Detecting and Combating Phishing | By Matthew Kafami

This article is from  Academic Trends in Digital Forensics edition, that you can download for free if you have an account on our website. 

Detecting and Combating Phishing

Introduction: Chances are you have seen phishing emails; you may have even been the victim of one. You know, the email claiming to be from your bank warning you that your account may have been compromised and requesting you verify your identity by providing your username, password, and answers to your security questions. Additionally, this email will more than likely contain a link to a webpage that looks identical to the site you are familiar with, with a similar layout, choice of text and font, and accurate logos. Do not enter your information. In fact, don’t even click on the link provided in the email without first performing the steps that follow.

Phishing – An Overview: Phishing is a common attack employed by hackers that focuses heavily on psychology by crafting messages that usually create a sense of urgency and stem from a place of authority. Attackers commonly use tools like the Social Engineering Toolkit to imitate an official webpage to make their malicious sites harder to distinguish, thus increasing the likelihood of success. These messages often look something like this:

Dear Valued Member,

Our records indicate the password for your bank account is about to expire, in which case your account will be frozen until proper identity verification can be provided at your local branch. Please use the secure link provided below to update your password and avoid your account being frozen.

Your Bank

The link provided in most of these emails will likely be a domain in one of two formats: domain squatting or a hijacked domain. A squatted domain is one that looks similar to a legitimate link. For example, instead of linking to, the link might show, with two instances of the letter “a”. The second letter “a” may go unnoticed if read fast enough with other priorities on your mind, like your bank account potentially being frozen because of an expired password. Hijacked links on the other hand are URLs that start completely different from whatever organization the attacker is attempting to mimic. This is usually due to hackers gaining administrative access to other sites and adding the necessary HTML, CSS, PHP, and or Javascript code to that compromised site in order to appear like the intended site. For example, a locally owned and operated florist’s website may have been compromised and now has a webpage with a URL like this:, where the primary domain is and /USBank/reset-password has been added as a subdirectory.

However, some, if not most, email services offer some way to change the text displayed on a link. For example, in Gmail there is an option to insert link a few icons to the right of the send button. Clicking this will summon a new window as seen below:

The Text to display option will be the only text visible when the link is added to the email, which means a hacker could potentially provide what appears to be a completely legitimate link that masks the malicious URL you will be directed to upon following the link.

Often, the page you will be directed to will include form boxes (the space in which you enter your responses) for the “old” or “current” password, your “new password” and another box to confirm that password. Some hackers even go so far as to replicate the password recovery page and include form boxes for your security questions, complete with dropdown menus and some of the most common questions from which to choose (i.e. mother’s maiden name, city of birth, first pet’s name, etc.) in an attempt to increase the success rate of the attack. An illustration of this can be seen below:



If the user misses all of the signs of phishing up to this point, Figure 5 shows the next web page in this hijacked site requesting the user update contact information, except the contact information being requested is highly suspect: a USAA Member Number (something a user should not be able to manipulate in any form from a legitimate bank), the user’s email password, Social Security Number, PIN, and card information. No contact form requests this information.

Reacting To Phishing Content: When you come across what you suspect to be phishing content, you need to react using a three-step process:

  1. Confirm – confirm the email is truly phishing content and is intended to be malicious.
  2. Report – report the malicious content to the organization being impersonated.
  3. Alert – alert the organization being impersonated to monitor your account for suspicious activity.

Confirm: As you saw in Figures 1-5, it is important to be able to discern legitimate emails from phishing content. Once you know how to detect phishing content, you need to know what to do if you receive an email from any organization or individual appearing to represent an organization that holds any of your personal, financial, or health related information, read the message completely. Look for typos and grammatical errors, most legitimate organizations will send correspondence that is free of error. Additionally, look at what, if anything, is being asked of you. Some organizations, in an effort to combat phishing, will simply alert you of an upcoming password expiration and prompt you to navigate to their website yourself to log in, rather than include a link within the message.

If a link is included in the message, you can display the actual address you will be directed to by hovering your cursor over the link. This display will appear in the lower left corner of your browser window. If the displayed text matches the link in the message, the likelihood of the message being legitimate increases. If you’re still not sure, you can click on the link and then start removing subdirectories from the URL. For example, the link will likely look like this: If you removed “password-reset” from the link and hit enter, a legitimate link should still display something that resembles something similar to organization’s official site. If you remove the “login” subdirectory, the “” link should definitely directly you to the official webpage. Often times, whether a dedicated domain or a hijacked domain, the base directory of a phishing site will be a basic HTML page with links to the actual phishing content, and look nothing like the organization’s official page.

If you’re still not sure, you can take the link and drop it through a search bar in a site like, you can reference information such as the owner’s contact information, registration date, and geographical location information to help determine whether the link is legitimate. Official domains will usually show as having locations similar to that of the organization’s headquarters and some sort of owner’s information. Malicious URLs will usually hide the owner’s information and will also have a noticeably shorter registration date.

If you’re still not entirely sure after having taken all these steps, take the initiative to contact whichever organization is requesting information from you to verify the correspondence is legitimate. For example, if you’ve received a legitimate email from a bank, that bank will more than likely be able to check your account in their system and confirm whatever the email is claiming. If it turns out that the organization has no record of whatever the email is claiming, they may be able to help give some direction on which actions to take.

It is especially important to note that if you do happen to become a victim of phishing, you may need to update security settings on more accounts than just the account that was compromised, as people are creatures of habit and you have likely used the same security credentials across several accounts.

Report: This next step is crucial to helping prevent others fall victim to the same phishing content sent to you; report it. Most email service providers have an easy way to report email addresses being used to spread phishing content. For example, within the message itself in Gmail, there is a button composed of 3 dots to the far right of the email header. Clicking on this will provide a dropdown menu with an option to report phishing. A new window will appear to confirm that you want to report the email as phishing, at which time the message will be sent to Google for review.

You can also report the malicious link in an effort to have the content removed by using tools like to obtain contact information for the hosting provider and domain registrar, which both more than likely have an abuse contact email address dedicated to accepting reports of malicious and illegal content from people like yourself. In the case of hijacked sites, you might even go so far as to reach out to the site’s owner (if their contact information is not protected by an anonymity service such as WhoIsGuard) and let them know their site has been hijacked.

Alert: Alert the organization being impersonated. This will let the organization know to monitor your account for suspicious activity and keep you informed of any anomalies. Also, if you receive an email looking for such detailed information, it’s likely that others have received the same malicious requests. Alerting the organization often helps prevent more than just you from being at risk of compromise. Most organizations will have a security team monitoring for suspicious activity as well as compromised credentials using sites like PasteBin and HaveIBeenPwned, websites where compromised credentials usually end up.

Conclusion: Using the information gained from this article you now have a better idea of how hackers attempt to gain access to your account information, how to react to such attempts, and how to verify the content’s legitimacy. Additionally, you now have the resources necessary to help prevent others from becoming victims of the same attack by reporting the content in an attempt to have it removed.

Did you liked the article? If you want to read more similar digital forensics academic papers check the full free edition:

Academic Trends in Digital Forensics >>

Related Magazine

May 14, 2019

Leave a Reply


This site uses Akismet to reduce spam. Learn how your comment data is processed.

Notify of
© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013