Tips and tricks from my line of work on how to identify phishing emails.

Part of my job at work is investigating and responding to phishing emails within the organization. So here are a few tips and tricks to help identify them and stay safe. *Email was made for educational purposes.

First things first, you see a notification like this and you start to freak out.

https://preview.redd.it/pyrtuvik0yv61.png?width=360&format=png&auto=webp&s=fa7c19ec8dd075ce2b6a51d51b1a57c409fe5076

Upon clicking the notification you see this email:

https://preview.redd.it/axbzhbpl0yv61.png?width=703&format=png&auto=webp&s=b0d2d734e8d7acb6312f85bd264a51602049c673

The most effective phishing emails are the ones that create a sense of urgency.

Attackers prey on your emotions: you see this email, start to freak out, and click the link without even thinking.

Step 1.) Remain calm. Before you do anything, actually analyze the email.

Step 2.) Check the sender. In the notification and the email above, the name is 'Coinbase'. Attackers will also try to mimic email addresses similar to the legitimate one; in this case it's Support_Coinbase_no-reply and the domain is protonmail.com, but attackers may use domains similar to coinbase, such as switching out the 'i' with an 'l', e.g. @Colnbase.com, to make it more realistic (the site is currently for sale, so it might realistically be an attack in the future). Also, when creating this email I noticed a lot of emails similar to this were already taken.

https://preview.redd.it/2tkwxaqu0yv61.png?width=777&format=png&auto=webp&s=f3779588e4bcadea775a61dea6d3281f03ec8a8e

The sender may also be spoofed and look like it came from a legitimate sender, for that we can check the headers, which I will cover later.

Step 3.) Language. Oftentimes phishing emails are rushed and loaded with spelling errors; in this email you can see 'account' is spelled wrong, along with a missing apostrophe in 'didn't'. And as stated, they will try to rush you with a sense of urgency, so look out for keywords such as 'urgent' / 'immediately'.

https://preview.redd.it/lwjshw7y0yv61.png?width=540&format=png&auto=webp&s=0108a0c2053ee0bf9dee97601d8fb1368bc02abf

Step 4.) Links. Generally I'd advise never clicking links in emails and just visiting the site through a bookmark you set or typing it in the address bar (searching through a search engine can have ads that lead to malicious sites above the legitimate one).

https://preview.redd.it/q5csmk811yv61.png?width=323&format=png&auto=webp&s=0a34503645200d7f0942737d7ce9256e02b10864

For this you can hover your mouse over the link to see that the link actually goes to reddit and not Coinbase Support, but this could have led to a phishing site where you enter your Coinbase credentials, and if you don't have 2FA activated they now have the ability to log in.

You can also right click and hit 'Copy Link Address' and use a tool such as https://urlscan.io/ to scan the URL and see where it goes (make sure to change it to private search in case it contains personal info), or check the URL against sites such as https://transparencyreport.google.com/safe-browsing/search, http://phishtank.org/index.php, or https://www.virustotal.com/gui/ to see if it's known.

Headers:

First, to find out how to get the headers for your mail service: https://mxtoolbox.com/Public/Content/EmailHeaders/

After getting the headers for the email, you can paste them into the analyze headers section (for analyzing headers I use: https://mxtoolbox.com/EmailHeaders.aspx).

What I generally look at is:

  • smtp.mailfrom
  • Return-Path
  • From:
  • Reply-to/Bounces-to

which should all line up with the legitimate sender / company.

Quick Protections:

  • Have an email dedicated to crypto. You can check your email in https://haveibeenpwned.com/ to see if it has been part of any breaches (assume any passwords to those breached sites have been compromised and change them).
  • Some sites have an option to set an anti-phish code: you set a code that is then displayed in all legitimate emails from that site.

submitted by /u/xCryptoPandax
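The header comparison from the 'Headers' section above, as an added Python example that is not part of the original post: it pulls the domain out of From, Return-Path, Reply-To and smtp.mailfrom and reports any that do not belong to the domain you expect. The sample headers, the `mx.example.net` host, the coinbase.com addresses in `LEGIT` and the function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def domain_of(value):
    """Lowercased domain of an address header, or None if missing/empty."""
    addr = parseaddr(value or "")[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None

def sender_domains(raw_headers):
    """Collect the domain from each header the post says to compare."""
    msg = message_from_string(raw_headers)
    found = {h: domain_of(msg.get(h)) for h in ("From", "Return-Path", "Reply-To")}
    # smtp.mailfrom is reported by the receiving server in Authentication-Results;
    # it may be a full address or a bare domain.
    auth = " ".join(msg.get_all("Authentication-Results", []))
    m = re.search(r"smtp\.mailfrom=([^\s;]+)", auth)
    found["smtp.mailfrom"] = m.group(1).rsplit("@", 1)[-1].lower() if m else None
    return found

def mismatches(raw_headers, expected):
    """Headers whose domain is neither `expected` nor a subdomain of it."""
    expected = expected.lower()
    return {h: d for h, d in sender_domains(raw_headers).items()
            if d and d != expected and not d.endswith("." + expected)}

# Constructed sample headers (not taken from a real message).
PHISH = (
    "Return-Path: <Support_Coinbase_no-reply@protonmail.com>\n"
    "Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=protonmail.com\n"
    "From: Coinbase <Support_Coinbase_no-reply@protonmail.com>\n"
    "Subject: Urgent\n\n"
)
LOOKALIKE = (
    "From: Coinbase <no-reply@Colnbase.com>\n"
    "Reply-To: help@colnbase.com\n\n"
)
LEGIT = (
    "Return-Path: <bounces@mail.coinbase.com>\n"
    "Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=bounces@mail.coinbase.com\n"
    "From: Coinbase <no-reply@coinbase.com>\n\n"
)

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("lookalike", LOOKALIKE), ("legit", LEGIT)):
        print(name, mismatches(raw, "coinbase.com"))
```

Headers that are absent are skipped, so an empty result means no mismatch was found, not that the message is authentic.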