Anatomy of a Phishing Email

Somebody I know and don’t particularly like, but also don’t wish any ill upon, recently fell victim to a scam, and lost around $20,000. That angries up my blood, so I thought I’d go over what a typical phishing email looks like, and what you can do when you get one, using an example I recently received. I know this will probably be old hat for most of you, but it can’t hurt to have a refresher on the subject. So here we go:

Identifying a scam email

Let’s take a look at one I just received and point out the red flags:

Starting at the very top, we see that the return address ain't exactly American Airlines. It's not even in America; the domain sits under .sn, Senegal's country code. Keep in mind that the From address on an email is trivial to forge, so a scammer who wanted a little more verisimilitude could have made this one look like it came from American Airlines. That cuts both ways: a wrong address is a red flag, but a right-looking one proves nothing on its own, and the SPF/DKIM/DMARC results your mail provider records in the message headers are a better indicator. Here the scammer probably didn't bother, because they realize that some victims will simply reply to the email instead of following its links, so that address is likely real and being monitored by the scammer.

Next, we have “Dear valued customer.” This same email likely got sent to thousands of recipients, so personalization wasn’t an option. Keep in mind, though, that a lot of email lists circulating among scammers also contain user names, so it’s possible for a phishing email to look more personalized and legitimate.

Moving on, we have the grammar. It's not too bad in this one, probably because it was cobbled together from legitimate American Airlines emails. The fourth paragraph is a dead giveaway though: "You are receiving travel offers for flights departing from as it is selected as your preferred country of departure." That makes no sense in this context; this is an email purporting to confirm the purchase of a ticket. Incidentally, phishing emails may have bad grammar because most originate from overseas, and the scammers who write them often don't speak or write English as a first language. But there's also a well-known argument (Cormac Herley's 2012 paper "Why do Nigerian Scammers Say They are from Nigeria?") that the sloppiness is deliberate: an obviously crude pitch filters out skeptical recipients early, so the scammer spends their follow-up effort only on the victims they perceive to be the most gullible.

Finally, we have the links in the email, which are the real smoking guns. Emails almost always come in HTML format, and in HTML the text you see for a link and the address it actually opens are two separate things, so the visible text can claim anything. For example, this link doesn't actually go to The Avocado. Fortunately, pretty much all modern email clients will show a link's true destination if you hover your mouse over it (on a phone, a long press on the link usually does the same). Thunderbird, for example, shows it in the lower left corner of the email window:

The highlighted link, which purports to point to, actually points to, a page owned by the scammer. In fact, all links in this email go to the same destination, regardless of what the link claims.
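The hover check can be made systematic. The following is an added example, not code from the original post: it parses a raw email with Python's standard library and reports the three tells discussed above, a sender domain outside the brand's, a Reply-To that diverges from the From address, and links whose visible text claims one host while the href points at another. The message is a constructed sample, not the email I received, and aa.com is assumed here to be the brand's legitimate domain.

```python
import email
import email.utils
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message for this example; it is not the email from the post.
# The From domain is under a foreign ccTLD, the Reply-To goes somewhere else
# again, and the first link's visible text claims one destination while its
# href points at a different host. (aa.com is assumed to be the brand's real domain.)
SAMPLE_EMAIL = """\
From: "American Airlines" <reservations@aa-confirm.example.sn>
Reply-To: <refunds-desk@example.sn>
To: victim@example.com
Subject: Your ticket purchase confirmation
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear valued customer,</p>
<p>View your itinerary at
<a href="http://hijacked-site.example.net/aa/">https://www.aa.com/myaccount</a></p>
<p><a href="http://hijacked-site.example.net/aa/">Contact customer support</a></p>
<p>Thank you for flying with <a href="https://www.aa.com/">American Airlines</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def host_of(url):
    """Lower-cased host part of a URL, or '' if there is none."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def domain_of_address(header_value):
    """Domain of the mailbox in an address header, or '' if unparseable."""
    _name, mailbox = email.utils.parseaddr(str(header_value))
    return mailbox.rsplit("@", 1)[-1].lower() if "@" in mailbox else ""


def is_brand(host, brand_domains):
    """True if host is one of the brand's domains or a subdomain of one."""
    return any(host == b or host.endswith("." + b) for b in brand_domains)


def red_flags(raw_message, brand_domains):
    """Return a list of (kind, detail) red flags found in a raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    flags = []

    from_domain = domain_of_address(msg.get("From", ""))
    if from_domain and not is_brand(from_domain, brand_domains):
        tld = from_domain.rsplit(".", 1)[-1]
        flags.append(("sender", f"From domain {from_domain} (TLD .{tld}) is not a brand domain"))

    # A Reply-To that differs from From means replies land somewhere the sender chose.
    reply_domain = domain_of_address(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        flags.append(("reply-to", f"replies go to {reply_domain}, not {from_domain}"))

    body = msg.get_body(preferencelist=("html",))
    collector = LinkCollector()
    collector.feed(body.get_content() if body is not None else "")
    for href, text in collector.links:
        target = host_of(href)
        # Only treat the visible text as a claimed destination if it looks like a URL.
        claimed = host_of(text) if re.match(r"^(https?://|www\.)", text, re.I) else ""
        if claimed and claimed != target:
            flags.append(("link-mismatch", f"text shows {claimed} but href goes to {target}"))
        elif target and not is_brand(target, brand_domains):
            flags.append(("link-offbrand", f"'{text}' goes to {target}"))
    return flags


if __name__ == "__main__":
    for kind, detail in red_flags(SAMPLE_EMAIL, ("aa.com",)):
        print(f"{kind:14} {detail}")
```

Run against the sample, it reports the foreign sender domain, the divergent Reply-To, the link whose text says www.aa.com but whose href goes to the hijacked host, and the "Contact customer support" link that goes there too; the one link that really points at the brand is left alone. The same hover rule applies: the href decides, never the text.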

How the scam works

This email is almost certainly a refund scam. Refund scams try to convince the victim that some purchase was made with their credit card without their knowledge or consent. The victim calls the fake American Airlines customer support line, reads off the "client request number" (which means absolutely nothing), and the scammer tells them that some amount of money, usually in the hundreds of dollars, was charged to their bank account or credit card.

The scammer then walks the victim through a fake refund process. First they get the victim to install a remote access tool, like GoToMyPC. Next, they ask the victim to sign into their online banking. Since direct bank transfers can be traced and reversed, the scammer won't simply clean out the victim's accounts. Instead, they take control of the victim's PC, blank the screen so the victim can't see what's going on, and edit the web page being displayed (the numbers on the screen, not the real balance) so that it looks like they refunded the amount plus a whole lot more by accident. For example, if they say they owe the victim $400.00, they'll make it look like they accidentally refunded $4,000.00.

They then make a big stink about how they're going to lose their job over this mistake and try to guilt the victim into sending back the difference. If that doesn't work, they usually try to scare the victim by claiming that keeping the money is theft. Once the victim agrees to send the money, the scammer usually instructs them to buy the same dollar amount in gift cards, which are effectively untraceable and can be cashed in by the scammer online. To add insult to injury, the scammer often scrapes all the personal data they can find while they're on the PC, and may even install ransomware to squeeze the victim that much harder.

Two parts of that script are tells in their own right: no legitimate company's support line needs you to install remote access software to issue a refund, and no legitimate company asks to be paid in gift cards.

What you can do

The safest thing you can do with a phishing email like this is just delete it. Some email clients also have a spam report feature, though I don't know how effective it is at fighting spam. Many companies also publish an address for reporting phishing that impersonates them, which at least gets the email in front of someone who can act on it. It can be tempting to try to bait the scammer, but remember that if you do, you're confirming that your email address is live, which only invites more spam. NEVER click a link or open an attachment in a scam email! Treat everything in a phishing email as hostile.

If you’re feeling froggy, though, there are steps you can take to try to make the scammer’s life a little more difficult. Remember that link up above, the one that pointed We can use a tool called the ICANN domain lookup to see who owns Let’s go to (a valid link this time, I promise) and enter that domain name into it:

That’s not too terribly useful, but when we scroll down, we do get a few useful tidbits of information:

Now we have someone to complain to. In this case, it looks like is hosted by a company called TierraNet, and they’ve provided both an email address and phone number to report abuse. So I did just that, and the next day, I got this message in reply: is likely a valid but badly-secured webpage that got hijacked by scammers. Their webmaster is probably having a very bad day, but at least they’re no longer unwittingly helping scammers steal money. Will this put the scammer out of business? Probably not; they may have several hacked websites they use to run their scams. But it does at least make this scam that much more difficult to run, and everyone who received the same email I did is now much less likely to fall victim to it.
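The ICANN lookup page is a front end for RDAP, the JSON protocol that replaced WHOIS for registration data, and the "useful tidbits" it shows (registrar, abuse email and phone, name servers) can be pulled out of that JSON directly. The following is an added example, not code from the original post or any project: it walks an RDAP domain response and extracts every contact with the abuse role. The response below is a constructed sample in the RDAP shape, with made-up names under the reserved .example TLD; the real JSON for a domain comes from the registry's RDAP server, which ICANN lists in the IANA RDAP bootstrap registry.

```python
import json

# Constructed RDAP-style domain response (not real data). RDAP represents
# contacts as entities with a "roles" list and a jCard "vcardArray"; the
# abuse contact is usually nested inside the registrar entity.
SAMPLE_RDAP = json.loads("""
{
  "objectClassName": "domain",
  "ldhName": "hijacked-site.example",
  "status": ["client transfer prohibited"],
  "entities": [
    {
      "objectClassName": "entity",
      "roles": ["registrar"],
      "vcardArray": ["vcard", [
        ["version", {}, "text", "4.0"],
        ["fn", {}, "text", "Example Registrar, Inc."]
      ]],
      "entities": [
        {
          "objectClassName": "entity",
          "roles": ["abuse"],
          "vcardArray": ["vcard", [
            ["version", {}, "text", "4.0"],
            ["fn", {}, "text", "Abuse Desk"],
            ["email", {}, "text", "abuse@registrar.example"],
            ["tel", {"type": ["voice"]}, "uri", "tel:+1-555-010-0000"]
          ]]
        }
      ]
    },
    {
      "objectClassName": "entity",
      "roles": ["registrant"],
      "vcardArray": ["vcard", [
        ["version", {}, "text", "4.0"],
        ["fn", {}, "text", "REDACTED FOR PRIVACY"]
      ]]
    }
  ],
  "nameservers": [{"ldhName": "ns1.hosting.example"}, {"ldhName": "ns2.hosting.example"}]
}
""")


def iter_entities(obj):
    """Yield every entity in an RDAP object, descending into nested entities."""
    for ent in obj.get("entities", []):
        yield ent
        yield from iter_entities(ent)


def vcard_fields(entity):
    """Flatten an entity's jCard into {property_name: [values]}."""
    fields = {}
    _kind, props = entity.get("vcardArray") or ("vcard", [])
    for prop in props:
        name, _params, _valtype, value = prop[:4]
        fields.setdefault(name.lower(), []).append(value)
    return fields


def abuse_contacts(rdap):
    """Name, emails and phones of every entity carrying the 'abuse' role."""
    contacts = []
    for ent in iter_entities(rdap):
        if any(role.lower() == "abuse" for role in ent.get("roles", [])):
            f = vcard_fields(ent)
            contacts.append({
                "name": (f.get("fn") or [""])[0],
                "emails": f.get("email", []),
                "phones": [v.removeprefix("tel:") for v in f.get("tel", [])],
            })
    return contacts


def registrar_name(rdap):
    """Display name of the registrar entity, or '' if none is present."""
    for ent in iter_entities(rdap):
        if "registrar" in ent.get("roles", []):
            return (vcard_fields(ent).get("fn") or [""])[0]
    return ""


def nameservers(rdap):
    """Lower-cased name server hostnames; a hint at who operates the site's DNS."""
    return [ns.get("ldhName", "").lower() for ns in rdap.get("nameservers", [])]


if __name__ == "__main__":
    print("registrar:", registrar_name(SAMPLE_RDAP))
    for c in abuse_contacts(SAMPLE_RDAP):
        print("abuse contact:", c["name"], c["emails"], c["phones"])
    print("name servers:", nameservers(SAMPLE_RDAP))
```

One caveat when you use this for real: the domain lookup gives you the registrar's abuse desk, who can act on the domain. The company actually hosting the hijacked page is found separately, from an RDAP or WHOIS lookup on the site's IP address, and may or may not be the same outfit as the registrar. Reporting to both is cheap and covers the case where only one of them responds.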