In this article we focus on basic email analysis: examining what we actually see after opening an email. Let's go through this analysis and look for suspicious flags.
We are going to analyze this email, which feels fishy at first glance.
After looking at it for a minute, a few things will definitely cross your mind, like the $90 reward for a survey and the organization name, Online Shopper, which does not resemble any popular or known survey organization. That makes it obvious that we should look for more evidence, so let's look more closely.
The image below displays some headers: Subject, Sender Address, Receiver Address and Reply-To Address.

If you look at this image you might see a 2nd subject with "Re:". Before we move further, let me give you the context of what it actually means. "Re:" is used when you reply to a message in an already established conversation, and here it is there to make the email look more trustworthy. We can also notice that there is no space after "Re:", which is unusual because services like Gmail and Outlook add one automatically when you click the reply button. Here it is clearly a social engineering trick, because the email does not look like a reply at all; the prefix might be used to increase open rates and bypass suspicion.
If we move to the other headers we can see three different addresses. One is of course our own email address, the receiver's address. The other two are the sender's address and the Reply-To address. It is pretty interesting that one address is used to send the mail and a different one to receive replies, together with "Re:" to suggest an established conversation.
The addresses used as the sender's address and the Reply-To address also seem suspicious: the domain name is "protmanch.com", which does not look like any trusted domain or even the organization's domain, and the user name "nojiy" seems completely random for an official email.
Now let's come to the body of this email.

The entire body of this email is a single image with embedded text and a URL. This can bypass spam filters, avoid text scanning and easily hide malicious wording from detection systems.
If you hover over the "Start Now" button you will see this URL in the bottom left of your screen.

Looking at the URL, you can tell that it has been shortened to hide the actual URL, which is not common for legitimate organizations to do.
Now let's break down the psychological aspect of this email, which is really important since this is a social engineering attack that directly targets human psychology.

We can see "Notice" in big, bold letters to catch your attention, followed by the notice itself: "Last day to claim your exclusive reward". The focus on "Last day" creates a sense of urgency to claim the reward since you have limited time, and "exclusive" is there to make you feel special, as if the reward is available only to you.
Next we see an invitation to take part in a survey, and to lure you further you are promised a reward worth over $90, which is pretty insane compared to what it asks you to do: a survey. Too big a reward for a simple task is a classic phishing tactic.
We can also see a small unsubscribe note and a physical address, "6130 W Flamingo Rd Las Vegas, NV 89103". If you do analysis regularly and see many phishing emails, this address might ring a bell. It is a pretty commonly used address in phishing emails; a lot of spam and auto-generated mails contain this physical address.
What we noticed so far:
- Suspicious sender address
- Different "Reply-To" address
- Fake "Re:" subject trick
- Missing spacing in subject
- Artificial urgency
- Generic branding "Online Shopper"
- Image-heavy email
- Shortened URL
- Unrealistic reward promise
- Suspicious physical address
- Tiny unsubscribe text
If we summarize everything we noticed and add up the evidence, it is pretty obvious that this is a phishing email.
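
The header and body checks from the list above can be automated for triage. The following is an added example, not part of the original analysis: the sample message, its addresses and the shortener list are constructed, and the threading-header check goes one step beyond the article by confirming whether a "Re:" subject actually belongs to a conversation.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Assumed shortener list for illustration; extend it for your environment.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}

def triage(raw):
    """Return the indicators from the article that appear in a raw message."""
    msg = message_from_string(raw, policy=policy.default)
    flags = []
    subject = str(msg["Subject"] or "")
    sender = parseaddr(str(msg["From"] or ""))[1].lower()
    reply_to = parseaddr(str(msg["Reply-To"] or ""))[1].lower()
    if reply_to and reply_to != sender:
        flags.append("reply-to differs from sender")
    if re.match(r"(?i)re:", subject):
        if not re.match(r"(?i)re: ", subject):
            flags.append("no space after Re:")
        # Beyond the article: a genuine reply carries threading headers.
        if not (msg["In-Reply-To"] or msg["References"]):
            flags.append("Re: subject without threading headers")
    html = msg.get_body(preferencelist=("html",))
    if html is not None:
        body = html.get_content()
        # Text left after removing tags and whitespace; near zero means image-only.
        text = re.sub(r"\s+", "", re.sub(r"<[^>]+>", "", body))
        if "<img" in body.lower() and len(text) < 20:
            flags.append("image-only body")
        for host in re.findall(r'(?i)href=["\']https?://([^/"\':]+)', body):
            if host.lower() in SHORTENERS:
                flags.append("shortened URL: " + host.lower())
    return flags

# Constructed sample modelled on the email described above (all values made up).
SAMPLE = """\
From: Online Shopper <sender@mailer.example>
Reply-To: replies@other.example
To: recipient@example.org
Subject: Re:Last day to claim your exclusive reward
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><a href="https://bit.ly/xxxxxxx"><img src="cid:offer"></a></body></html>
"""

if __name__ == "__main__":
    for flag in triage(SAMPLE):
        print("[!]", flag)
```

Each flag is a reason to look closer, not a verdict on its own; legitimate newsletters can also use image-heavy bodies and separate Reply-To addresses.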