Deconstruction of a spam phishing email

Unwanted spam and phishing emails are very common these days. While most go straight into the junk folder, some do get through. The NHS email system, one of the largest in the world, rejects around 10 million spam emails a day.

There are lots of sophisticated ways to inspect, understand and reject spam emails. Experts and automated systems inspect what are called the email headers. This is the routing and sender information, normally hidden from view, that mail servers use to direct and deliver an email to the correct mailbox. Much of it, such as the visible From address, is trivially forged and often is in spam emails; the parts added by your own provider's servers when the message arrives (the Received chain and any Authentication-Results line recording SPF, DKIM and DMARC checks) are not under the sender's control, but reading them correctly takes some experience. Inspecting and fully understanding this information is best left to IT experts.

However, there are other, simpler ways to inspect an email and give yourself some degree of confidence that it is fake.

We recently received an example of a spam/phishing-style email, shown in the screenshot below. It is closer to spam than to targeted phishing, but it is an attempt at fraud nonetheless. It is not a terribly sophisticated email, but it gives a general example of what to look for.

There are a number of things to be wary of. First, the general sparseness of the email, with very little specific information: in particular the lack of a car registration number and of a fully defined location for the offence. A genuine penalty notice has to identify the vehicle and the place, because that is how the recipient is meant to check it.

Using an online service such as EasyWhoIs you can view a subset of the information about who registered a domain name. There are many similar services available. Viewing this information may give further insight into whether the domain is owned by a legitimate organisation. A lot of the registrant details in domain registration records are hidden for privacy reasons, which hinders you from seeing much of the useful information; the registration dates, however, are usually still published.

However the records for this particular domain show this:
Updated Date: 21-apr-2016
Creation Date: 21-apr-2016
Expiration Date: 21-apr-2018

As you can see, the creation date is AFTER the date of the supposed parking offence. That is not an impossible sequence of events (a company could move to a new domain), but combined with the other factors it adds to the doubt about the legitimacy of the email. A domain that is only days or weeks old at the time the email arrives is itself a warning sign, as fraudulent domains tend to be registered shortly before use and abandoned soon after.
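The date comparison above can be automated. The following is an added example, not code from the original post: it parses the date lines of a WHOIS record (the three lines quoted above are embedded as the sample record) and compares the creation date with the date the email claims the offence happened and the date the email arrived. The post does not give those two dates, so the ones used in the usage block are assumed placeholders.

```python
"""Domain-age check for a link in a suspicious email (added example)."""
import re
from datetime import date, datetime

# Constructed input: the three WHOIS lines quoted in the post, in the
# dd-mon-yyyy style some registrars use. A real record has many more lines.
WHOIS_RECORD = """\
Updated Date: 21-apr-2016
Creation Date: 21-apr-2016
Expiration Date: 21-apr-2018
"""

# Registrars label and format these lines inconsistently, so match the
# keyword loosely and try several date formats.
_FIELDS = {
    "created": re.compile(r"^\s*(?:creation date|created on|created)\s*:\s*(\S+)", re.I | re.M),
    "updated": re.compile(r"^\s*(?:updated date|last updated|updated)\s*:\s*(\S+)", re.I | re.M),
    "expires": re.compile(r"^\s*(?:registry expiry date|expiration date|expiry date|expires on)\s*:\s*(\S+)", re.I | re.M),
}
_DATE_FORMATS = ("%d-%b-%Y", "%Y-%m-%d", "%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ")


def _parse_date(token):
    """Try each known WHOIS date format; return a date or None."""
    for fmt in _DATE_FORMATS:
        try:
            return datetime.strptime(token, fmt).date()
        except ValueError:
            continue
    return None


def parse_whois_dates(record):
    """Return a dict of the created/updated/expires dates found in a WHOIS text.
    Fields that are missing, redacted or unparseable are simply absent."""
    out = {}
    for key, pattern in _FIELDS.items():
        m = pattern.search(record)
        if m:
            d = _parse_date(m.group(1))
            if d is not None:
                out[key] = d
    return out


def _as_date(value):
    """Accept a date object or an ISO yyyy-mm-dd string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def assess_domain_age(record, claimed_event, received, min_age_days=30):
    """Compare the domain's creation date with the date the email claims an
    event happened (claimed_event) and the date the email arrived (received).
    Returns a list of human-readable findings; an empty list means nothing odd."""
    claimed_event, received = _as_date(claimed_event), _as_date(received)
    created = parse_whois_dates(record).get("created")
    findings = []
    if created is None:
        findings.append("no parseable creation date (record may be privacy-redacted)")
        return findings
    if created > claimed_event:
        findings.append(f"domain created {created}, AFTER the claimed event on {claimed_event}")
    age_days = (received - created).days
    if age_days < min_age_days:
        findings.append(f"domain was only {age_days} days old when the email arrived")
    return findings


if __name__ == "__main__":
    # Hypothetical offence and receipt dates: the post does not give them.
    for finding in assess_domain_age(WHOIS_RECORD, "2016-03-01", "2016-05-01"):
        print(finding)
```

The record text would normally come from a WHOIS or RDAP lookup of the link's domain; the check deliberately treats a missing creation date as a finding rather than silently passing, because a fully redacted record tells you nothing either way.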

The use of an IP address in the web link, as opposed to a domain name, is very suspicious. There is no good reason for a legitimate company to send its customers a link to a bare IP address; doing so bypasses the domain name that would otherwise identify the company, and it is a common sign of a link pointing at a compromised or throwaway server.

When I hover my mouse over the URL link shown on screen, the little pop-up window shows that the underlying link (the one I would be sent to had I clicked on it) is different from the one shown on screen. Again, this is very odd and something to be suspicious of: the text of a link is just a label, and it can say anything the sender likes.
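Both link checks described above, the bare IP address as the host and the visible text not matching the real destination, can be run over the HTML body of an email rather than by hovering. The following is an added example, not code from the original post; the email body it parses is constructed for the example (the IP address is from a reserved documentation range and the domain names are hypothetical), since the post's screenshot is not reproduced here.

```python
"""Flag IP-literal and look-alike links in an HTML email body (added example)."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body: one link whose label is a URL but whose real
# destination is a bare IP address, and one honest link for comparison.
SAMPLE_HTML = """
<p>Your vehicle was recorded committing a parking offence.</p>
<p>View and pay the notice:
<a href="http://203.0.113.45/pay/notice">http://www.parking-notice.example/notice</a></p>
<p><a href="https://www.parking-notice.example/terms">Terms and conditions</a></p>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lower-cased host part of a URL; tolerates a missing scheme (www.x.y)."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def _is_ip_literal(host):
    """True when the host is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _looks_like_url(text):
    t = text.strip().lower()
    return t.startswith(("http://", "https://", "www."))


def check_links(html):
    """Return a list of (kind, href, visible_text) findings for the body.
    kind is 'ip_literal_host' or 'display_mismatch'."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        target_host = _host(href)
        if _is_ip_literal(target_host):
            findings.append(("ip_literal_host", href, text))
        # A label that is itself a URL must point at the host it names.
        if _looks_like_url(text) and _host(text) != target_host:
            findings.append(("display_mismatch", href, text))
    return findings


if __name__ == "__main__":
    for kind, href, text in check_links(SAMPLE_HTML):
        print(f"{kind}: shown as {text!r}, actually {href}")
```

The display-mismatch check compares hosts rather than whole URLs so that a label such as www.example.com linking to https://www.example.com/login is not flagged; only a label naming one host while the link goes to another is reported.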

So while this is a fairly crude example of a spam email, you can see that combining a series of small pieces of information can give you a reasonable degree of confidence that the email is unlikely to be genuine.

If you have any other examples of spam or further thoughts then please leave your comments below.