Daily QuickTip – Anatomy of a phishing email


A S A P Mac & PC Services
503 255-2419

As happens often these days, I received an official-looking email today.

Phishing email

This one is a helpful warning – or at least it appears to be.

Subject: Watch for errors on Social Security statement

Then it helpfully offers to let me check my Social Security statement for errors.

Due to possible identity theft, your annual Social Security statement may contain errors.

Use the link below to review your annual Social Security statement:

And of course, the link (I’ve inserted typos, “xyz”, so it won’t actually go anywhere):
Review your annual Social Security statement

So, how do I know it’s fake? There are a few things to watch for.

1. This one isn’t even about the email itself – it’s just a fact.
Your bank, the Social Security Administration, the IRS, eBay, PayPal: all of these are likely to appear in a phishing email. None of them will ever send an email to clients asking for account details, asking you to “verify your security”, or anything along those lines.

2. The “To” address isn’t mine. It sometimes might read “undisclosed-recipients”.

3. Often, you’ll see spelling or grammatical errors. While everyone is perfectly capable of sending emails with errors, they are usually less common in business communications. This particular ‘phishing’ email is anomalous – it does not contain spelling errors, serious grammatical flubs, or oddly phrased or stilted language that can often indicate a message composed by a non-English speaker.

4. The link in the email doesn’t actually go to a Social Security Administration server. You don’t have to visit the link to tell – just hover the mouse pointer over the link (point to it, but don’t click). Usually, you’ll see a box pop up that shows you where the link will go:

This is where the link actually goes. If you read closely, you'll see it's going to a server in Belgium. The SSA, I'm sure, doesn't host its websites overseas.

Technical bits: If you look at that link, you can tell where it goes by looking at the part between “http://” and the next slash – “/”. This is the “server” or “host” name. That’s the name of the computer that the web site lives on.

Here is the hostname:
statements.ssa.gov.reedasg.be

“statements.ssa.gov”, if it were the entire hostname, would probably be legitimate (but see point #1 above – SSA doesn’t send these).

But, it’s followed by more: reedasg.be. This is the “domain” in which the machine lives. It’s kind of like the city/state/country in a street address.

statements.ssa.gov.reedasg.be translates like this. Let’s look at it backwards, starting with the “.be”.

In “be” (Belgium), look for “reedasg” (a “second level” domain – similar to a state in a physical address). Once you get there, look for a 3rd-level domain (think “county” or “parish”) called .gov, then look for the city called “ssa”, then find the house called “statements”. So in essence, you have some dinky little machine somewhere masquerading as the Social Security servers (statements.ssa.gov).
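The same right-to-left reading, as an added example (not from the original post): pull the host name out of the link, list its labels the way DNS resolves them, and check whether the host really sits under ssa.gov. The “/review” path on the phishing URL is constructed; the host names are the ones shown on this page.

```python
from urllib.parse import urlsplit

# Constructed sample links: the phishing host from this page, and what a
# genuine SSA link would look like for comparison (the "/review" path is made up).
PHISH_URL = "http://statements.ssa.gov.reedasg.be/review"
LEGIT_URL = "https://statements.ssa.gov/"


def hostname_of(url: str) -> str:
    """Return the host name: the part between the scheme's '//' and the next '/'."""
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def labels_right_to_left(host: str) -> list[str]:
    """Split a host name into labels, top-level domain first, as the post reads it."""
    return list(reversed(host.split(".")))


def registrable_domain(host: str) -> str:
    """Top-level plus second-level label, e.g. 'reedasg.be' or 'ssa.gov'.

    Caveat: this treats the last label as the whole public suffix.  For suffixes
    such as 'co.uk' you would need the Public Suffix List to get the right answer.
    """
    parts = labels_right_to_left(host)
    return ".".join(reversed(parts[:2]))


def is_under(host: str, domain: str) -> bool:
    """True only if host equals domain or is a subdomain of it.

    The leading '.' matters: a plain suffix test would wrongly accept 'fakessa.gov'.
    """
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


if __name__ == "__main__":
    for url in (PHISH_URL, LEGIT_URL):
        host = hostname_of(url)
        print(host, labels_right_to_left(host), registrable_domain(host),
              "under ssa.gov" if is_under(host, "ssa.gov") else "NOT under ssa.gov")
```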

Protect yourself
Again, the best thing you can do to protect yourself is to know that the IRS, SSA, banks, etc., never send these emails. Delete them. If you need to visit your bank or an official web site, type the www.whatever.com address into the address bar of your browser (Internet Explorer, Safari, Firefox, etc.) yourself.

For further reading, see these articles and pages:
SS spoofed in scam (SC Magazine US)

Protect yourself from phishing (IRS)

Washington Mutual phishing scam (about.com)