A Letter from the Easter Bunny – on Email Phishing and Other Spoofs
Consider the following scenario: You receive an email message from the HR department of a large international corporation inviting you to a job interview. The company is looking for a language professional with precisely your skill set. The offer sounds perfect, almost too good to be true. So you look up the company online; its URL (its address on the World Wide Web) matches the domain of the email address, and everything seems fine. Or is it? Read on to find out how you can tell whether an email is authentic or could be a scam.
Online scams have been steadily on the rise and seem to have multiplied during the pandemic. These scams have become more and more sophisticated. Lately, many scams involve impersonating a large, reputable company. In cybersecurity parlance, this impersonation is called spoofing. Closely related are phishing and smishing. Phishing is defined as “the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.” [Definition by Oxford Languages and Google.] Smishing is the same fraudulent practice accomplished via text messages.
Is it possible to tell who really sent a message? How can you tell where a link leads to? How can you do so on a mobile device? In the following I will address all these questions.
A Letter from the Easter Bunny
The picture above shows an actual, physical letter I recently sent to my own business address. If you look closely at the alleged sender’s address, marked with a red box, you will notice that the letter was apparently sent by none other than the Easter Bunny, from an entirely fictional address. I put it into the mailbox like any other outgoing mail. The US Postal Service delivered the letter despite the fake sender, because the recipient’s address is correct, and the postage was sufficient. USPS does not verify the sender’s address, unless you buy additional services such as insurance or a return receipt.
This picture here shows an email I also sent to myself, again with an entirely fake sender’s email address. In other words, I spoofed the URL “BigTranslationAgency.com.” I could’ve impersonated any other URL in the “from” field just as easily. This is possible because the “from” email address functions very similarly to the sender’s address on a physical mail envelope. It is just a label. Just like with physical mail, as long as the recipient’s email address is correct, the email will be delivered.
How Can I Tell That an Email Is Spoofed?
If you look closely at the alleged letter from the Easter Bunny, you’ll notice the postmark from the US Postal Service that lists “Santa Barbara, CA” as the post office where the letter originated. Santa Barbara, California, USA, is not located on Easter Island, which is a part of Chile. Thus the postmark of the originating post office is a giveaway that this letter was not, in fact, sent by the Easter Bunny from Easter Island.
Similarly, if you are looking at an email on a desktop device, you can expand the email header to view more information. In my email program, the command would be View > Headers > All (instead of “Normal”). That expands the header to show the first relaying server, which you can think of as the online analog of the postmark of the originating post office. The picture below shows the expanded header of the fake email shown above. You can see that the “Message ID” does not match the “From” address. (The domain corp.parking.ru is the service I used for sending the fake email to myself. This service is entirely legitimate.) This mismatch generally suffices to show that the email is fake. In this article in The ATA Chronicle, I explain further how to decipher the rest of the email header.
On mobile devices, unfortunately, there is no option to expand the headers. Therefore, you’ll need to use another approach to determine whether an email is authentic or fake. This method, which I will describe next, will also work on desktops, if you don’t want to expand headers.
Alternative Methods for Determining Email Authenticity – Reply-To Addresses and Fake Links
The picture above shows a phishing email sent to me in my capacity as NCTA Webmaster. The scammers were trying to impersonate (spoof) GoDaddy, a reputable web hosting company. In this case I knew immediately that the message was fake, because NCTA does not currently use GoDaddy as an email service provider. But this message is a good example to illustrate the concepts in this section.
The Reply-To Address
All scammers expect a response; otherwise the scam cannot proceed. However, since the sender’s address is fake (spoofed), scammers usually provide another means to contact them. One option is the “reply-to” address. This is the email address that you reply to when you click on “Reply” in your email program. In most desktop email clients, this “reply-to” address is part of the standard header that is displayed. If it is not, you can change the settings such that the “reply-to” address is displayed. For details on how to accomplish this, please see the documentation for your specific email client. Thus, if you’re using a desktop computer, you can see at first glance whether the “reply-to” address is the same as the “from” address, or at least within the same domain (the portion of the address after the “@”).
On mobile devices, however, this is not so straightforward. Even when you hit “Reply,” the email address is not displayed if the “reply-to” field also contains a name/label. One alternative option to display the “reply-to” address is to tap “Forward” instead of “Reply.” If you have set your email program to forward messages inline, the standard header including “from” and “reply-to” addresses is then displayed in the draft message. When I do this with the aforementioned message impersonating GoDaddy, I get the following result:
The email is obviously fake, because GoDaddy does not send emails from phil firstname.lastname@example.org.
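The three header comparisons made so far (“From” versus “Message-ID,” “From” versus “Reply-To,” and “From” versus the first relaying server) can be automated. The following Python script is an added example, not part of this article or of any email client; it uses only the standard library. The two messages it checks are constructed for the example and modelled on the spoofed message described above: the sender domain BigTranslationAgency.com and the relay corp.parking.ru come from the article, while the Reply-To address, the IP addresses and the recipient are made up. The helper that reduces a host name to its last two labels is a simplification (it ignores two-part public suffixes such as co.uk).

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the spoofed email in the article: "From" claims
# BigTranslationAgency.com, but the Message-ID, the Reply-To address and the first
# relaying server all point elsewhere. Addresses and IPs are illustrative only.
SAMPLE_SPOOFED = """\
Received: from mail.corp.parking.ru (mail.corp.parking.ru [203.0.113.10])
\tby mx.example.net with ESMTP id abc123; Mon, 4 Apr 2022 09:00:00 -0700
From: "HR Department" <hr@BigTranslationAgency.com>
Reply-To: "HR Department" <phil.recruiter@freemail-provider.example>
To: me@example.net
Message-ID: <20220404160000.1234@corp.parking.ru>
Subject: Job interview invitation

Please reply to confirm your interview slot.
"""

# Constructed sample of a consistent message: every header points at the same domain.
SAMPLE_LEGIT = """\
Received: from mail.bigtranslationagency.com (mail.bigtranslationagency.com [198.51.100.5])
\tby mx.example.net with ESMTP id def456; Mon, 4 Apr 2022 09:05:00 -0700
From: "HR Department" <hr@BigTranslationAgency.com>
To: me@example.net
Message-ID: <20220404160500.5678@mail.bigtranslationagency.com>
Subject: Job interview invitation

Please reply to confirm your interview slot.
"""


def registrable_domain(addr_or_host):
    """Reduce an address or host name to its last two labels, lower-cased
    (mail.corp.parking.ru -> parking.ru). Simplification: public-suffix
    lists such as co.uk are ignored here."""
    host = addr_or_host.rsplit("@", 1)[-1].strip("<> ").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def first_relay_host(msg):
    """Host named in the earliest Received header: the online analog of the
    postmark of the originating post office. Each server prepends its own
    Received line, so the earliest hop is the LAST one in the list. Only the
    Received lines added by servers you trust (your own provider's) are
    reliable; anything below them may itself have been forged."""
    received = msg.get_all("Received", [])
    if not received:
        return None
    m = re.search(r"from\s+([\w.-]+)", received[-1])
    return m.group(1).lower() if m else None


def header_checks(raw):
    """Compare the From domain with Reply-To, Message-ID and the first relay.
    Returns a dict of the mismatches found; an empty dict means consistent."""
    msg = message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1]
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1]
    message_id = msg.get("Message-ID", "")
    relay = first_relay_host(msg)
    from_dom = registrable_domain(from_addr)

    findings = {}
    if reply_addr and registrable_domain(reply_addr) != from_dom:
        findings["reply_to_mismatch"] = reply_addr
    if "@" in message_id and registrable_domain(message_id) != from_dom:
        findings["message_id_mismatch"] = message_id
    if relay and registrable_domain(relay) != from_dom:
        findings["relay_mismatch"] = relay
    return findings


if __name__ == "__main__":
    for label, raw in (("spoofed", SAMPLE_SPOOFED), ("legit", SAMPLE_LEGIT)):
        print(label, header_checks(raw) or "no mismatches")
```

A mismatch is a strong hint, not proof: legitimate mailing-list and bulk-mail services also send on behalf of other domains, which is why the article recommends reading the rest of the header as well.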
Other phishing (and smishing) messages include a fake link that the recipient is supposed to click. In these cases, the actual link leads to a fake website, not to the address that the link text displays. In other words, the actual link and the displayed link text do not coincide. On a desktop device, an easy way to display the actual URL (Internet address) that a link leads to is to hover over the link text with the mouse. Your email client will then display the actual target link, usually at the bottom of the email client window (your email client may differ). Hovering with the mouse over the fake GoDaddy message displays the following:
Note the link at the bottom, which is obviously not a GoDaddy URL.
On mobile devices, this again leads to a problem, because you don’t have a mouse to hover over links with. On a mobile device, you can press and hold your finger on the link or button until the link is surrounded by a bubble shape, as in the picture below, and a popup appears. Shown is again the same fake GoDaddy message URL. The precise menu items and display options that appear will depend on your mobile operating system and device, but whatever you do, do not click on “Open Link”! Make sure to press and hold rather than accidentally tapping the link. This press-and-hold process also works with text messages (smishing).
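The hover and press-and-hold checks both compare the displayed link text with the actual target. The Python script below is an added example (not part of this article, and not how any mail client does it) that performs the same comparison on the HTML body of a message and goes one step further than the article: besides flagging links whose visible text names one host while the href points to another, it flags every link whose target lies outside the domain the message claims to come from. The HTML fragment is constructed for the example; GoDaddy’s domain comes from the article, and the host account-verify.example is an invented placeholder.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed HTML fragment modelled on the fake GoDaddy message: the first link
# displays a GoDaddy address but points elsewhere, the second is a plain button
# with the same foreign target, the third is a genuine GoDaddy link.
SAMPLE_HTML = """
<p>Your hosting account needs attention.</p>
<a href="http://account-verify.example/login">https://www.godaddy.com/login</a>
<a href="http://account-verify.example/login">Verify now</a>
<a href="https://www.godaddy.com/help">GoDaddy help center</a>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_text):
    """Lower-cased host name of a URL; also accepts bare text such as
    'www.godaddy.com/login' by assuming an http:// prefix."""
    s = url_or_text.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def looks_like_url(text):
    """True when the visible link text itself reads as a URL or domain name."""
    return bool(re.match(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", text.strip(), re.I))


def suspicious_links(html, claimed_domain):
    """Return [(href, text, reasons)] for every link that (a) displays one host
    but leads to another, or (b) leads outside the sender's claimed domain."""
    collector = LinkCollector()
    collector.feed(html)
    claimed = claimed_domain.lower()
    findings = []
    for href, text in collector.links:
        actual = host_of(href)
        reasons = []
        if looks_like_url(text) and host_of(text) != actual:
            reasons.append(f"displays {host_of(text)} but goes to {actual}")
        if not (actual == claimed or actual.endswith("." + claimed)):
            reasons.append(f"target {actual} is outside {claimed}")
        if reasons:
            findings.append((href, text, reasons))
    return findings


if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_HTML, "godaddy.com"):
        print(f"{text!r} -> {href}: {'; '.join(reasons)}")
```

The second check needs a claimed domain, which you take from the “From” address or from the brand the message pretends to be; a legitimate notification from a company will normally link only into that company’s own domain, so any outside target deserves the same suspicion as the mismatched hover text in the screenshot above.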
Spoofing, phishing, and smishing attacks are on the rise. Above, I have shown you how to verify the authenticity of emails and text messages without being a highly skilled cybersecurity expert. For further reading, I recommend my previous articles on the topic of scams that have appeared in Translorial: Cautionary Tales for Interpreters and Translators — An Overview of Scams Targeting the Language Industry (co-authored with Peg Flynn) and The ATA Chronicle: Translation Scams: Avoiding Them and Protecting Your Identity, Translation Scams Reloaded, and New Twists on Old Scams: Language Professionals Beware!
The domain corp.parking.ru and GoDaddy are reputable service providers that appear merely as illustrative examples. These examples are not meant and should not be construed as reflecting negatively on either service.