The "Single-Slash Double-Dot" rule for identifying spam links in phishing emails

This article is about email phishing, and spam-links in emails: how you can recognize them and what to do about them.


Understanding Spam vs Phishing


Most people know what regular spam is. Phishing is a more sophisticated type of spam, which combines information that the spammer knows (or guesses) with conventional spam techniques. Often phishing emails are addressed directly to you, and offer a "product" or "service" that you might realistically want. For example, they may offer to fix a security problem with your on-line banking (just as soon as you have gone to their website and given them your real on-line banking details).

Bloggers are particularly susceptible to phishing emails, because we write websites where we share information about ourselves. For example, anyone who reads Blogger-hints-and-tips should have no trouble guessing that I use both Amazon Associates and Chitika, and that I have a domain hosted with DomainDiscount24.  It's not much harder to work out that I'm interested in folk-music, and know a lot about public transport in my city. And even though I don't display my email address on the blog, it isn't that hard to guess from some of the screen-shots I use, or by subscribing to my RSS feed.    And you might be even more vulnerable if you link your blog to your Facebook profile instead of a Page.


Protecting yourself from Phishers

ISPs and email services detect and delete most regular spam emails before they are delivered. But this is harder to do with phishing emails, because they often look genuine. So you need to protect yourself against phishing.

The best way to do this is to be curious-and-cautious about any email you receive. There are lots of suggestions below about what this means, and what characteristics to look for. None of them can give a 100% certain answer about whether a message or offer is dodgy. But being aware of the sort of things you need to check, and in particular the "single-slash-double-dot" rule for checking links, is a an excellent start.


How to spot phishing emails

An email message may be a phishing attempt if some of the following are true:
  • You were not expecting the message, or any contact from the organisation it apparently comes from.
  • You've never heard of the organisation or company that it comes from - or you don't have any dealings with them.
    (That said, sometimes unknown organisations do contact you - try to establish their legitimate website or phone number from another source, to check if they're "for real" or not).
  • The message asks you to confirm account details by giving some personal information: no reputable company will ever want you to do this by email. Intelligent reputable companies will not expect you to do so by clicking on links in their website.
  • The message tries to make you respond quickly, to stop something bad from happening. (Basically, they're trying to stop you from thinking about the message before you respond to it.)
  • An email doesn't have your address in the To field - or it has your address and many others which you don't know.
  • The message-body doesn't start with your name (eg if it says "Dear Customer" instead of "Dear Joe Soap")
  • The from address, or the name as the bottom of the message (like the "signature" in a paper-based letter) is missing, or seems strange given where the message came from.
  • Bad spelling. Bad grammar. Poor formatting. Odd looking graphics / pictures / logos. Strange sentence structures (either to try to trick you, or because the author doesn't know your language well).

None of those features guarantee that a message is dodgy. But any of them should be enough to make you a little suspicious.

But there are some features that are more of a give-away:
  • The URL / hyperlink in the message isn't the right one for the company (eg it's from www.ebay.org instead of www.ebay.com)
  • The message contains a link which doesn't match the website show when you hover the mouse over it eg www.amazon.com - notice that it's linked back to Blogger-HAT instead of to the real Amazon.
    NB Even if a link looks like a link, ALWAYS check where it goes to by hovering your mouse over and seeing what the "tool tip" text is.
  • The message uses an URL shortening service (eg tinyurl.com, bit.ly, goo.gl) which stops you from checking where the link really goes.
    (This is a good reason why you shouldn't use link shortening services yourself:  they make it look like you have something to hide. Whenever I tweet about a post, I always put in the full URL: even though Twitter doesn't display all the characters in the message, they are available to anyone who hovers over the link).


A simple rule for evaluating links:

The last three points are the most helpful - but they rely on you being able to look at a website-link and know if it's spammy or not.

And spammers know that it's easy to confuse people by showing them long, complicated real links, that superficially look like real ones.  For example, consider
www.cnn.com.newslist.2013-01.headlines.trouble.com/headline-listing/xx03/index.html
Lots of people will look at this, see the "cnn.com" and think "ahh, that's a reliable news site, it must be fine."   But that's not actually true.

Fortunately there's a simple rule that you can use to find the real website that a link points to. It is
Single-Slash, Double-Dot

To use it, look at where the the link really goes (by hovering the mouse above it) and:
  • Find the first single forward slash
  • Look at the words between the two or three dots just before the slash
  • Decide if the link is genuine, based on these words.

The Single-Slash Double-Dot rule explained


In the example above, the first single forward slash is actually half-way through the link:
www.cnn.com.newslist.2013-01.headlines.trouble.com/headline-listing/xx03/index.html

So the website that it is pointing to is actually trouble.com - which might not be a place that you want to visit.  Compare this with
http://www.bbc.com/future/story/20130129-blue-heart-of-the-planet
where the first single-slash is quite near the start, just before the very genuine www.bbc.com.

In summary, the website name between these two or three dots should match the one that is shown in the email, and should be the right one for the company. For example, one of these points to the real TradeMe, and one doesn't:
TradeMe 
TradeMe
(Yes they look the same:  remember you need to start by hovering your mouse over the links, to find out where they really point to.


Two vs three dots?

You sometimes have to check back three dots because some countries have two-level internet addresses. For example, instead of .com you will find
  • .co.uk - in the United Kingdom (two level, so you need to check three dots)
  • .com.au in Australia (again,two level, so you need to check three dots)
  • .ie - in Ireland, (single-level, so you only need to check two dots).

So like the many internet security issues, there are still judgements you need to make, and knowledge you need to apply.   But still, it's fair to say that you can ...
Use the single-slash-double-dot rule to work out where the link in an email message really goes to.
[Tweet this quote].


What do to if an email or link is suspicious

With old-fashioned spam, the rule was always to delete the message, no questions asked.

With suspected phishing emails, it's a little harder.   You need to make a judgement:
  • What are the chances that this is genuine?/
  • What are the consequences if it is genuine, but I ignore it?
  • Is there some other way that I can check out this out, without clicking on the link in the email? For instance by going directly to the banks' website by typing in the address myself - or by phoning the person to ask if they really did email me.

You need to weigh up these three factors, and based on them decide whether to investigate further (eg by going to the website directly, or emailing the sender for more information, whether to trust the email message, or to just delete it.


TL/DR:

Phishing emails use information about you to personalize spam.

Apply common sense and intuition to every email that you receive. Check that links go where they are supposed to - and don't click them if they don't.

Use the single-slash-double-dot rule to work out where the link in an email message really goes to. [Tweet this quote]






Related Articles:

Displaying email addresses on your blog

Offering an RSS feed

Linking your blog to your Facebook profile

How to make a "tweet this quote" option.


EmoticonEmoticon