How To Detect Phishing Messages

Phishing messages are generally recognizable by a tiny bit of sleuthing. We explain how to do it.
    Why are people sending me Phishing messages?

    Your usernames and passwords have value. The value of banking credentials is obvious: they want your money. The value of other credentials, such as your UTORid, your Facebook identity or others, rests in the ability to gain access to resources that would otherwise be prohibited. There is a market in UTORid credentials for the purpose, amongst others, of accessing library materials. Access to your Facebook page gives people power over your reputation.

    PCS Policies about Passwords

    PCS members will not ask for your password via email, except after exhausting other options and only after having conversed with you about the issue ahead of time. You absolutely will not receive an out-of-the-blue request for your password. If you have specifically requested that we send a password, we may, after due consideration of the security implications, and after attempting to find another alternative, send a password through email.

    If, by the time that you receive your password via email, you are not at least a bit pissed off with members of PCS trying to convince you that it is a bad idea, something is terribly wrong. (Actually, something is already wrong: we sent you the password by email.)

    Detection Steps

    Initial Checks

    1. Is this message part of an ongoing conversation with the sending party? The fact that the note comes from out of the blue should always be a big red flag if it is requesting security-related information.
    2. Are you explicitly named in the recipient list? (For example, you may see undisclosed recipients in the To: header field.) If you are not explicitly mentioned, is there an obvious good reason for that? Any genuine correspondent with need of security information ought to have a relationship with you that includes knowledge of your name, and should not need the cover of undisclosed recipients.
    3. Does the sender information look consistent and reasonable? Why would "Debra Smith" be sending from an email address of a3423876sg@hotmail.com?
    4. Is it offering you something for free? There is something about the word free (as in no cost) that turns the human brain into mush. Don't go there. If it doesn't cost something to you, then you are the product being sold to someone else.
    5. Are they asking you to run a program or unzip a zip archive? Very few emails have good cause to be accompanied by programs. Do not open the attachment unless you know:
      1. Who the sender is,
      2. What the program is for -- not just what the sender says it is for,
      3. That the program is an expected delivery or a natural part of an ongoing correspondence.
    6. Does the message address itself to you personally in a way that displays knowledge beyond your name? It is easy to say "Hi John!". It is much harder to refer to:
      • your specific job role,
      • the outstanding service issue that you have with {PCS, Rogers, Bell, ...}.

    Looking Under the Hood

    The best way to check for phishing activity is to look at the raw message. How to do this depends on the mail reader you are using, and we cannot address them all. We officially support Mozilla Thunderbird and the Physics Webmail systems, so we will provide specific instructions for both. Apple Mail and Microsoft Outlook will be discussed because they are also common in the local environment.

    If you are already looking at a message, you can do the following to look at the raw text behind it:

    Mozilla Thunderbird
    Hold down the Control key and U (Ctrl + U)

    Physics Webmail
    Go to the bottom of the message area and click on the Message Source link.

    Apple Mail
    Cmd + Option + U

    At this point you should be looking at the raw text behind the message, the beginning of which should resemble the following:

    Return-Path: <bulletin@utoronto.ca>
    X-Original-To: bworth@physics.utoronto.ca
    Delivered-To: bworth@physics.utoronto.ca
    Received: by helios.physics.utoronto.ca (Postfix, from userid 57)
    id DA0954C2C8; Tue, 22 Nov 2011 03:15:25 -0500 (EST)
    Received: from bureau4.utcc.utoronto.ca (bureau4.utcc.utoronto.ca [128.100.132.14])
    by helios.physics.utoronto.ca (Postfix) with ESMTP id 0F9434C2C8
    for <bworth@physics.utoronto.ca>; Tue, 22 Nov 2011 03:15:25 -0500 (EST)
    Received: from dws-prod.dua.utoronto.ca ([142.150.60.34]:2370 "EHLO
    utoronto.ca" rhost-flags-OK-OK-OK-FAIL) by bureau4.utcc.utoronto.ca
    with ESMTP id S760660Ab1KVHJU (ORCPT
    <rfc822;bworth@physics.utoronto.ca>); Tue, 22 Nov 2011 02:09:20 -0500
    Reply-To: bulletin@utoronto.ca
    From: "bulletin@utoronto.ca" <bulletin@utoronto.ca>
    To: "Steven T. Butterworth" <bworth@physics.utoronto.ca>
    Message-ID: <08293955da0746bfaf040cb5db5b999e@utoronto.ca>
    Date: Tue, 22 Nov 2011 02:09:20 -0500
    Subject: Bulletin | Remembering Dr. Fraser Mustard

    While all of the fields can be useful, the one that is least vulnerable to forging is the Received field, of which there will be at least one and often several. The most important one is the last, which was actually the first one written during the message's travels (each server prepends its own Received line above the ones already there, so the bottom-most line records the hop closest to the origin). Notice that in the message above the message originated from dws-prod.dua.utoronto.ca ([142.150.60.34]:2370). For a message that purports to come from the University of Toronto, that makes sense.

    Analysis of Specific Phishing Message Samples

    A Message from The Physics Support Team

    The first message has serious tell-tales before we look under the hood:

    • message from generic account (webmaster@physics.utoronto.ca)
    • name is wrong and grabbed from a role account (but this could have been correct under other circumstances)
    • PCS never refers to itself as The Physics Support Team

    However, the decisive data is visible as soon as we look at the raw source:

    Return-Path: <webmaster@physics.utoronto.ca>
    X-Original-To: sales@physics.utoronto.ca
    Delivered-To: root@physics.utoronto.ca
    Received: by helios-store.physics.utoronto.ca (Postfix, from userid 57)
    id E16F49A2F3; Tue, 14 Jun 2005 04:56:16 -0400 (EDT)
    Received: from physics.utoronto.ca (ip248.flip1.remote.ne.jp [206.3.23.248])
    by helios-store.physics.utoronto.ca (Postfix) with ESMTP id 796E49A2CC
    for <sales@physics.utoronto.ca>; Tue, 14 Jun 2005 04:56:12 -0400 (EDT)
    From: webmaster@physics.utoronto.ca
    To: sales@physics.utoronto.ca
    Subject: YOUR PASSWORD HAS BEEN SUCCESSFULLY UPDATED
    Date: Tue, 14 Jun 2005 17:51:48 +0900
    MIME-Version: 1.0
    Content-Type: multipart/mixed;
    boundary="----=_NextPart_000_0007_C20CD243.5A56F885"
    X-Priority: 3
    X-MSMail-Priority: Normal
    Message-Id: <20050614085612.796E49A2CC@helios-store.physics.utoronto.ca>
    X-Bogosity: Unsure, tests=bogofilter, spamicity=0.500064, version=0.92.4

    This is a multi-part message in MIME format.

    ------=_NextPart_000_0007_C20CD243.5A56F885
    Content-Type: text/html;
    charset="ISO-8859-1"
    Content-Transfer-Encoding: 7bit

    <html>
    <body>
    <BR><STRONG>Dear user sales, </STRONG><BR>
    <BR>You have successfully updated the password of your Physics account.<BR>
    <BR>If you did not authorize this change or if you need assistance with your
     account, please contact Physics customer service at: webmaster@physics.utoronto.ca<BR>
    <BR>Thank you for using Physics!
    <BR>The Physics Support Team <BR>
    <BR><BR><BR><BR><BR>
    <BR>+++ Attachment: No Virus (Clean)
    <BR>+++ Physics Antivirus - www.physics.utoronto.ca
    </body>
    </html>

    ------=_NextPart_000_0007_C20CD243.5A56F885
    Content-Type: application/octet-stream;
    name="account-password.zip.txt"
    Content-Transfer-Encoding: base64
    Content-Disposition: attachment;
    filename="account-password.zip.txt"

    UEsDBAoAAAAAAHhGzjLK0cCUSXsAAEl7AABeAAAAYWNjb3VudC1wYXNzd29yZC50eHQgICAgICAg
    ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
    ICAgICAgLnBpZk1aS0VSTkVMMzIuRExMAABMb2FkTGlicmFyeUEAAAAAR2V0UHJvY0FkZHJlc3MA
    AFVwYWNrQnlEd2luZ0AAAABQRQAATAECAAAAAAAAAAAAAAAAAOAADwELAQAnAOAAAADwAAAAAAAA
    zHYCAAAQAAAA8AAAAABAAAAQAAAAAgAABAAAAAAAAAAEAAAAAAAAAADwAgAAAgAAAAAAAAIAAAAA
    ABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAACF5AgAoAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC5VcGFjawAAAPABAAAQAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAOAAAOAucnNyYwAAAADwAAAAAAIASXkAAAACAAAAAAAAAAAAAAAAAADg
    AADgTHlCAAcAAAAAAEIAAAAAAP////8BAAAAAQAAAAEAAAABAAAAAAQAAAAQQACbeEIA53hCAOp4
    QgD4eEIA03hCAHwHAADECwAA/A9AAD94QgBBeEIA4nZCAFvxQQD5AwAAHXlCAP/fQQAzeEIAAAAA

    The critical section is the second (chronologically first) Received record:

    Received: from physics.utoronto.ca (ip248.flip1.remote.ne.jp [206.3.23.248])
    by helios-store.physics.utoronto.ca (Postfix) with ESMTP id 796E49A2CC
    for <sales@physics.utoronto.ca>; Tue, 14 Jun 2005 04:56:12 -0400 (EDT)

    Notice that the sender is actually an address in Japan (ip248.flip1.remote.ne.jp). While it is not impossible for a legitimate message from the Physics Department to originate in Japan, it is highly unlikely, especially if you have seen the sender in the last 24 hours.
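    The two checks this article walks through by hand (reading the bottom-most Received line and comparing it with the domain the From header claims, and looking at what the attachment really is) can be scripted. The following is an added example written for this page, not PCS code or part of the original article. It takes the two header samples shown above, re-folded with leading whitespace on continuation lines as a mail server writes them and trimmed to the headers the checks need, plus the attachment part of the phishing sample with the first three base64 lines shown on the page (enough to cover the ZIP entry header). It reports the first hop and whether it belongs to the claimed domain, and reads the ZIP local file header to expose the entry's real name, the whitespace padding that hides its extension, and the MZ executable signature behind it. The "organisational domain is the last two labels" rule and the Postfix-style Received pattern are simplifying assumptions made here.

```python
import email
import email.utils
import re
import struct

# Constructed input: the two header samples from this article, re-folded with
# leading whitespace on continuation lines (as a mail server writes them) and
# trimmed to the headers these checks use. The phishing sample also keeps its
# attachment part with the first three base64 lines shown on the page.
LEGIT_RAW = """\
Received: by helios.physics.utoronto.ca (Postfix, from userid 57)
    id DA0954C2C8; Tue, 22 Nov 2011 03:15:25 -0500 (EST)
Received: from bureau4.utcc.utoronto.ca (bureau4.utcc.utoronto.ca [128.100.132.14])
    by helios.physics.utoronto.ca (Postfix) with ESMTP id 0F9434C2C8
    for <bworth@physics.utoronto.ca>; Tue, 22 Nov 2011 03:15:25 -0500 (EST)
Received: from dws-prod.dua.utoronto.ca ([142.150.60.34]:2370 "EHLO
    utoronto.ca" rhost-flags-OK-OK-OK-FAIL) by bureau4.utcc.utoronto.ca
    with ESMTP id S760660Ab1KVHJU (ORCPT
    <rfc822;bworth@physics.utoronto.ca>); Tue, 22 Nov 2011 02:09:20 -0500
From: "bulletin@utoronto.ca" <bulletin@utoronto.ca>
"""

PHISH_RAW = """\
Received: from physics.utoronto.ca (ip248.flip1.remote.ne.jp [206.3.23.248])
    by helios-store.physics.utoronto.ca (Postfix) with ESMTP id 796E49A2CC
    for <sales@physics.utoronto.ca>; Tue, 14 Jun 2005 04:56:12 -0400 (EDT)
From: webmaster@physics.utoronto.ca
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0007_C20CD243.5A56F885"

------=_NextPart_000_0007_C20CD243.5A56F885
Content-Type: application/octet-stream; name="account-password.zip.txt"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="account-password.zip.txt"

UEsDBAoAAAAAAHhGzjLK0cCUSXsAAEl7AABeAAAAYWNjb3VudC1wYXNzd29yZC50eHQgICAgICAg
ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgICAgLnBpZk1aS0VSTkVMMzIuRExMAABMb2FkTGlicmFyeUEAAAAAR2V0UHJvY0FkZHJlc3MA

------=_NextPart_000_0007_C20CD243.5A56F885--
"""

# "from <helo-name> (<reverse-dns> [<ip>])" as Postfix writes it; the reverse-DNS
# part is optional so the "([ip]:port ..." form of the bureau4 hop also parses.
HOP_RE = re.compile(r"\bfrom\s+(\S+)\s+\((?:(\S+)\s+)?\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_hops(msg):
    """(helo, rdns_or_None, ip) for each Received header that records a network
    hop, in header order: top of the message first, origin last."""
    hops = []
    for value in msg.get_all("Received", []):
        unfolded = re.sub(r"\r?\n[ \t]+", " ", value)  # undo header folding
        m = HOP_RE.search(unfolded)
        if m:  # local submissions ("by ... from userid 57") carry no hop
            hops.append(m.groups())
    return hops


def org_domain(hostname):
    """Organisational domain taken as the last two labels (assumption for this
    example; public suffixes such as co.uk would need a real suffix list)."""
    return ".".join(hostname.lower().rstrip(".").split(".")[-2:])


def origin_check(raw):
    """Compare the first hop (bottom-most Received) with the From domain."""
    msg = email.message_from_string(raw)
    helo, rdns, ip = received_hops(msg)[-1]
    claimed = org_domain(email.utils.parseaddr(msg["From"])[1].split("@")[-1])
    # The HELO name is chosen by the sending machine; the reverse-DNS name in
    # parentheses is what the receiving server looked up, so prefer that.
    observed = rdns or helo
    return {
        "ip": ip, "helo": helo, "observed": observed, "claimed": claimed,
        "consistent": org_domain(observed) == claimed,
        "helo_mismatch": rdns is not None and org_domain(rdns) != org_domain(helo),
    }


def inspect_zip_attachments(raw):
    """For each ZIP attachment, read the first local file header (offsets per
    the ZIP format) and report the entry's real name and what its data is."""
    msg = email.message_from_string(raw)
    findings = []
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        data = part.get_payload(decode=True)
        if data[:4] != b"PK\x03\x04":
            continue
        # method(2) time(2) date(2) crc(4) csize(4) usize(4) namelen(2) extralen(2)
        (method, csize, usize, name_len, extra_len) = struct.unpack_from("<H8xIIHH", data, 8)
        inner = data[30:30 + name_len].decode("latin-1")
        body = data[30 + name_len + extra_len:]
        findings.append({
            "attachment": part.get_filename(),
            "inner_name": inner,
            "real_extension": inner.rstrip().rsplit(".", 1)[-1].lower(),
            "padded_name": "  " in inner,  # whitespace pushes the extension out of view
            "stored_size": usize,
            "mz_header": body[:2] == b"MZ",  # Windows executable behind the name
        })
    return findings


if __name__ == "__main__":
    for label, raw in (("legitimate", LEGIT_RAW), ("phishing", PHISH_RAW)):
        print(label, origin_check(raw), inspect_zip_attachments(raw))
```

    Run as a script it prints both verdicts: the 2011 bulletin's first hop is dws-prod.dua.utoronto.ca, consistent with its From domain, while the 2005 sample's first hop resolves to ip248.flip1.remote.ne.jp under a HELO name of physics.utoronto.ca, and its "zip.txt" attachment holds a single stored entry named account-password.txt followed by seventy spaces and ".pif", whose data begins with the MZ header of a Windows program. A production triage would apply the same hop parsing to every Received line rather than only the last, since any line above the first one you trust can be forged by the sender.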