Phishing: How to Spot a Fraudulent Email

Example of a Phishing Email

Below is an email that appears completely legitimate. It asks a user to take a mandatory anti-spam test before a certain date. It is sent with the logo of a reputable company, uses familiar formatting, and its purpose seems justified. Other seemingly reasonable motives may be invoked, such as suspension of service due to unpaid invoices or (one of our favorites!) an intrusion alert on one of your accounts followed by a request to log in for verification to avoid account suspension.

Let’s take the didactic example above to analyze its content. Several signs clearly indicate a phishing attempt:

1. A typo in the title or the body of the text, which is poorly written;
2. The sender is identified as “OVH”, but upon closer inspection, the sender’s email address is rather strange, with a domain name ending in ‘@ublifow.net’. This attempt is quite crude, but often the sender address is extremely similar to a legitimate domain—one letter off, a ‘.net’ instead of a ‘.fr’, etc.;
3. The reply-to email address also uses a suspicious domain name: ‘@ov-h.net’;
4. The greeting is addressed not to your name or first name, but to an email address. Similarly, greetings that are overly generic can raise suspicion;
5. The text in the body of the email contains strange syntax or appears poorly translated;
6. The message urges you to act quickly and/or highlights negative consequences if you do not. The goal is to pressure you so you overlook other warning signs;
7. The redirect link in the email may look legitimate, but if you hover your cursor over it, the real redirect URL will appear, and not only will it be different, but it will often look highly suspicious;
8. This is not the case in this email, but if it contains an attachment, never open it—especially if the attachment’s title piques your curiosity. That is intentional and likely indicates malware.

Another situation requiring vigilance is when the sender uses the “sent as” function. This allows an email to appear as if it comes from a legitimate address, such as ‘@amadeus.com’ shown in red below.

The real sender’s email is the one shown in green on the right. In this example it is clearly visible, but sometimes you need to hover your mouse over the email—WITHOUT clicking—to reveal the true sender.

Finally, other common-sense rules apply. For example, if you are not typically the recipient of this type of email, or if the message requests unusual or critical actions, you should be cautious. When in doubt, ask your colleagues or your IT manager.

Example of a Fake Phishing Website

If you have nonetheless clicked such a link, you will likely land on a page that looks just like a legitimate website. Criminals copy the layout down to the smallest details. However, if you take a closer look at the example below—which recently appeared in the press—you will notice that the URL (website address) is not that of the government, since the ‘.app’ sequence should not be there.

If you think it would have been difficult to notice, that means the fraud was well executed. Indeed, it is unlikely that most of us know the exact web address of the tax administration website by heart and could distinguish the real one from the fake. What should you do in such cases? If you are unsure, it is recommended to connect directly to the site (via a Google search or your bookmarks, for example) rather than clicking on the redirect link included in the email.