Understanding how to Identify Phishing Emails

Understanding Email Authentication

Phishing emails can be a major problem for schools and businesses, with increasingly sophisticated techniques being used to trick people into disclosing their personal details, transferring money, or opening up access to sensitive data and systems. While most people are aware that phishing exists, it’s often decidedly difficult to determine whether a given email is actually legitimate.

While most phishing emails have relatively obvious tells – poor spelling or grammar, outdated imagery, erroneous addresses and the like – many appear, on the surface, indistinguishable from legitimate mail, particularly in the case of targeted mail (spearphishing).

However, there are a few technical factors that can help you identify phishing emails (although, in some cases, particularly sophisticated mail can be designed to fool these). In this post, we’re taking a look at three major authentication protocols designed to help combat phishing and spam mail – SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting and Conformance).

As an Exa customer, if you’d like more in-depth guidance and advice concerning phishing, don’t hesitate to contact our support team (or our newly established customer relationship team) at 0345 145 1234!

Sender Policy Framework

In many cases, it’s possible to identify phishing emails based on the address that they come from – Amazon wouldn’t contact someone using a Gmail address, for instance. However, the displayed address isn’t a guarantee that an email is from the person it appears to be from.

When sent, emails carry an envelope sender address specifying where the email has actually been sent from (the MAIL FROM, or “mfrom”, also used as the return path for bounces), along with various other technical details. Most mail clients hide this. Instead, clients display a second address: the From: header.

It’s possible for spammers to fake both of these details. However, SPF gives domain holders an effective way to add an extra level of certainty to the envelope sender. Essentially, SPF records (published as DNS TXT records) let domain holders specify which IP addresses may send email addressed from their domains – receiving mail systems can then reject or flag mail that fails this check.

However, SPF only checks the mfrom domain, so spammers can still spoof the From: address that the recipient actually sees, creating a potential issue. It’s worth being aware of SPF, but it’s not necessarily a silver bullet to stop phishing.

DomainKeys Identified Mail

A system for ensuring that emails can be verified as sent, DKIM digitally signs messages: the sending server converts the content (and selected headers) of an email into a single hash, then signs that hash using a private key, producing a signature that cannot be forged without the private key and can only be verified with the matching public key.

This public key is found via a DNS query run by the receiving mail server, which uses it to verify the signature and recover the hash, then compares it against a hash freshly computed over the received message. If these match, the message can be determined to have come from a server holding the signing domain’s private key, while also guaranteeing that the signed content has not been changed in transit – the mail can then be read with that assurance.

While hard to implement, DKIM can provide an additional level of certainty for users when in place. However, the From: address may still be spoofed in the first place, since the signing domain need not match the From: domain – something to be aware of.

Domain-based Message Authentication, Reporting and Conformance

An effective modern standard to prevent phishing, DMARC incorporates both SPF and DKIM checks, before adding some additional checks. Put simply, DMARC requires that the domain in the From: address must match (“align with”) the mfrom domain checked by SPF, or the domain in the DKIM signature, removing an option often exploited by spammers.

If DMARC authentication fails (or if the sender doesn’t implement DMARC for the From: address), domain holders can set up various policies for mail detailing how it should be filtered or rejected. As such, DMARC gives recipients much greater confidence that mail they receive is from the sender it claims to be from, helping to add an additional level of security against phishing mails.
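The alignment rule described above, as an added example that is not part of the original post or Exa’s own systems: it takes already-computed SPF and DKIM results (constructed inputs, not real DNS lookups) plus the domain’s DMARC TXT record, and returns the DMARC verdict and the policy action. The organisational-domain logic is a labelled simplification of what a real verifier does.

```python
# Added example (not from the original post): evaluates DMARC alignment the way a
# receiving mail server would, using constructed SPF/DKIM results as input.
from dataclasses import dataclass
from typing import Optional, Tuple

def parse_dmarc_record(txt: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; aspf=s' into tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    return tags

def org_domain(domain: str) -> str:
    """Simplification: treat the last two labels as the organisational domain.
    Real verifiers use the Public Suffix List (e.g. for example.co.uk)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') only the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

@dataclass
class AuthResults:
    from_domain: str              # domain in the From: header the user sees
    mfrom_domain: str             # envelope sender (mfrom) domain that SPF checked
    spf_pass: bool                # did SPF pass for mfrom_domain?
    dkim_domain: Optional[str]    # d= of a DKIM signature that verified, or None
    dkim_pass: bool               # did that signature verify?

def evaluate_dmarc(r: AuthResults, record: Optional[str]) -> Tuple[str, str]:
    """Return (dmarc_result, action). No record published means no DMARC policy applies."""
    if record is None:
        return "none", "none"
    tags = parse_dmarc_record(record)
    # SPF or DKIM may pass on its own; DMARC additionally needs the passing
    # domain to align with the From: domain. Either aligned pass is enough.
    spf_ok = r.spf_pass and aligned(r.from_domain, r.mfrom_domain, tags.get("aspf", "r"))
    dkim_ok = (r.dkim_pass and r.dkim_domain is not None
               and aligned(r.from_domain, r.dkim_domain, tags.get("adkim", "r")))
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", tags.get("p", "none")  # p= tells the receiver what to do on failure
```

The first test case below is the exact gap the post describes: SPF passes for the spammer’s own mfrom domain, yet the spoofed From: domain fails DMARC.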