We commonly get questions about whether an email is real or fake (spam, phishing, etc.). Here are some ways to identify an email you should delete.
- Note the sender address in the From field. If this was really from someone at PSU, the address would end with psu.edu. If an email's From address is anything other than the organization it claims to be from, it's probably fake. In this example, ending with .au means this was sent from somewhere in Australia. You'll often see addresses ending in .jp (Japan), .cn (China), .nz (New Zealand), .ru (Russia) or our favorite .ng (Nigeria). An email's From ending in these kinds of country codes claiming to be Penn State, or Amazon, or anyone else is a clear fake.
- Note the To address says Undisclosed Recipients. This indicates the email was sent to a blind mass list. If the email is about an account issue, it should have your email address listed in the To field, so if it does not, or if you see a whole string of addresses, it's probably a fake. No reputable company will send a mass email alerting you to an account issue. Mass emails can be entirely legitimate in other cases (University-wide announcements), so always consider all points of the email when evaluating its validity.
- Note the address in the link you are asked to click. Google docs? I don't think so. In many cases, however, an email link will not be so glaringly fake, as it's linked text. In that case, move your mouse over the link (DO NOT CLICK IT) and note the address the link points to, shown in the lower corner of your email application or in a popup at the cursor. Any time a link goes somewhere other than the company in question (much like the From field in point 1), it's probably a fake.
- Look for other things that are out of place, like broken English or unusual terms. In our example, the English seems fine, but look at the signature for Penn State. What's that Aus about? Well that goes back to Australia again per the From address, so it seems our phisher doesn't know PSU doesn't have a branch campus in Australia.
While this example is very obviously a fake, others are much better crafted. The From field, for example, might not show the email address, but again, if you mouse over it you should be able to get the information. Different email clients will show mouse-over information in different places. Put the mouse over a link or name in a header, and you should see either a little popup with the address, or it might show up in the lower corner of the program in the status bar. Sometimes that is forged, however, so don't rely on just one item to decide if an email is valid or not; check everything. If any one thing seems odd or out of place, it's probably a fake.
- Check the To and From addresses as mentioned above
- Read the email language carefully. If the English seems rough or poorly worded, that's a warning sign
- Any email asking you to reply with any personal or account information is fake
- If an email asks you to click a link, check what the address of that link is. Look for seeming double addresses like http://some.thing.odd.jp/email.psu.edu/login as that's a clear fake. Don't gloss over the first part, read carefully!
- Any email that simply says something like "See attached" with no other information other than the attachment is probably a fake. Do NOT open suspect attachments as they are usually a virus triggered by opening them. (This means you should take care to not send emails that look like a fake by doing this yourself! Say something in your email about the purpose of the message and attachment so people don't just throw it away.)
- Email programs have an option to show all headers, view internet headers, or something of the like. While these can be hard to read, they contain valuable information for identifying fake emails. There will be a list of Received headers, the first (usually at the bottom) of which should indicate where it actually came from, regardless of a faked From address. In our above example, this is the Received header that clearly shows it was not sent from Penn State:
- If an email is talking about an account you don't even have (but I've never played Diablo III...) then it's a fake. Don't try to clear up a mistake, they are just phishing.
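
The From, To, link and Received checks from the list above can be scripted for a first-pass triage of a saved message. This is an added example, not part of the original article: it assumes a single-part HTML message, and `ORG`, `in_org`, `check`, the flag names and the sample message are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

ORG = "psu.edu"  # domain the message claims to come from

# Constructed sample (not a real message): every host and IP is a placeholder,
# except the link, which is the "double address" URL from the checklist above.
SAMPLE = """\
Received: from relay.sender.example (relay.sender.example [203.0.113.8])
\tby mx.psu.edu; Tue, 2 Jan 2024 10:00:05 -0500
Received: from pc.sender.example (pc.sender.example [203.0.113.7])
\tby relay.sender.example; Tue, 2 Jan 2024 10:00:01 -0500
From: "Penn State Help Desk" <helpdesk@sender.example>
To: undisclosed-recipients:;
Subject: Account issue
Content-Type: text/html

<p>Mailbox full. <a href="http://some.thing.odd.jp/email.psu.edu/login">Fix it</a></p>
"""

def in_org(host, org=ORG):
    """True only for the org domain itself or a subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == org or host.endswith("." + org)

def check(raw, org=ORG):
    """Return the list of warning signs found in a raw RFC 5322 message."""
    msg = message_from_string(raw)
    flags = []
    addr = parseaddr(msg.get("From", ""))[1]
    if not in_org(addr.rpartition("@")[2], org):
        flags.append("from-domain")
    to = msg.get("To", "").lower()
    if "undisclosed" in to or to.count("@") > 1:
        flags.append("mass-recipients")
    for url in re.findall(r'href="([^"]+)"', msg.get_payload()):
        u = urlparse(url)
        if not in_org(u.hostname, org):
            # Org name after the real host is the "double address" trick.
            flags.append("link-lookalike" if org in u.path.lower() else "link-offsite")
    # Each relay prepends its Received line, so the last one is the first hop.
    hops = msg.get_all("Received") or []
    first_hop = hops[-1].split() if hops else []
    if len(first_hop) > 1 and not in_org(first_hop[1], org):
        flags.append("received-origin")
    return flags

if __name__ == "__main__":
    print(check(SAMPLE))
```

As the article says, no single flag is decisive; a legitimate University-wide announcement would still raise `mass-recipients`.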