Quiz Answers - Can you Find the Malicious Email?

December 18th, 2013 by admin

Ready for the answers to our quiz?

Drumroll please...

Every single email is malicious EXCEPT for this one:

“eFax message from "4082459385". 1 page(s). Caller-ID: 408-245-9385”  -  eFax

Yep, that eFax message is 100% legitimate!

Now let's discuss why


Unless you are an eFax client and know what their notification emails look like, this quiz may have been very difficult.

However, even without ever using eFax, you can see that this email is merely a notification alerting the receiver that a fax has been received, and even lists the sender's phone number and number of pages in the fax. It does NOT implore the reader to respond quickly or act to prevent something from happening, which is a common thread in several of the other emails. This subject line includes specific information about a service rendered and does not demand immediate action from the reader.

How do we know the other emails are malicious?

Shipping and Postal Service

For the numerous shipping and postal service messages, we know from our previous article, How to Identify a Malicious Email, that shipping companies (FedEx, UPS, USPS, etc.) will not send notification emails like this. Instead, they will return the shipment to its original vendor and have the vendor handle communication (Amazon, for instance), or advise the customer to log in to their account online with a tracking number. Because of this, the email subject lines below must be frauds:

“UPS parcel notification”  -  from UPS Inc.
“USPS Shipment Status NO#3355”  -  from FedEx Information

Also, where possible, a shipping company will include a description of the shipment and vendor in the email - if the subject line is vague and doesn't tell you anything about what is supposedly being shipped, it is most likely a fraud:

“Track your parcel”  -  from FedEx Information

The above subject line mentions nothing about the "parcel" being shipped. A legitimate subject line would read something like, "track your recent purchase of Kindle Paperwhite."

Finally, UPS and other shipping companies will never include an attachment in their notification emails. If you see any mention of an attachment (invoice copy, report, etc.), as in the email below, beware!

“USPS Invoice copy NO#34253538”  -  USA Postal Service

Airline Purchase

This email from American Airlines looks harmless enough:

“Your order #NR4471 has been completed”  -  from American Airlines

Think again! American Airlines (and every other airline) will always include specifics of your booked travel in their subject line. Even if you did recently purchase a flight with American Airlines, a legitimate email would say something like "your 10/21/13 flight from Los Angeles to Dallas has been purchased." The above email only mentions a vague "order #NR4471" - most definitely a fraud!

Of course, if you haven't recently purchased a flight that's another great fraud indicator. :-)

Bank Statements


Be especially wary of emails from banks and other financial institutions.

The below email from Citibank looks harmless, but let's discuss why it's not:

“Merchant Statement”  -  Citibank

First, there is no specific information about the purported "statement." When a bank sends you a notification about a statement, it will either include specifics of that statement in the subject line, or say something like "your statement is ready." While the latter is not very specific, it at least makes sense that you would receive "your" personal statement from a bank you use. "Merchant statement" doesn't make much sense - are you a merchant? What kind of account is this statement for? What does "merchant statement" even mean? And why is there no mention of "you" or "your" to make this a more personalized message to you? Spam!

People you may know

This one is tricky:

“How are things?”  -  from Barrey jewall

As our clients already know, Barrey Jewall is an engineering team lead here at MPA Networks. This looks like a harmless, friendly email from someone you may know and communicate with on a regular basis!

Notice, however, the little details, such as the lack of capitalization of his last name. Why would this email be from "Barrey jewall" and not "Barrey Jewall"? Most people will make sure their full name is set to display properly (meaning proper capitalization, we hope!) in the "from" field when they initially set up their email account. Improper capitalization (or no capitalization at all) is always an important detail to notice.

If you receive an email like this from someone you know, hover your mouse over the name (without clicking) to view the actual email address associated with this name. If it is not the email address you associate with this person, delete it immediately!
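The same two checks (capitalization of the display name, and whether the address behind the name is the one you associate with that person) can be run against a message's From header. This is an added example, not part of the original article; the address book, the addresses and the sample messages are constructed, and example.com / example.net are placeholder domains.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed address book: display name (lower-cased) -> the address you
# already associate with that person. The domain is a placeholder.
KNOWN_CONTACTS = {"barrey jewall": "barrey.jewall@example.com"}


def check_from(raw_message):
    """Return a list of findings for one raw message, based on its From header."""
    msg = message_from_string(raw_message)
    # parseaddr splits 'Display Name <user@host>' into its two parts; this is
    # the address a mail client shows when you hover over the name.
    name, addr = parseaddr(msg.get("From", ""))
    findings = []

    # Check 1: a word in the display name starts with a lower-case letter.
    # This is a weak signal on its own (some real names are lower-cased).
    if any(word[0].islower() for word in name.split()):
        findings.append("display name not capitalized")

    # Check 2: the name matches someone you know, but the address behind it
    # is not the one you associate with that person.
    expected = KNOWN_CONTACTS.get(" ".join(name.lower().split()))
    if expected is not None and addr.lower() != expected:
        findings.append("address does not match known contact")

    return findings


# Constructed sample messages (headers and a one-line body).
SPOOFED = (
    "From: Barrey jewall <bj1987@mail.example.net>\n"
    "Subject: How are things?\n\nHi\n"
)
GENUINE = (
    "From: Barrey Jewall <barrey.jewall@example.com>\n"
    "Subject: How are things?\n\nHi\n"
)

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(label, check_from(raw))
```

A message with no display name, or a name that is not in the address book, produces no address finding; the check only compares against contacts you have already recorded.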
