How to spot a phishing email message - hover to uncover

Phishing emails are those emails that we all see on occasion that attempt to trick the recipient in to giving up some sensitive information such as login IDs and passwords, social security numbers, banking information, etc. Most of these emails have reached a level of sophistication that often makes it hard to identify them from the real thing. So how do we do it?

One thing all of these emails have in common is that somewhere in the email is a link that they want the recipient to click on.  The trick is in knowing where that link is going to take us. This is where “hover to uncover” comes into play.

Every link has two components, the label and the address. The label is the part you see and can be anything. The address is the underlying component that determines where the browser will go when the link is clicked. This is the part we need to uncover. To do that, simply hover the mouse cursor/pointer over the link without clicking. An info bubble will open and show the address.  In the following example we see a link that says “Click here," but when we hover over the link the uncovered address shows http://badguy.site.com.

phish1

If this link were in an email that seemed to come from the UNC Health Care Service Desk, the fact that the link didn’t point to an address that included unch.unc.edu would tell us this is a link we don’t want to click on. But what if the label showed http://helpdesk.unch.unc.edu instead of Click here? That would mean it’s safe right? Keep in mind that the label can say anything and it is the underlying address that is important. So again, if we hover to uncover, we see the following.

phish2

So even if the label says something that looks legitimate, the underlying address still goes to a different place, in this case http://stillabadguy.ru. Also keep in mind the important thing is not necessarily what the address points to, but rather what it doesn’t point to. If the email says it is from the UNCH Service Desk or another UNCH entity and the link doesn’t contain unch.unc.edu in the address, it isn’t a valid email.  Also be wary of links that are close but not quite. Smart phishers may construct links that include unc, unch, or some other similar element to make it look legit. 

The following is an example of a phishing campaign that was recently active in the UNCH email system. The label shows CLICK HERE. Hover-to-uncover shows http://unc-edu-edu.weebly.com. So while this link contains elements that include unc and edu, it does not contain the exact domain unch.unc.edu. Close, but no cigar. This would not be a legitimate link in the context of the email.

phish3

So just remember, taking a few extra seconds to hover to uncover before clicking on a link in an email can help you avoid getting caught in a phisher’s net. If you are still uncertain about the email, please contact the UNC HCS Service Desk at 984-974-4357.

Filed under: