Identifying Illegitimate Email Links

Malware spreads via links disguised in legitimate-looking emails. Learn how to determine if the links in your emails are safe before clicking on them. 

This KB Article References: eFax
This Information is Intended for: Instructors, Staff
Created: 05/07/2014 Last Updated: 04/08/2024

You should be wary of links you receive in emails, especially if the email was unsolicited. There are several things you can do to determine the legitimacy of the email without clicking the link (often, if the link is malicious, just clicking the link is enough to install the malware on your computer). 

Note: While this article uses an email claiming to be from eFax as an example, the process for discerning if a link is legitimate can be applied to any email that you receive. There have been similar scams involving emails claiming to be from Microsoft, USPS, and other legitimate groups. 

I. Check for "Warning Flags" in the Email

Illegitimate emails usually have at least one of the following:

  • Spelling/grammatical errors in the body text of the email
  • Long, alphabetical lists in the "To:" field 
    • Or nothing in the "To:" field
  • Vague "Subject" line
  • Missing salutation ("Hello", "Good afternoon", etc.)
  • Sense of urgency (e.g., "This link will expire in 24 hours")

An email with these characteristics is suspicious, and should be viewed with caution (don't click on links, open attachments, etc.).

II. Check Links for Legitimacy

If a suspicious email contains a link, you can verify its legitimacy. Move your cursor over the link, but do not click it. Hold your cursor there for a few seconds, and the destination of the link will pop up. A link that appears to go to one location but actually links to another is a big red flag.

In the example below, the link text reads "http://www.efax.com/fax..." and it appears to be legitimate, but when the cursor is hovered over it, we can see that it actually links to "http://slash.ma/efax_7132159010.doc". Always check the destination of links before clicking on them.

To appear legitimate, these emails will often include links to valid pages. In the example below, the email does include a link to a help page on the legitimate eFax website. A fraudulent email may contain legitimate links, so be cautious.

Screenshot of eFax e-mail and important attributes to review. 

III. Check Phone Numbers for Legitimacy

Some fraudulent emails (especially those claiming to be from eFax or eVoicemail) will contain a phone number. Just as we analyzed the link without clicking it, we will check the phone number without calling it. 

  1. Go to http://www.whitepages.com/
  2. Click on Reverse Phone Lookup
  3. Enter the number
  4. A strange/unexpected location is a red flag

Reverse lookup of phone number using whitepages.com 

IV. Scan the Links

VirusTotal is an online service that can be used to verify the legitimacy of links. To scan a link:

  1. Go to https://www.virustotal.com/
  2. Click URL
  3. Enter the destination of the link
    • You have to manually type in the link (do NOT copy and paste from the email). As in the example above, the link appears to go to an eFax page, but it really goes to a slash page; copying and pasting the link from the email would cause VirusTotal to analyze the legitimate eFax page, rather than the actual destination of the link
  4. Click Scan It

Screenshot of virustotal.com

VirusTotal will generate a report. Here are things you should take note of:

  • Detection ratio: this number indicates how many vendors recognize it as malicious - a legitimate site should have a score of 0
    • If your link has a score of 0, click "Reanalyze" to confirm that the site is legitimate
  • Analysis dates: if the email claims to link to something personal (as in this example, a fax), then there should be no "last analyzed" date, as your link would be unique

Review the malware scanner's feedback 

You can also view a more detailed report by clicking "View last analysis". This will list specifically what the page was detected as - just one "Malware Site" detection should indicate that the webpage is illegitimate.
 

Malware scanner's results showing detected malware

V. Scan the Download

While on the same VirusTotal page, click on download file analysis. This will open a similar-looking page; however, this page lists what (if any) antiviruses have detected the file as malicious. If your file has ANY malicious results, DO NOT download it.

Malware detected in the "Downloaded File Analysis" section of virustotal.com

The Email is Fraudulent, What Now? 

In this example, the email is not legitimate and downloading the fraudulent fax would result in a virus infection. If you find that you've received an email that's fraudulent, you should mark it as spam - this will help to improve Google's filters. As a precaution, you should empty your spam folder after marking the email as spam.

For More Information Contact


Customer Engagement and Support
