
Anatomy of an Email

Training Video Transcript

Slide 1

The following is a training and awareness video provided by the Executive Office of Technology Services and Security.

Anatomy of an Email. Spotting the Red Flags of Social Engineering.

Slide 2 - Introduction

Today we’ll be looking in detail at the individual components that make up an email. By better understanding the anatomy of an email, we can train ourselves to spot potentially malicious or dangerous messages and protect both ourselves and the Commonwealth.

You might recognize the message on your screen. This message was sent out randomly across the Executive Branch as part of EOTSS’s simulated phishing program. We send these messages out to gain valuable insight into the cyber hygiene of our userbase.

Let’s begin by analyzing the anatomy of the message on our screen.

Slide 3 – Outside Sender Warning

Of immediate note is the outside sender warning above the body of the email. This lets us know that the sender of this message is not a coworker, colleague, or a part of our organization, and is from an external source.

Though not a sign of danger in and of itself, the majority of malicious messages a user might encounter do come from an external sender. Be sure to treat any message from an external sender with vigilance.

Slide 4 – ‘From’ and ‘Subject’ Line

Now that we’ve done our initial due diligence and know this message comes from a sender outside of the Commonwealth, let’s move on to take a look at other components of this message.

We’ll start with the ‘From’ field and then move on to the subject line. When looking at the ‘From’ field, we can immediately notice two potential red flags – if we take the time to see them.

The sender’s name is “Human Resource”. Though not an indicator of malicious intent on its own, the name of the sender should be grammatically correct, and “Human Resources” is traditionally the terminology used.

If we look at the sender’s email address, we’ll find a dummy address. As employees of the Commonwealth, we know that our official website is mass.gov, not govmass.com.

Slide 5 – ‘From’ and ‘Subject’ Line, cont.

Next, we’ll focus on the ‘Subject’ field. One of the most common social engineering tactics utilized by bad actors is an artificial ‘sense of urgency, consequence, or reward’. Spammers want you to act first and think later. If the message conveys a sense of urgency, uses high-pressure tactics, or offers rewards or too-good-to-be-true incentives, be skeptical. Never let the urgency of a potential scammer influence your careful review.

In this example, we can see that the subject line contains a demand for immediate action in all capital letters. Just like most of our other social engineering indicators, this subject line alone is probably not enough to indicate that this message is definitely dangerous. But again, when combined with the various other pieces of evidence we have or will discover, there is a good likelihood that this message could be illegitimate.
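The ‘From’ and ‘Subject’ checks described above, written out as a small triage script. This is an added example, not part of the EOTSS training or its simulated phishing program; it assumes mass.gov is the only official domain, and the sample message and the urgency word list are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
import re

OFFICIAL_DOMAINS = {"mass.gov"}  # domains we treat as internal (assumption)
URGENCY_WORDS = {"immediate", "urgent", "now", "action required", "bonus", "reward"}

# Constructed sample modelled on the simulated phish in the transcript.
SAMPLE_RAW = """\
From: Human Resource <hr@govmass.com>
To: employee@mass.gov
Subject: IMMEDIATE ACTION REQUIRED: bonus review

Please review here.
"""

def sender_flags(from_header: str) -> list[str]:
    """Red flags from the 'From' field: external domain, lookalike domain, display name."""
    flags = []
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if domain not in OFFICIAL_DOMAINS:
        flags.append(f"external sender domain: {domain or 'unknown'}")
        for official in OFFICIAL_DOMAINS:
            # Heuristic: every label of the official domain appears inside the
            # external domain (e.g. 'mass' and 'gov' both inside 'govmass.com').
            if all(label in domain for label in official.split(".")):
                flags.append(f"possible lookalike of {official}: {domain}")
        if name:
            flags.append(f"display name '{name}' used on an external address")
    return flags

def subject_flags(subject: str) -> list[str]:
    """Red flags from the 'Subject' field: shouting in capitals and urgency wording."""
    flags = []
    letters = [c for c in subject if c.isalpha()]
    if letters and sum(c.isupper() for c in letters) / len(letters) > 0.5:
        flags.append("subject is mostly capital letters")
    hits = sorted(w for w in URGENCY_WORDS
                  if re.search(r"\b" + re.escape(w) + r"\b", subject.lower()))
    if hits:
        flags.append("urgency/reward wording: " + ", ".join(hits))
    return flags

def triage(raw_message: str) -> dict:
    """Parses a raw RFC 5322 message and returns the flags for its From and Subject."""
    msg = message_from_string(raw_message)
    return {"from": sender_flags(msg["From"] or ""),
            "subject": subject_flags(msg["Subject"] or "")}
```

Running triage(SAMPLE_RAW) reports the external and lookalike domain, the display name, the all-capitals subject and the urgency wording, while a plain newsletter from an @mass.gov address reports nothing.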

Slide 6 – Review and Signature

Before moving on to the signature field, let’s take a brief moment to take stock.

Using our most fundamental skills, we can tell that not only does this message come from outside of the Commonwealth but that it comes from someone attempting to impersonate our official domain. In addition, the sender is potentially utilizing the social engineering tactic of creating a false sense of urgency, consequence, or reward.

Taken together, these are strong indicators that this could be a message with malicious intent. Let’s move on to the signature of this email to discover even more red flags that something about this message is phishy.

Slide 7 – Signature, cont.

Highlighted below is the signature of the message, which contains additional clues letting us know this message is fraudulent, especially in combination with what we learned from the ‘From’ field, the subject line, and the outside sender warning.

Though it might seem silly, if you ever find yourself questioning the authenticity of an email you’ve received, stop, take a break and ask yourself the simple question… do I know this person? It seems obvious, but we can spot many phishing emails by simply realizing the message comes from a person we have never heard of. This message is a perfect example. Have we ever met or heard of a Chris Hernandez in HR? Chris from HR might certainly be real, but when combined with the other pieces of evidence we’ve collected, this serves as another potential red flag. Moving on to the remainder of the signature only serves to strengthen our suspicions.

This individual’s title is listed as “HR Bonus and Incentive Coordinator”. Just like the name we looked at earlier, if this title indicates a position and/or employee benefit you have never heard of, there is a good chance it could be another red flag.

Finally, looking at the website domain included in the sender’s signature, we yet again see ‘govmass.com’, the same bogus domain used in the ‘From’ field.

Slide 8 – Email Body

Next we’ll move on to the body of the email, focusing specifically on grammar, presentation, and professionalism.

In modern work, email is by and large the primary medium by which working professionals communicate and publicly present themselves. Therefore, one of the easiest-to-spot red flags of a potentially illegitimate message is obvious or egregious grammatical errors, unusual syntax, or unprofessional language, demeanor, or demands.

In addition to the aforementioned ‘Human Resource’ name in the ‘From’ field, there are at least four additional grammatical errors in the body of this message. Though we won’t break each of them down individually, a quick review of this message reveals numerous obvious grammatical issues. Taken by itself, this could potentially just be an indicator of carelessness, but when viewed holistically these grammar issues serve as another red flag.

Slide 9 – Hyperlinks and Mouse Hover

Finally, let’s move on to the inspection of hyperlinks, one of the most important tools remaining in our kit.

Hyperlinks, or just links, are lines of text that direct users to a destination – usually to a specific file or a web URL. The text you actually see, probably most often encountered in computing as ‘click here’ links, is what’s referred to as anchor text.

Slide 10 – Hyperlinks and Mouse Hover, cont.

Here’s an example of a hyperlink and anchor text from Google.

In this example, the anchor text is “Nike. Just Do It.” The anchor text is currently hiding the actual link from us.

If we move our mouse cursor to hover over the hyperlink, we will see the URL hidden behind the anchor text.

We can do the same thing with links in our email inbox. Let’s give it a shot with the example we’ve been reviewing.

Slide 11 – Mouse Hover, cont.

As you can see highlighted on your screen, our example message contains a hyperlink. The word “here” specifically is hyperlinked and serves as the anchor text.

Slide 12 – Mouse Hover, cont.

Based on the text of this email, the sender wants us to think that clicking this hyperlink will provide us access to a performance review and financial bonus.

If this message is legitimately regarding a performance review for Commonwealth employees, it’s probably safe to assume that the highlighted hyperlink should direct to mass.gov or to a website affiliated with or adjacent to mass.gov. Let’s use the mouse hover technique we just learned to see where this hyperlink actually points.

Hovering our mouse over the hyperlink reveals the actual destination link, and it does not point to an official Commonwealth website; instead it points to what is clearly a spammer’s website. Knowing what we know now, under no circumstances should a link like this be clicked.
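The mouse-hover check done programmatically: collect every link in an HTML message body, pair the visible anchor text (“here”) with the real destination, and flag destinations outside the domains a legitimate performance-review notice would use. This is an added example rather than anything from the EOTSS video; it assumes mass.gov and its subdomains are the expected destinations, and the HTML body and the non-mass.gov host names are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

EXPECTED_DOMAINS = {"mass.gov"}  # official site and its subdomains (assumption)

# Constructed sample body modelled on the message in the transcript.
SAMPLE_HTML = """
<p>Your performance review and bonus are ready. Click
<a href="http://bonus-review.example.net/login">here</a> to view them.</p>
<p>Questions? Visit <a href="https://www.mass.gov">https://www.mass.gov</a>.</p>
"""

class LinkCollector(HTMLParser):
    """Pairs each <a> element's visible anchor text with its href attribute."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []
    def handle_data(self, data):
        if self._href is not None:      # only collect text inside an <a>
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def in_expected(host: str) -> bool:
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in EXPECTED_DOMAINS)

def hover_check(html_body: str) -> list[dict]:
    """One record per link: anchor text, real host, and the red flags found."""
    parser = LinkCollector()
    parser.feed(html_body)
    results = []
    for text, href in parser.links:
        host = urlparse(href).hostname or ""
        flags = []
        if not in_expected(host):
            flags.append("destination outside expected domains")
        # If the anchor text itself looks like a URL, it must match the destination.
        shown = urlparse(text).hostname if "://" in text else None
        if shown and shown.lower() != host:
            flags.append("anchor text shows a different address than the destination")
        results.append({"text": text, "host": host, "flags": flags})
    return results
```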

Slide 13 – Review

Let’s wrap up with a quick review.

Slide 14 – Review, cont.

When dealing with a suspect message, be sure to follow these steps.

Slide 15 – End

This has been a training and awareness video provided by the Executive Office of Technology Services and Security.