Spotting Phishing, Both Real and "Imagined"
Here is some helpful advice for spotting both real phishing and the exams that your employer may use to try to trick you. Don't help your own company build a case against you!
Trick #1: Letter Swaps in the Email Domain
It may seem obvious to you, but when you're going through emails, it's pretty easy to miss the subtle letter swaps in an email address: info@microsoft.com is probably a legitimate sender. info@mircosoft.com probably isn't.
Your email client also likely hides the sender address from you, preferring to show the display name, which can be whatever the sender wants it to be. The display name could be Microsoft Support while the sender is actually from mircosoft.com.
Phish Cutter Identifies Letter Swaps
Phish Cutter uses string distance to compare the sender's email domain to a list of trusted email domains. If the distance is close, but not exact, then it is likely that a letter swap is being used, and the email is likely a phish or a phish test.
Trick #2: Homoglyphs
A homoglyph is a single letter that at first glance may look like a different letter, for example salesforce.com vs. saiesforce.com. As with a letter swap, the differences can be very subtle and easily missed.
Another kind of homoglyph is a combination of two letters that look like a single letter, usually the letters r and n placed together to look like m. In fact, Microsoft recently reported a rash of phishing attempts from rnicrosoft.com.
As with letter swaps, attackers will use a legitimate-looking display name and put the homoglyph in the email domain name.
Phish Cutter Identifies Homoglyphs
As with letter swaps, string distance from a list of trusted email domains is a useful tool for identifying those close, but not exact, domains.
Trick #3: Urgency Language
It's not just "Act Now!" or "Penalties will be enforced." Yes, both attackers and tests will use that kind of language, but another form of urgency language is a reference to current events. For example, if there has been a big cyber security incident in the field, and then you get something telling you that you have to act now, double check that sender's address and look for the letter swap or homoglyph.
Companies that have announced layoffs have also been known to use job interviews as a form of urgency language in phishing exams. Again, use Phish Cutter to help identify the homoglyphs and letter swaps.
Phish Cutter Identifies Urgency Language
You can supply a list of words or phrases that Phish Cutter can find in the email subject and body.
Trick #4: Phish Test Headers
If your company runs phish tests, and it most likely does, then it also likely employs phish detection software to prevent phish from ever reaching your inbox. Enterprise email security and phish detection software has been known to block up to 99% of all phishing emails, so if they send you a phishing test, it will likely be blocked.
To get around this, phish testing software vendors will often put non-standard items in the email header as an instruction for the phish detection software to let it through to your inbox.
Popular headers include:
- x-threatsim-id
- x-phishtest
- x-phishme
- x-phish-crid
The headers are non-standard and may be vendor specific, so you may have to identify a test first, then examine the email headers to see what they use.
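The three mechanical checks described above (the letter-swap and homoglyph distance check from Tricks #1 and #2, and the test-header scan from Trick #4) can be put together in a few lines. The following is an added example, not Phish Cutter's own code; the trusted-domain list, the "rn" fold table, the distance threshold and the sample message are all assumptions.

```python
from email import message_from_string, policy
from email.utils import parseaddr
# Constructed trusted-domain list; replace with your own organisation's senders.
TRUSTED_DOMAINS = ("microsoft.com", "salesforce.com")
# Non-standard headers the page lists as phish-test bypass markers.
PHISH_TEST_HEADERS = ("x-threatsim-id", "x-phishtest", "x-phishme", "x-phish-crid")
# Letter pairs that read as one letter (assumed table); folded before measuring distance.
HOMOGLYPH_FOLDS = {"rn": "m"}

def levenshtein(a, b):
    """Edit distance (insert/delete/substitute), inlined to avoid a dependency."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def fold_homoglyphs(domain):
    """Collapse 'rn' to 'm' so rnicrosoft.com compares equal to microsoft.com."""
    for pair, single in HOMOGLYPH_FOLDS.items():
        domain = domain.replace(pair, single)
    return domain

def check_sender_domain(from_header, max_distance=2):
    """Flag a sender domain that is close to, but not exactly, a trusted one."""
    _, addr = parseaddr(str(from_header))  # the display name is deliberately ignored
    domain = addr.rpartition("@")[2].lower()
    report = {"domain": domain, "trusted": domain in TRUSTED_DOMAINS,
              "lookalike_of": None, "distance": None}
    if report["trusted"]:
        return report
    folded = fold_homoglyphs(domain)
    nearest = min(TRUSTED_DOMAINS, key=lambda t: levenshtein(folded, t))
    distance = levenshtein(folded, nearest)
    if distance <= max_distance:  # 0 after folding means a homoglyph match
        report.update(lookalike_of=nearest, distance=distance)
    return report

def analyze(raw_message):
    """Sender-domain check plus a scan for the vendor test headers."""
    msg = message_from_string(raw_message, policy=policy.default)
    report = check_sender_domain(msg.get("From", ""))
    report["test_headers"] = [h for h in PHISH_TEST_HEADERS if h in msg]
    return report

# Constructed sample message: homoglyph sender plus a vendor test header.
SAMPLE = ("From: Microsoft Support <info@rnicrosoft.com>\n"
          "X-PhishTest: campaign-0001\n\nSign in now to keep your access.\n")
```

Running analyze(SAMPLE) reports the sender as a lookalike of microsoft.com at distance 0 (the "rn" fold made it identical) and lists x-phishtest as a present test header; a lower max_distance reduces false positives against short trusted domains.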