How to tell if an email is fake

June 8, 2018

You know what a SPAM email is. You probably know what a PHISH email is too. But just in case, a PHISH email is an email that tries to look like it’s from a company in order to trick you into either giving them your password or installing malware on your computer or device. The people that send these PHISH emails are often pretty good at making them look real. However, if you know what to look for, you can pick up the clues that an email might be fake.

Let’s start with an example email that I received. I got an email that said it was from “iCloud Client”. The subject of the email was “[Alert] Reminder: We have prevented an unusual activity on May 2018”

There are several little clues here that something isn’t right:

  1. It says both alert and reminder. It is usually one or the other, not both.
  2. The date given is just a month and year, not an exact date. These people often use vague information.
  3. Although iCloud is certainly something real, iCloud client doesn’t really make sense.

On their own, these little clues are not enough to convict an email of being fake. Of course, the first thing you should think about is do I use iCloud? If not, then delete the email. If you do use iCloud, the safest thing to do at this point is to stop. Go to iCloud.com and check your account there. If everything seems OK there, then the email is probably a fake and you can delete it. If, however, you aren’t sure, the next step would be to open the email and look for more clues.

When I opened this particular email, I saw that it was from “iCloud Client norply-accountupdates32@marlynwixky7.org”.

There is one minor clue here and also one major clue.

The minor clue is that most email servers use noreply, but in this case they used norply. Again, this is a minor clue.

The major clue here is the email address that follows iCloud Client. The part of the email account after the @ is @marlynwixky7.org. A legitimate email from Apple concerning iCloud would be from @icloud.com or @apple.com. This clue tells us with 100% certainty that this email is fake. But even if this major clue had not been there, I would have been fairly certain that this email was fake because there were several minor clues.

This particular email wasn’t as tricky as some of them. Many of them try to make it look more legit. In this case, they might have listed the from email address as support.apple.com@marlynwixky7.org. The first part makes it look like it’s from apple.com, but the only part that matters is what’s after the @. Another trick they often use is to do something like this: support@apple.com.marlynwixky7.org. If you look after the @ it looks like it’s from apple.com at first. But it’s not. It’s from marlynwixky7.org.

In this case, the email itself was blank but had an attachment. You already know this, but I feel obligated to say it. Never open the attachment to an email unless you are 100% sure the email is legit. If there is even one minor clue that an email may not be real, don’t open the attachment.

Really good scammers can make an email look, at least on the surface, as if it is from support@apple.com (or whatever). In this case, if there are minor clues that an email is fake, the next step would be to look at the email headers. Email headers are parts of an email that you normally don’t view. It’s overhead information most people don’t want to see and so it’s normally not shown. When you look at the headers, they will tell you the exact name of the server the email came from. If that server’s name doesn’t end with apple.com (in this example), then it’s not from apple.com and it’s fake.

How you actually view the email headers depends on what email service you use and how you access your email. If you use Gmail and read your email by going to gmail.com, then when you are viewing an email, there is a small down arrow near where it lists who the email is from. Click on that small arrow and it will show you the headers. Gmail actually displays the headers in a very nice way that’s easy to read. But some email services don’t format the headers and it can be overwhelming. If you are on one of those, look for Mailed By and see what server is listed there.
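The "only what's after the @ matters" rule and the "does the name end with apple.com" header check described above can be automated. This is an added example, not part of the original post: it assumes `apple.com` and `icloud.com` as the trusted domains, uses a constructed message, and inspects the `Return-Path` header as an assumed stand-in for the sender shown in the headers. It also goes slightly beyond the page by rejecting names that merely end in the same letters, such as `notapple.com`.

```python
from email import message_from_string
from email.utils import parseaddr

# Domains the post names as legitimate for iCloud mail.
TRUSTED = ("apple.com", "icloud.com")

# Constructed sample: the From line and Subject are the ones quoted in the
# post; the Return-Path value is made up for illustration.
SAMPLE = (
    "Return-Path: <bounce@marlynwixky7.org>\n"
    'From: "iCloud Client" <norply-accountupdates32@marlynwixky7.org>\n'
    "Subject: [Alert] Reminder: We have prevented an unusual activity on May 2018\n"
    "\n"
)


def domain_of(address_header):
    """Return the lower-cased domain after the last @, ignoring the display name."""
    _name, addr = parseaddr(address_header)
    if "@" not in addr:
        return ""  # nothing usable to judge
    return addr.rpartition("@")[2].lower().rstrip(".")


def is_trusted(domain, trusted=TRUSTED):
    """True only if domain IS a trusted domain or a subdomain of one.

    The leading dot in the suffix test is what defeats both
    'apple.com.marlynwixky7.org' and 'notapple.com'.
    """
    return any(domain == t or domain.endswith("." + t) for t in trusted)


def check_message(raw):
    """Map each inspected header to (domain, trusted?) for a raw message."""
    msg = message_from_string(raw)
    result = {}
    for header in ("From", "Return-Path"):
        value = msg.get(header)
        if value:
            domain = domain_of(value)
            result[header] = (domain, is_trusted(domain))
    return result


if __name__ == "__main__":
    for header, (domain, ok) in check_message(SAMPLE).items():
        print(f"{header}: {domain} -> {'looks right' if ok else 'NOT a trusted domain'}")
```

A domain that fails this check settles the question; a From domain that passes does not, because the visible From line can be forged, which is why the headers are the next place to look.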

We don’t have room to list how to access the mail headers for every email service. If you can’t figure it out and can’t find the answer on Google, email us and we’ll tell you.

If you don’t want to mess with looking at headers, here are some basic rules to follow when reading email:

  1. Never click a link inside an email, even if you think it’s legit. Instead, manually go to the company website in question, log in, and do what you need to do. It’s not as convenient, but it’s safer.
  2. Don’t open an email attachment unless you are 100% sure it’s legit. If there is even one minor clue that the email isn’t legit, don’t open it. Even if it’s from a friend of yours. Their email could have been hacked.
  3. Be suspicious of every email you receive.
  4. If you aren’t sure if an email is legit or not, treat it as if it is fake.

Sorry this was so long and I hope it wasn’t too technical.
If you have any questions, please reply to this email and let us know.
