Anatomy of a Spear Phishing Email

John Knights — October 4, 2013

A couple of weeks ago, some of our Wentworth community members received what is called a phishing email. More specifically, it would be considered a spear phishing email, as it appeared to come from a legitimate group on campus, our own Help Desk, and was addressed to our community.

Although this email was one of the more sophisticated examples we’ve seen, it still contained a few essential items that should raise your suspicion. So what did the message look like? Well, it looked similar to most service update emails.


Unlike most phishing emails, it was free of spelling errors and grammatically correct, or at least good enough. The message itself was close to what we would send from DTS and the links appeared correct. They appeared correct, but a closer look revealed some hidden truths.

The “From:” field contained an address that looked right, but if you look closer, you can see that there is an underscore after “helpdesk.”



Another, more hidden item was the webpage that the “Access E-Mail” link actually links to. (TIP: hover your mouse over a link to see where it will actually take you!)


The latter half of the link, “” is actually a page within the website hosted at mail-wit [dot] ga522 [dot] net, rather than the actual website in the visible link on the email.

If you had clicked on the link, it took you to a page that was an exact replica of our webmail log-in page. Except, instead of logging you into our Exchange e-mail service, it just captured your credentials and sent them to the attacker.
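The two tells described above, a sender address that is one character off and a link whose visible text names a different site than its real destination, can also be checked automatically. The sketch below is an added example, not DTS tooling; the addresses, hosts and the `KNOWN_SENDERS` allow-list are constructed placeholders.

```python
import difflib
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list and constructed sample message; every name is a placeholder.
KNOWN_SENDERS = ["helpdesk@example.edu"]
SAMPLE = """From: Help Desk <helpdesk_@example.edu>
Content-Type: text/html; charset=utf-8

<a href="http://mail-example.phish.invalid/owa">https://mail.example.edu/owa</a>"""

class LinkCollector(HTMLParser):  # gathers [href, visible text] for each <a>
    def __init__(self):
        super().__init__()
        self.links, self.in_link = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append([dict(attrs).get("href") or "", ""])
            self.in_link = True
    def handle_data(self, data):
        if self.in_link:
            self.links[-1][1] += data
    def handle_endtag(self, tag):
        self.in_link = self.in_link and tag != "a"

def host_of(text):  # hostname if text looks like a URL or bare domain, else None
    try:
        host = urlparse(text if "://" in text else "//" + text).hostname
    except ValueError:  # malformed authority, such as unbalanced brackets
        return None
    return host.lower() if host and "." in host and " " not in host else None

def analyze(raw_message):  # returns a list of human-readable findings
    msg, findings = message_from_string(raw_message), []
    sender = parseaddr(msg.get("From", ""))[1].lower()
    near = difflib.get_close_matches(sender, KNOWN_SENDERS, n=1, cutoff=0.85)
    if near and sender not in KNOWN_SENDERS:
        findings.append(f"lookalike sender: {sender} resembles {near[0]}")
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            parser = LinkCollector()
            parser.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
            for href, text in parser.links:
                real, shown = host_of(href), host_of(text.strip())
                if real and shown and real != shown:
                    findings.append(f"link text shows {shown} but goes to {real}")
    return findings
```

A link whose visible text is a label such as “Access E-Mail” rather than a URL has nothing to compare against, so for those the hover check described above still applies.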


When we find or are alerted to these messages, we do our best to inform the affected users and block the site, which is what we did. (TIP: To report phishing emails, please email them to


So how can you catch these in the future?

1.  Familiarize yourself with what official emails look like.

This first example is a Wentworth Announcement that departments send out to communicate announcements, events, and general information the targeted audience should know. Below is an example.


The “From” is going to be the department sending the message and the “To” will always be “Wentworth Announcements.” In addition, we brand all messages from the departments sending out the announcement.

There are times that DTS will send messages from within a system to inform individuals about items that require their attention. Below is an example password expiration notice.


Notice that “DTS Help Desk” is indicated as the sender in the “From” field, which properly resolves to the actual Help Desk email address of “” In addition, for these individually targeted emails, DTS will include your Wentworth ID number (redacted here for security reasons). Make sure you verify that before going any further with these very important emails. Again, the message is branded as a “Division of Technology Services” email.

2.  Read more about phishing on our Information Security webpage at

This page has more examples and resources to better equip yourself with the knowledge to make sure you don’t get caught the next time someone goes phishing!

John Knights

