I received an email message today stating that all users of a system I use for work must update their security questions on a bi-yearly basis and that my account would be locked out in twenty-four hours if my security questions were not updated within that time. Within the message was the Uniform Resource Locator (URL) for the relevant website. The message seemed suspicious, since I would expect to have received prior notices before one informing me I had only 24 hours left to update the questions, and also I've not encountered instances of such sites requiring security questions to be updated on a periodic basis, though it is common to require passwords to be updated periodically.
When I hovered my mouse pointer over the link in the message, I found that the first part of the name in the fully qualified domain name (FQDN) looked like something I would expect in a site name for my employer, but the ending of the domain name was securefileshares.com, which would not be a site I would go to to modify security questions for a work-related system. On my laptop, I use Outlook 2016 as my email client; to view the email header for a message in Outlook 2016, you can take these steps, but most email clients provide a mechanism to view a message's header, which will show the originating system and other email servers a message has passed through. Viewing the header information, I saw the following lines:
Received-SPF: Temperror (SPF Temporary Error: DNS 'NoneType' object has no attribute 'header') identity=mailfrom; client-ip=188.8.131.52; helo=mail.nova.phishme.com; email@example.com; firstname.lastname@example.org
<text snipped>
Received: from mail.nova.phishme.com (mail.nova.phishme.com [184.108.40.206]) by <text snipped>
MIME-Version: 1.0
X-Priority: 3
X-PhishMe: Phishing_Training
X-PhishMeTracking: TjaVg7y+fe0Q/<text snipped>
The header lines showed it was a training exercise, since PhishMe is a company that helps organizations train their employees to avoid phishing attempts. But if you have a question about whether a message you have received is legitimate or is a spoofed message that appears to come from a legitimate sender, such as your employer, bank, or some other source you would trust, it is best to type in a link rather than click on one within an email, unless you observe the actual link very closely. Examining message headers can also help you identify a message sent by someone spoofing a legitimate sender. It is trivially easy for a spammer, malware purveyor, or other malefactor to spoof a "From" address, so you should never assume that a "From" address is a reliable means of identifying a message's actual sender.
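The header check described above can be scripted. The following is an added example, not part of the original post: it uses Python's standard email module on a constructed sample header (the From address, the "by" host and the 192.0.2.10 address are placeholders) and reports the SPF result, the relaying host and the X-PhishMe marker.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample header, modeled on the lines quoted above; the From
# address, the "by" host and the IP address are made-up placeholders.
SAMPLE = """\
Received-SPF: Temperror (SPF Temporary Error) identity=mailfrom;
 client-ip=192.0.2.10; helo=mail.nova.phishme.com
Received: from mail.nova.phishme.com (mail.nova.phishme.com [192.0.2.10])
 by mx.employer.example; Mon, 1 Jan 2018 10:00:00 -0500
From: "IT Help Desk" <helpdesk@employer.example>
Subject: Update your security questions
X-PhishMe: Phishing_Training

body
"""

RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\((?:\S+\s+)?\[([0-9a-fA-F.:]+)\]\)")

def base_domain(host):
    # Naive last-two-labels comparison (an assumption of this sketch; real
    # code should consult the Public Suffix List).
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def summarize(raw):
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(value.split()))  # unfold wrapped lines
        if m:
            hops.append({"host": m.group(1), "ip": m.group(2)})
    spf = (msg.get("Received-SPF") or "none").split()[0].lower()
    findings = []
    if spf != "pass":
        findings.append(f"SPF result is {spf}, not pass")
    # The topmost Received line is written by the recipient's own server;
    # lines below it are supplied by earlier hops and can be forged.
    if hops and base_domain(hops[0]["host"]) != base_domain(from_domain):
        findings.append(f"From domain {from_domain} but relayed by {hops[0]['host']}")
    if msg.get("X-PhishMe"):
        findings.append(f"simulation marker X-PhishMe: {msg['X-PhishMe']}")
    return {"from_domain": from_domain, "spf": spf, "hops": hops, "findings": findings}

if __name__ == "__main__":
    for line in summarize(SAMPLE)["findings"]:
        print(line)
```

A mismatch between the "From" domain and the relaying host also occurs with legitimate third-party mailing services, so treat each finding as a reason to look more closely rather than as a verdict.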