Assessing an Email’s Legitimacy

Dubious email from Wells Fargo

I recently received an email sporting “Wells Fargo” logos. It asked me to do a survey. It was actually sent from the domain ‘morpace.com,’ which used to belong to a product survey company. When I googled the name ‘morpace’ the first thing I found was that the company had probably changed its name over a year ago. That’s a red flag.

It’s easy to forge an email message. What do we do to detect forgeries or likely forgeries?

Here are the top questions to ask about a possibly fake email:

1 – Does the “From” address make sense?

This is one of the easiest flaws to spot. Most phishing emails are slapdash affairs. I often see a From address like this:

From: Wells Fargo Bank Anti Fraud Unit <joejones1234@gmail.com>

I don’t expect to see a company send an authoritative email from a personal email account (remember Hillary Clinton’s emails?). Joe Jones #1234 might be an anti-fraud person at Wells Fargo, but I doubt he’ll send official emails through a personal Gmail account.

2 – Do I care about this email?

Avoid wasting time on unimportant emails. If you delete unimportant emails without displaying them, you reduce your Internet risks.

If the From address seems legitimate, and the email’s subject looks relevant to me, then I might probe a bit further.

3 – Do the Contents Make Sense?

I read the email’s claims to make sure they make sense. I found two red flags.

My first red flag was the promise of $10,000. The fine print assured me that my reply was really only worth $2, but the big amount distracted me. I don’t like distractions when I’m feeling suspicious.

The second red flag was the claim that Morpace is a market research firm working on behalf of Wells Fargo. The company is now called “Escalent,” though I’m not sure why that’s a better name.

In hopes of understanding Morpace’s relationship to Wells Fargo, I replied to the email. The reply was directed to an email at “morpace.wellsfargo.com.” I received a reply, which shows that at some time Wells Fargo had set up email for a project with Morpace. Could a hacker have taken over the now-abandoned Morpace email addresses at Wells Fargo? The technology behind such an arrangement makes it possible, though unlikely.

The Third Party Email Problem

Lots of companies hire third parties to send emails on their behalf. Entire industries rely on this. While I “feel their pain” at needing to cheaply send emails without bothering with lame details like authenticity, it’s still their responsibility.

There are several ways that a third-party vendor could provide some assurance that they speak legitimately on behalf of their client. For example, Wells Fargo could have an entry on their web site assuring people that this company has a contract with them, and vouching for the email address they use. Wells Fargo went to at least that much trouble to set up their “morpace” subdomain.

4 – What server actually sent me the email?

This requires some technical effort: we need to look at the hidden headers on the email. On macOS the email client gives us two ways to do this, both under the “View -> Message” menu entry:

  1. All Headers: shows all of the hidden email headers, which is what we need. Some versions seem to sort the headers to put the “Received” headers first.
  2. Raw Source: shows the email as a plain ASCII text file. This also shows us the hidden headers, since the headers are required to be ASCII text.

To find the email’s sender, go to the earliest “Received” header, which is the last one in the set of headers: each mail server that handles the message prepends its own Received line, so the bottom one was written by the first server to receive it. Here’s what it might contain:

Received: from mailer.morpace.com (mailer.morpace.com [67.107.47.145])
    (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
    (No client certificate requested)
    by mx1.messagingengine.com (Postfix) with ESMTPS
    for bob@sample.com; Thu, 22 Aug 2019 11:02:21 -0400 (EDT)

The Received header contains several parts of interest. A particular Received header may contain some or all of these parts, or other parts. The SMTP software decides what information it provides.

  • from: the host sending or forwarding the email, as it named itself, followed in parentheses by the name and IP address the receiving server recorded for it (mailer.morpace.com)
  • by: the host receiving the email (mx1.messagingengine.com)
  • with: the email service software (ESMTPS)
  • for: the intended email recipient (bob@sample.com)
  • the date of receipt (22 Aug 2019)

In this case, the server was “mailer.morpace.com,” which is consistent with the rest of the email.
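As an added example (not code from the original post), here is a small Python parser for the Received chain described above: it pulls the from/by/with/for/date clauses out of each header, takes the last Received line as the originating hop, and compares that hop with the From: address. The sample message is constructed to resemble the header shown; the inner delivery hop and its IP are invented.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime
# Constructed sample modelled on the header quoted in the post; the inner hop and its IP are invented.
RAW_MESSAGE = """\
Received: from mx1.messagingengine.com (mx1.messagingengine.com [192.0.2.5])
    by imap.sample.com (Dovecot) with LMTP
    for bob@sample.com; Thu, 22 Aug 2019 11:02:22 -0400 (EDT)
Received: from mailer.morpace.com (mailer.morpace.com [67.107.47.145])
    (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
    by mx1.messagingengine.com (Postfix) with ESMTPS
    for bob@sample.com; Thu, 22 Aug 2019 11:02:21 -0400 (EDT)
From: Wells Fargo Survey <survey@morpace.com>
"""

def _strip_comments(text):
    """Drop (possibly nested) parenthesised comments such as '(Postfix)'."""
    while re.search(r"\([^()]*\)", text):
        text = re.sub(r"\([^()]*\)", "", text)
    return text

def parse_received(value):
    """Split one Received header into clauses, keeping the rDNS name and IP the receiver logged."""
    value = re.sub(r"\s+", " ", value).strip()
    hop = dict.fromkeys(("from", "from_rdns", "from_ip", "by", "with", "for", "date"))
    m = re.search(r"\bfrom (\S+)(?: \((\S+)? ?\[([^\]]+)\]\))?", value)
    hop["from"], hop["from_rdns"], hop["from_ip"] = m.groups() if m else (None,) * 3
    clauses, _, date = _strip_comments(value).partition(";")  # comments can hide a bogus 'with'
    for key in ("by", "with", "for"):
        k = re.search(rf"\b{key} (\S+)", clauses)
        hop[key] = k.group(1) if k else None
    hop["date"] = parsedate_to_datetime(date.strip()) if date.strip() else None
    return hop

def originating_hop(raw_message):
    """MTAs prepend Received lines, so the LAST one is the first hop: the injecting server."""
    received = message_from_string(raw_message).get_all("Received", [])
    return parse_received(received[-1]) if received else None

def sender_consistency(raw_message):
    """The check the post does by hand: does the first hop agree with the From: header?"""
    hop = originating_hop(raw_message)
    if hop is None or hop["from"] is None:
        return None
    domain = parseaddr(message_from_string(raw_message)["From"] or "")[1].rpartition("@")[2].lower()
    return {
        "origin_host": hop["from"],
        "helo_matches_rdns": hop["from"].lower() == (hop["from_rdns"] or "").lower(),
        "from_domain_matches_origin": bool(domain) and hop["from"].lower().endswith("." + domain),
    }
```

A mismatch between the name the sending host gave itself and the name the receiver resolved for its IP, or a From: domain unrelated to the injecting host, is exactly the kind of inconsistency the manual check above is looking for.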

Conclusion

Here’s what we know, based on the information I found:

  • The email From address morpace.wellsfargo.com is an address belonging to Wells Fargo.
  • The Received headers suggest that the email actually originated from a server at morpace.com.
  • An email query to morpace.wellsfargo.com yielded a prompt, reasonably personal response.
  • There used to be a company named morpace.com that did the sort of marketing in the email I received.

It seems most likely the email is legitimate, though I never saw conclusive evidence.
*** This is a Security Bloggers Network syndicated blog from Cryptosmith authored by cryptosmith. Read the original post at: https://cryptosmith.com/2020/05/29/email-legitimacy/