Google is your friend. If you get an email that seems to be from Orinoco.com’s finance department telling you they need bank details and including a handy link, you should look their published address up and check with them that way.
You are mostly correct, but as it happens the organisation in question also has credit card details, available from the same page, for those instances where the member owes them money.
If in a month’s time I get another dubious-looking mail saying “okay, now we need to update your credit card details”, I’ll revive the thread.
I still recommend looking at the email headers. It should be pretty simple to confirm whether or not it originated from the organization. You can use this Google tool if you’re not familiar with parsing SMTP headers.
I know a company that sends emails like this as part of a mock-phishing attempt to see who is dumb enough to click on the link. If you do, you will be counselled by your supervisor and a couple more failures on your part will lead to other discipline.
(ETA: re mail headers)
I should have said - I did already do this. I’m not completely on top of all the various bits of a mail header, but I can see that all the domain names mentioned in the mail are either something.organisation.com (where organization.com is the correct top level domain) or references to my own ISP handling the mail. There’s nothing dodgy-looking in the plain text of the source that’s identifiable from a moderate-noob-look.
Like the contents of the message, the writing on the outside of the envelope can be easily forged. Messages from your bank should have a signature on the outside of the envelope*, and headers without that should be rejected by Gmail and Outlook.com. But messages from other senders often have headers that can easily be forged.
* technical details simplified
Most of the email headers, like From and Reply-To, can be forged, but the Received header chain at the start of the message is trustworthy if you know how to interpret it. There are more sophisticated mechanisms to prevent spoofing like DKIM, but just looking at the Received chain will identify most spoof attempts.
Yes, but they shouldn’t be sending out a link like that. Their security dept. should know better.
I get messages from my banks and from Visa. Some are legit, some are not. I go to the source directly not using any links in the email.
The received header chain identifies most spoofed email, but it is by no means trustworthy.
“From” and “Reply-To” fields are inside the envelope: they are equivalent to the letterhead on a page. The received header chain is from the outside of the envelope: trusting that a message came from your bank because the received header chain says so is equivalent to trusting that a letter came from your bank because the postman said so.
The Received chain is outside the control of the sender. If you think arbitrary mail servers are compromised then yes, you can’t trust the headers, just like your postman might be in cahoots with someone who’s sending you scammy paper mail. But that’s a much less likely scenario than the sender working alone. The sender has no control over any Received headers prepended to the start of the email after it leaves their computer.
What exactly are you expecting to see in the chain? I have complete control of any chain I wish to include when it leaves my computer, I can spoof my own computer, I can send it directly to Gmail, and after it gets to Gmail, it’s only the Gmail computers.
The only difficulty is getting it accepted by Gmail, and that’s not impossible. Gmail uses a combination of examining the envelope and the message inside to classify mail, and if it was so clear that you could reliably reject it by examining the receive chain, Gmail would already have done so.
You bring additional information when you examine the receive chain, but when it gets to your provider, your provider is just repeating what it’s been told.
A serious possibility too is that hackers have compromised the public-facing login server, but not the back end database servers. So their choices are to try to brute-force guess passwords, wait for people to enter new passwords, or try to trigger new passwords; or maybe it’s not the passwords, it’s the other banking data they can’t access on their own and need for it to pass through the server in clear text.
Highly unlikely, but still - ANY request for credentials or sensitive data that includes a “click here” link is beyond suspect. Any IT department that does not realize this should not be trusted either.
You can make a false chain, saying that your computer accepted the message from BankAhoy, and then you pass it on to Gmail. Gmail is going to show that it accepted it from you. So when looking at the headers I’ll see BankAhoy->Melbourne->Gmail, and I’ll say, what is Melbourne doing in there? I expect the message to come from BankAhoy.
If BankAhoy is using SPF, then Gmail is going to ask BankAhoy, hey, can Melbourne deliver mail for you? And BankAhoy will say no, only BankAhoySMTP can deliver mail for us: spam alert! Take it up a level to DKIM, and BankAhoy will sign their headers, and Gmail will check and see if that signature was made with BankAhoy’s secret key.
Or you spoof BankHello, which is easily spoofable, because they don’t bother with things like SPF or DKIM. Gmail will have a low opinion of them, so their customers will complain of missed messages.
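The Received-chain reading described earlier in the thread and the BankAhoy -> Melbourne -> Gmail / SPF case in the post above, worked through as an added Python example (not part of the thread). Every hostname, the sample message and the `AUTHORIZED_SENDERS` policy table are constructed stand-ins for real SPF records.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message: BankAhoy hands to Melbourne, Melbourne hands to Gmail.
# Only the top Received header was written by our provider; the one below it is
# whatever the sender (Melbourne) chose to put there.
SPOOFED = """\
Received: from mx.melbourne.example (mx.melbourne.example [192.0.2.50])
        by mx.gmail.example with ESMTPS id abc123
        for <victim@gmail.example>; Mon, 1 Jan 2024 10:00:02 +0000
Received: from smtp.bankahoy.example (smtp.bankahoy.example [198.51.100.7])
        by mx.melbourne.example with ESMTP id def456;
        Mon, 1 Jan 2024 10:00:01 +0000
From: BankAhoy Finance <finance@bankahoy.example>
To: victim@gmail.example
Subject: Update your bank details

Click here...
"""

OUR_PROVIDER = "mx.gmail.example"
# Hypothetical SPF-style policy: hosts each domain allows to hand mail to us.
# BankHello deliberately publishes nothing, as in the post above.
AUTHORIZED_SENDERS = {"bankahoy.example": {"smtp.bankahoy.example"}}
HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.S)

def received_chain(raw):
    """Hops as (from_host, by_host), oldest first (headers are prepended on receipt)."""
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(value)
        if m:
            hops.append((m.group(1), m.group(2)))
    return hops

def trusted_hops(hops, our_provider):
    """Hops from the first one stamped by our own provider onward; earlier hops are sender-written."""
    for i, (_, by_host) in enumerate(hops):
        if by_host == our_provider:
            return hops[i:]
    return []

def check_handoff(raw, our_provider=OUR_PROVIDER, policy=AUTHORIZED_SENDERS):
    """The SPF question: was the host that handed us the mail authorized by the From domain?"""
    from_domain = parseaddr(message_from_string(raw)["From"])[1].split("@")[-1].lower()
    trusted = trusted_hops(received_chain(raw), our_provider)
    if not trusted:
        return "reject", "no Received header written by our own provider"
    handoff_host = trusted[0][0]
    allowed = policy.get(from_domain)
    if allowed is None:
        return "unknown", f"{from_domain} publishes no sender policy"
    if handoff_host in allowed:
        return "pass", f"{handoff_host} may send for {from_domain}"
    return "fail", f"{handoff_host} handed us mail claiming to be {from_domain}"
```

Run against `SPOOFED`, the check fails because Melbourne, not BankAhoy's own SMTP host, is the hop our provider actually recorded; the earlier "from smtp.bankahoy.example" hop is ignored as sender-controlled.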
What bothers me is that many legitimate emails use some type of email service, like sendgrid, that re-writes links. I’ve received actual emails from my employer’s security department warning about checking links, which contain re-written links that don’t go where they say, and not as a security test, but as an unintended consequence of the mailing list software.
I agree. Never click a link in an unexpected or unsolicited email. There is no guarantee that it will do what it says.