Due to ongoing IT security education and training over the last few years, our vigilance as a community has increased tremendously.  This is, of course, a positive development.  One side-effect, however, is that the very same vigilance and wariness so encouraged by that training can sometimes lead us to mistrust legitimate emails.

Phishing emails try (among other things) to trick us into clicking a link and visiting a malicious website.  They represent a very real threat.  However, sometimes we receive emails from legitimate sources (sometimes third parties contracted by the university) that urge us to click a legitimate link.

This document intends to convey a technique for determining the safety of a link included in an email without going into too much detail about the underlying technical principles (DNS hierarchy, website directory organization, etc.).

The Basics - Look For the Usual "Red Flags"

First, apply your own common sense, intuition, and previously received IT security training in evaluating the trustworthiness of the received email.  If, after doing so, you still feel there's a strong chance the email is legitimate, there is one additional technique that can be used to analyze and verify the link you're being asked to click before actually doing so. . .

Only After Careful Examination - For Emails You Think Are Likely Legitimate

As an example, we'll be using an actual, legitimate email sent to me asking me to take part in the "UC Cyber Security Awareness Fundamentals" training (screenshot follows further below).  Training emails such as these often elicit worry and concern because the return address on them (noreply@sumtotalsystems.com) is not from a UCSB organization or contractor that is readily recognized.  So, the first impression given by this email may be that it is not legitimate.  And, it should be pointed out that even emails with valid/legitimate return addresses can be malicious (the return address can be spoofed/faked and even non-functional. . . the malicious intent is not that you reply, but that you click a malicious link or open a malicious attachment).

...

2.  Note that at the bottom of your screen/window, the actual destination encoded in the link will appear.  (The way this is displayed on mobile devices varies, but it will likely pop up a question asking if you really want to go to the specified site. . . allowing you to opt out of doing so.)

Evaluating a Link/Address in Detail

First. . . does the link in the body of the email match the actual destination shown at the bottom of the screen?  Malicious actors will often encode a different actual destination than the one presented in the email body.

...

So. . . what makes "http://www.learningcenter.ucsb.edu/" safe according to the "rules" above?  After all, it has "learningcenter" in it, and that could be anybody!  The important factor here is that "learningcenter" appears between the http:// (or https://) and the first / but is also to the left of ucsb.edu.  Put another way, reading right-to-left from the first solo forward slash, "ucsb.edu" comes before "learningcenter."  That means that "learningcenter" is under the control of "ucsb.edu."  Thus, it is safe.
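For mail administrators who want to apply the same two checks to many messages, here is an added Python example (not part of the original page) that compares each link's displayed address with its real destination and then reads the host right-to-left against ucsb.edu. The names host_is_under, LinkCollector and review_links are hypothetical, and the SAMPLE body with its .example hosts is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
TRUSTED = "ucsb.edu"  # the domain the page's rule is built around
# Constructed sample email body; the .example hosts are made up.
SAMPLE = ('<a href="http://www.learningcenter.ucsb.edu/">Start training</a>'
          '<a href="http://ucsb.edu.training.example/">http://www.learningcenter.ucsb.edu/</a>'
          '<a href="http://training.example/ucsb.edu/">Start training</a>')

def host_is_under(url, domain=TRUSTED):
    """True if the URL's host is `domain` or a name to the left of it."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    labels, want = host.split("."), domain.split(".")
    return labels[-len(want):] == want  # whole labels, read right-to-left

class LinkCollector(HTMLParser):
    """Collects (visible text, href) for every <a> in an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def review_links(html_body):
    """Return (text, href, verdict) for each link in the email body."""
    parser = LinkCollector()
    parser.feed(html_body)
    results = []
    for text, href in parser.links:
        if "://" in text and urlsplit(text).hostname != urlsplit(href).hostname:
            verdict = "displayed address differs from destination"
        elif not host_is_under(href):
            verdict = "destination is not under " + TRUSTED
        else:
            verdict = "ok"
        results.append((text, href, verdict))
    return results

if __name__ == "__main__":
    print(*review_links(SAMPLE), sep="\n")
```

Only the host part of the destination is compared, so "ucsb.edu" appearing after the first single slash or in front of an "@" does not count as being under ucsb.edu.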

When in Doubt, We're Here to Help!

Though the above can be useful in determining the validity and legitimacy of a link/address found in an email (or elsewhere), we realize that to those not actually interested in the day-to-day functioning of IT, DNS, and, well, the internet. . . it may not always be that easily remembered.  And, with cyber security always such a pressing concern, it is normal and natural to feel anxiety about clicking any link even when you're pretty sure it's safe.  As always, even with all the above said, if you have any doubt about the legitimacy of an email, please always feel free to ask us about it at help@engineering.ucsb.edu.