**''see last modified date at base of all pages''**

{{:opencart_-_logo-268x50.png?nolink&200|}}

===== CLNT - EMAIL - SEC - How to check if an email is legit or phishing =====

----

**Audience:** End users and admins.\\
**Purpose:** Help you decide if an email is legitimate in under 60 seconds.\\
**Updated:** 2025

----

===== THINK … (before you click) =====

  * **Are you expecting anything** right now?
  * **Are you expecting anything from these people/company**?
  * If the email mentions **domains/hosting/billing**, ask: //who is my real provider?// If it is **not** the sender, it is likely **phishing**.
  * If it asks you to **click**, **hover** your mouse over the button/link first: your mail app shows the **actual URL**, which may differ from the text of the link.
  * Want more certainty? In **Outlook (desktop)**: **File → Properties → Internet headers**. Check the true **From**/**Return-Path** and the authentication results (SPF/DKIM/DMARC). They must match the brand you expect.
  * **Geo note:** Country/TLD is only a **weak signal**; attackers use any country and many generic TLDs. Treat geo as a reason for **extra scrutiny**, not as a blocker.

----

===== Quick Email Legitimacy Checklist (Updated) =====

**Stop now if any are true:** asks for passwords/2FA, urgent payment/bank-detail changes, gift cards/crypto, remote access, or you didn’t expect it.

**1) Sender**
  - Name matches someone you know or a real department.
  - Email **address** matches the real domain (no look-alikes such as ''rnicrosoft.com'', where ''rn'' imitates ''m'').
  - **Reply-To** is the same as **From**.

**2) Context**
  - Am I **expecting anything** right now?
  - Am I **expecting anything from these people/company**?
  - You were expecting this email (invoice, file, delivery, password reset).
  - You actually have an account/relationship with the company named.

**3) Links**
  - Hover shows the **same brand domain** (e.g., ''https://accounts.google.com/...'').
  - No link shorteners (bit.ly, tinyurl) or random strings.
  - No QR codes you’re being pushed to scan.
**4) Attachments**
  - You expected an attachment from this sender.
  - Avoid risky types: ''.exe .js .scr .bat .ps1 .vbs .iso .img .zip .html .htm''
  - Legitimate Office/PDF files do **not** ask you to “Enable Content/Macros”; a document that does is a red flag.

**5) Language & look**
  - Uses your correct name and specific details you recognise.
  - No odd grammar, threats, or too-good-to-be-true offers.
  - Branding looks right (logos not blurry; footer/legal normal).

**6) Client warnings**
  - No “External sender” or “Failed authentication (SPF/DKIM/DMARC)” banners.
  - Not flagged by your mail client as suspicious.

**7) Verify safely (don’t use email links)**
  - Open the website/app yourself from a **saved bookmark** or by **typing** the address.
  - Call/message the sender on a **known** number/channel to confirm.
  - For payments/bank changes: do a **voice check** with your contact.

**8) If suspicious**
  - Don’t click, don’t reply, don’t forward (except to IT/security).
  - Use **Report phishing** in your mail app, then delete.
  - If you clicked or entered details: **change password**, enable **MFA**, inform IT/bank, run a malware scan.
  - Optional: forward to **reportphishing@apwg.org**.
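As an added example (not code from this page or from any product it mentions), the Python script below applies the Sender, Links, Attachments and Client-warning checks of the checklist to a raw ''.eml'' message: it compares the From and Reply-To domains with the brand you expected, undoes common look-alike glyph swaps such as ''rn'' for ''m'', reads the Authentication-Results header for SPF/DKIM/DMARC failures, checks the host of every link against the brand domain, and flags risky attachment extensions. The sample message, the brand domain and the finding names are constructed for this example; the Authentication-Results header is added by your own mail gateway, so its exact wording varies between providers.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr
SAMPLE_EML = b"""From: Microsoft Support <alerts@rnicrosoft.com>
Reply-To: helpdesk@mail-verify.example
Authentication-Results: mx.example; spf=fail; dkim=none; dmarc=fail
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

Your account is locked. <a href="https://bit.ly/3abc">Verify now</a>
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice.pdf.exe"

--b1--
"""  # constructed sample message, not from the page: every check below should fire on it
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
RISKY_EXT = (".exe", ".js", ".scr", ".bat", ".ps1", ".vbs", ".iso", ".img", ".zip", ".html", ".htm")
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]  # common look-alike glyph swaps
def domain_of(header):  # bare domain of the first address in a header, "" if absent
    return parseaddr(str(header or ""))[1].rpartition("@")[2].lower()
def same_org(host, brand):  # the brand domain itself or one of its subdomains
    return host == brand or host.endswith("." + brand)
def looks_like(domain, brand):  # undoing the glyph swaps turns this domain into the brand
    for bad, good in CONFUSABLES:
        domain = domain.replace(bad, good)
    return domain == brand
def triage(raw, brand):  # apply the checklist; returns the sorted list of findings
    msg = message_from_bytes(raw, policy=policy.default)
    frm, rto = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    flags = set()
    if not same_org(frm, brand):  # 1) Sender: address must belong to the real domain
        flags.add("lookalike-from" if looks_like(frm, brand) else "sender-domain-mismatch")
    if rto and rto != frm:  # 1) Sender: Reply-To must match From
        flags.add("replyto-mismatch")
    auth = str(msg["Authentication-Results"] or "").lower()  # 6) SPF/DKIM/DMARC results
    if any(f"{m}=fail" in auth for m in ("spf", "dkim", "dmarc")):
        flags.add("auth-fail")
    body = msg.get_body(preferencelist=("html", "plain"))  # 3) Links: target host vs brand
    for host in re.findall(r"https?://([^/\s\"'>]+)", body.get_content() if body else ""):
        if host.lower() in SHORTENERS:
            flags.add("shortener")
        elif not same_org(host.lower(), brand):
            flags.add("link-domain-mismatch")
    for part in msg.iter_attachments():  # 4) Attachments: risky types and double extensions
        if (part.get_filename() or "").lower().endswith(RISKY_EXT):
            flags.add("risky-attachment")
    return sorted(flags)
```

Running ''triage(SAMPLE_EML, "microsoft.com")'' reports every finding for the sample, while a clean message from the expected domain with passing authentication results returns an empty list.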
----

===== Visual Example (hover reveals mismatched domain) =====

{{:picture1.png?400|}}

----

===== Country & ccTLD Reference (weak signal only) =====

^ ISO ^ Country ^ ccTLD ^
| AF | Afghanistan | .af |
| AL | Albania | .al |
| AM | Armenia | .am |
| AO | Angola | .ao |
| AZ | Azerbaijan | .az |
| BA | Bosnia and Herzegovina | .ba |
| BD | Bangladesh | .bd |
| BF | Burkina Faso | .bf |
| BG | Bulgaria | .bg |
| BH | Bahrain | .bh |
| BI | Burundi | .bi |
| BJ | Benin | .bj |
| BM | Bermuda | .bm |
| BN | Brunei | .bn |
| BO | Bolivia | .bo |
| BS | Bahamas | .bs |
| BT | Bhutan | .bt |
| BY | Belarus | .by |
| BZ | Belize | .bz |
| CD | Congo (Democratic Republic) | .cd |
| CF | Central African Republic | .cf |
| CG | Congo (Republic) | .cg |
| CI | Côte d’Ivoire | .ci |
| CL | Chile | .cl |
| CN | China | .cn |
| CO | Colombia | .co |
| CR | Costa Rica | .cr |
| CU | Cuba | .cu |
| CV | Cabo Verde | .cv |
| CY | Cyprus | .cy |
| CZ | Czechia | .cz |
| DJ | Djibouti | .dj |
| DM | Dominica | .dm |
| DO | Dominican Republic | .do |
| DZ | Algeria | .dz |
| EC | Ecuador | .ec |
| EE | Estonia | .ee |
| ER | Eritrea | .er |
| ET | Ethiopia | .et |
| GA | Gabon | .ga |
| GD | Grenada | .gd |
| GE | Georgia | .ge |
| GH | Ghana | .gh |
| GM | Gambia | .gm |
| GN | Guinea | .gn |
| GQ | Equatorial Guinea | .gq |
| GT | Guatemala | .gt |
| GW | Guinea-Bissau | .gw |
| GY | Guyana | .gy |
| HN | Honduras | .hn |
| HR | Croatia | .hr |
| HT | Haiti | .ht |
| HU | Hungary | .hu |
| IN | India | .in |
| IQ | Iraq | .iq |
| IR | Iran | .ir |
| JM | Jamaica | .jm |
| JO | Jordan | .jo |
| JP | Japan | .jp |
| KE | Kenya | .ke |
| KG | Kyrgyzstan | .kg |
| KH | Cambodia | .kh |
| KI | Kiribati | .ki |
| KM | Comoros | .km |
| KN | Saint Kitts and Nevis | .kn |
| KP | North Korea | .kp |
| KR | South Korea | .kr |
| KW | Kuwait | .kw |
| KZ | Kazakhstan | .kz |
| LA | Laos | .la |
| LB | Lebanon | .lb |
| LC | Saint Lucia | .lc |
| LK | Sri Lanka | .lk |
| LR | Liberia | .lr |
| LS | Lesotho | .ls |
| LT | Lithuania | .lt |
| LV | Latvia | .lv |
| LY | Libya | .ly |
| MD | Moldova | .md |
| MG | Madagascar | .mg |
| MK | North Macedonia | .mk |
| ML | Mali | .ml |
| MM | Myanmar | .mm |
| MN | Mongolia | .mn |
| MR | Mauritania | .mr |
| MT | Malta | .mt |
| MU | Mauritius | .mu |
| MW | Malawi | .mw |
| MX | Mexico | .mx |
| MY | Malaysia | .my |
| NE | Niger | .ne |
| NG | Nigeria | .ng |
| NI | Nicaragua | .ni |
| NP | Nepal | .np |
| OM | Oman | .om |
| PA | Panama | .pa |
| PE | Peru | .pe |
| PG | Papua New Guinea | .pg |
| PK | Pakistan | .pk |
| PL | Poland | .pl |
| PR | Puerto Rico | .pr |
| PS | Palestine | .ps |
| PW | Palau | .pw |
| PY | Paraguay | .py |
| QA | Qatar | .qa |
| RO | Romania | .ro |
| RS | Serbia | .rs |
| RU | Russia | .ru |
| RW | Rwanda | .rw |
| SA | Saudi Arabia | .sa |
| SB | Solomon Islands | .sb |
| SC | Seychelles | .sc |
| SD | Sudan | .sd |
| SG | Singapore | .sg |
| SI | Slovenia | .si |
| SK | Slovakia | .sk |
| SL | Sierra Leone | .sl |
| SM | San Marino | .sm |
| SN | Senegal | .sn |
| SO | Somalia | .so |
| SR | Suriname | .sr |
| SS | South Sudan | .ss |
| ST | São Tomé and Príncipe | .st |
| SV | El Salvador | .sv |
| SY | Syria | .sy |
| SZ | Eswatini | .sz |
| TJ | Tajikistan | .tj |
| TL | Timor-Leste | .tl |
| TM | Turkmenistan | .tm |
| TN | Tunisia | .tn |
| TO | Tonga | .to |
| TT | Trinidad and Tobago | .tt |
| TV | Tuvalu | .tv |
| TW | Taiwan | .tw |
| TZ | Tanzania | .tz |
| UA | Ukraine | .ua |
| UG | Uganda | .ug |
| UZ | Uzbekistan | .uz |
| VC | Saint Vincent and the Grenadines | .vc |
| VE | Venezuela | .ve |
| VG | Virgin Islands (British) | .vg |
| VI | Virgin Islands (U.S.) | .vi |
| VN | Vietnam | .vn |
| WS | Samoa | .ws |
| YE | Yemen | .ye |
| YU | Yugoslavia | .yu |
| ZA | South Africa | .za |
| ZM | Zambia | .zm |
| ZW | Zimbabwe | .zw |
| AX | Åland Islands | .ax |
| FO | Faroe Islands | .fo |
| GI | Gibraltar | .gi |
| GL | Greenland | .gl |
| GG | Guernsey | .gg |
| JE | Jersey | .je |
| MF | Saint Martin (French part) | .mf |
| MQ | Martinique | .mq |
| RE | Réunion | .re |
| SX | Sint Maarten (Dutch part) | .sx |
| SH | Saint Helena, Ascension and Tristan da Cunha | .sh |
| PM | Saint Pierre and Miquelon | .pm |
| TF | French Southern and Antarctic Lands | .tf |
| WF | Wallis and Futuna | .wf |

**Notes:** //.yu// (Yugoslavia) = **retired**.\\
//.mf// (Saint Martin, FR) = **reserved/not generally in operation**.\\
**Reminder:** ccTLD/country is a **weak** indicator. Always prioritise **SPF/DKIM/DMARC**, link/attachment analysis, sender reputation, and business context.

----

====== WHAT TO DO If You Clicked — And If You Entered Info ======

**Audience:** End users (with quick admin notes).\\
**Goal:** Fast, idiot-proof actions that limit damage.\\
**Use when:** You clicked a suspicious link OR you entered details on a fake site.

----

===== 0) TL;DR =====

  * If you only **clicked**: **Disconnect** → **Close browser** → **Clear data** → **Scan device** → **Change passwords** (if prompted/logged in). **Report it**.
  * If you **entered any info**: **Change that password NOW (from a different device)** → **Enable/confirm MFA** → **Sign out of all sessions** → **Remove risky mail rules / app tokens** → **Notify bank/IT** → **Report it**.

----

===== 1) Scenario A — Clicked the link, did NOT enter anything =====

**Within 10 minutes**
  - Disconnect from the internet (Wi-Fi off / Airplane mode) if anything started to download.
  - Close the tab/app. If it won’t close, reboot.
  - **Clear only the phishing site’s data**:
    * Chrome/Edge: Menu → Settings → Privacy → Cookies & Site Data → **See all site data** → search the domain → Remove.
    * Safari (iOS/macOS): Settings/Preferences → Safari → Advanced → Website Data → search → Remove.
  - Delete any **downloaded** file (especially ''.zip .exe .js .scr .bat .ps1 .html .iso .img'') without opening it.

**Within 1 hour**
  - Run a security scan:
    * **Windows:** //Windows Security// → Virus & threat protection → **Scan options → Microsoft Defender Offline scan**.
    * **macOS:** Update macOS, then run a full scan if you have reputable AV.
    * **Android:** Play Store → Play Protect → **Scan**.
    * **iOS/iPadOS:** Update iOS; Settings → General → **VPN & Device Management** → remove unknown profiles.
  - If that browser was already **logged in** to email/banking, change those passwords as a precaution.

**Report**
  - Use **Report phishing** in your mail app and send the message to IT/security.
  - Optional public reporting: **[[https://www.scamwatch.gov.au/|ACCC Scamwatch]]**, **[[https://www.cyber.gov.au/report-and-recover/report|ReportCyber (ACSC)]]**, **reportphishing@apwg.org**.

----

===== 2) Scenario B — You entered info on the phishing site =====

Do **all** applicable items below, in this order.

**A) If you entered your work or personal account password**
  - From a **different, clean device**, change the password **immediately**.
  - Turn **MFA on** (or re-enrol a fresh MFA method).
  - **Sign out everywhere**:
    * Google: myaccount.google.com → Security → **Manage all devices** → Sign out of unrecognised devices; **Third-party access** → Remove unknown apps.
    * Microsoft 365: myaccount.microsoft.com → Security info → **Sign out everywhere**; **Apps & services** → Remove unknown OAuth grants.
  - Check **mail rules** and **forwarding**:
    * Look for auto-forward to unknown addresses, reply-to changes, or auto-delete rules. Remove anything suspicious.
**B) If you entered card or banking info**
  - Call your bank immediately (use the number on the card/official app) → **block the card** and **dispute** any charges.
  - Turn on transaction alerts. Consider a **temporary credit ban/freeze** with AU credit bureaus (Equifax, illion, Experian).

**C) If you entered ID documents (driver’s licence, passport, Medicare)**
  - Contact the issuing authority to **flag** or **replace** the document number (as per their policy).
  - Get identity assistance: **[[https://www.idcare.org/|IDCARE]]** (AU/NZ identity support).

**D) If you installed anything or accepted an extension**
  - Uninstall the app/extension. Reboot.
  - Run the scans listed in //Scenario A// (Defender Offline etc.).
  - For managed work devices: **isolate** the device and notify IT to run full EDR scans.

**E) Tell IT/Security (work accounts)**
  - Send the original email (as an attachment if possible) and include: your username, time clicked, data typed, files downloaded, current device state.
  - Expect IT to: force password resets, revoke sessions/tokens, check mail rules, scan hosts, and monitor sign-ins.

----

===== 3) What NOT to do =====

  - Don’t keep browsing the phishing site “to look around.”
  - Don’t reply to the attacker or use links/phone numbers provided in the email.
  - Don’t reuse the compromised password anywhere else.

----

===== 4) Aftercare (next 24–72 hours) =====

  - Watch your inbox for password-reset emails you didn’t initiate.
  - Review recent account activity/sign-ins; enable **login alerts**.
  - For banking: monitor transactions; keep your case reference from support.
  - Consider a **security check-up** (Google/Microsoft account security pages).
----

===== 5) Optional: Template to report to IT =====

(see [[https://wanip.io|wanip.io]] for info below)

> **Subject:** Possible phishing — clicked/entered info
> **When:** YYYY-MM-DD HH:MM (local time)
> **From address of email:** (copy/paste)
> **Link hovered/visited:** (full URL)
> **What I did:** Clicked only / Entered password / Entered card# / Downloaded file (specify)
> **Device & OS:** (e.g., Windows 11 laptop)
> **Browser:** (e.g., Chrome)
> **Actions taken so far:** Disconnected, cleared site data, Defender Offline scan, changed password, enabled MFA, notified bank, etc.
> **Attachments:** Original email (.eml/.msg) and any screenshots.

----

===== 6) Quick Reference (one-minute flow) =====

  - Clicked? **Disconnect → Close → Clear site data → Scan → Report.**
  - Entered info? **Change password (other device) → Enable MFA → Sign out everywhere → Remove mail rules/OAuth apps → Notify bank/IT → Report.**