Phishing mail samples and inspection

Stephen Cow Chau
Feb 17 · 4 min read

Phishing email are usually easy to identify, most of them are not really carefully crafted, like followings:

Sample 1

The subject “IT-” with domain sender email “” simply don’t align, and with Hotmail, I am expecting beautiful HTML email with graphics and better layout (and capitalize “Hotmail”)

Sample 2

Similarly, how would Google (which Google Photos Hosting does not even imply it’s the famous Google company we know) send email from domain “”? And Google normally have specific subject and better footer design and disclaimer

A valid Google email footer I used to see:

Sample 3

This email is a common delivery phishing context email, the first thing is the To in email content is using my email alias (not my name), so they don’t know my name at all, which is weird. And also SF Express is a local company here in Hong Kong, and I am expecting a Chinese email instead, the email text is not commerical writing (too short and simple and too direct).

Again, the key is the email domain does not align with sf express.

See my other mail on (again, respect to which does reply promptly and took action on inspection for their service being abused, while the other service providers in the article does not even reply)

Short conclusion before a more complicated cases

Domain name of the email sender is very important information, when a email sender is from unknown domain or domain name that’s different from their company name (sometimes they are clever to register something very similar, like using a “1” to fake a “l” or using a “l” to fake an “I” (capital letter “i”).

For all email like that, it’s much easier to spot in PC than on mobile device which the screen is smaller and the app design might decide to hide some not so important information or make them look small.

Sample 4

This one look more “valid”, as the email content looks more “real” (the HTML email body, image, layout).

We can see several things that doesn’t align, still. First we have an attachments with 0 bytes, this is super suspicious. And the footer we have the company name “hongkongpost” (which is not capitalized and properly spaced , the real name is “Hongkong Post”). Last by not least, again it’s the domain.

Sample 5

This actually caught by the junk mail detector, but it took me some time to confirm.

First of all, the email look legitimate, the footer look very real. And the domain name is real, as well I did go check on the service provider, their customer service email is actually “”.

Then I would suspect if the email might fake their email “FROM” and does actually send from another email, so I go ahead to read the email source

Email header show some interesting lines:

First, the spf is not pass, and the lookup of failed on DNS Timeout, which before I dig deeper, I though it’s just because the DNS having issue at the time the mail being checked.

Then I take the IP address, that’s from Latvia, and viola, it must be a spam (if it’s from US, I would probably puzzle a bit more)

Side note

While I write this article, I realize a weird thing in email content, which is the “real-ish” footer, having a Simplified Chinese “click here” within the content of Traditional Chinese wordings:

Also, the font size does not really look right now (when I inspect carefully)


Even spam mail detector are doing pretty well, it’s still our own responsibility to be careful about those spam/phishing email.

Great reference

Nerd For Tech

From Confusion to Clarification

Medium is an open platform where 170 million readers come to find insightful and dynamic thinking. Here, expert and undiscovered voices alike dive into the heart of any topic and bring new ideas to the surface. Learn more

Follow the writers, publications, and topics that matter to you, and you’ll see them on your homepage and in your inbox. Explore

If you have a story to tell, knowledge to share, or a perspective to offer — welcome home. It’s easy and free to post your thinking on any topic. Write on Medium

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store