachments
Existence of viruses, malware, trojans, ransomware, and spyware
Contents inside linked compressed attachments like .zip and .gz files.
Many of these are possible to verify manually without the help of automated software, but the time burden would be impractical. For example, you could certainly use the diagnostic tool "whois" to inspect domain name registration age, but I think you'd tire quickly of having to do that manually for every suspicious email.
Wrapping Up
The real way to come out ahead when you find yourself asking "Is this link safe?" is to use human intuition in combination with well-placed use of protective technology. One easy way to achieve all of the automated checks described in this article, is to try out Mail Armor, an easy service for getting a second opinion on any email you receive that seems suspicious: