TORPEDO - Add-on to support users in detecting phishing e-mails

Phishing is a method fraudsters use to defraud or harm you.They send you phishing e-mails, i.e. messages containing malicious links. Thus, in order to effectively detect phishing emails, it is necessary to carefully check the web address (also called URL) behind the link. TORPEDO (TOoltip-poweRed Phishing Email DetectiOn) helps to expose malicious links in phishing e-mails so that you can expose their attempts to deceive you. It exists as an add-on for Firefox as well as for the Thunderbird e-mail client.

Functionality

TORPEDO displays the relevant information for the check directly next to the link in a tooltip(-overlay), so that it is easier to perform the check with TORPEDO. In addition, TORPEDO distinguishes different risk levels of links and thus shows you when it is important to check the web address behind the link before clicking the link. The following risk levels are shown: 

Green: This dialog window indicates that the risk level of visiting the URL associated with the link is deemed low. This is because the domain belongs to a list of websites which the developers consider to be legitimate or it belongs to a user-defined list of websites. The user-defined list contains all websites that you have either visited twice or added manually.

Example 1: Here is an example of a dialog window where the risk level of visiting the URL is deemed low because the Domain is part of the developer’s list of websites:

Example 2: Here is an example of a dialog window where TORPEDO deems the risk of visiting the URL as low, because you have already visited it twice or manually added it to the user-defined list:

Grey: This dialog window indicates that the risk level of visiting the URL associated with the link is deemed unknown. In this case, you need to inspect and verify the domain of the URL by yourself to determine whether the URL is safe to open or if it is likely a phishing attack. To encourage a careful consideration of the domain of the URL, the link is temporarily disabled for 3 seconds (3s).

Example 1: Here is an example of a dialog window where TORPEDO did not find the example.com on the list of legitimate domains even though it’s a legitimate website because it is not one of the most visited websites.

Example 2: Here is an example of a dialog window where TORPEDO did not find the exampie.com (notice the visual resemblance of the letter i instead of l) on the list of legitimate domains, and therefore shows the unknown risk type of dialog window. In this case the website is a phishing one which tries to make you believe it goes to example.com which is not the case.

Grey with warning symbol: This dialog window indicates that the risk level of visiting the URL associated with the link is deemed unknown. The warning symbol is displayed since at least one indicator that is often used in phishing attacks was found. However, it does not necessarily mean that it is a phishing URL. Legitimate emails may contain these indicators as well. Here you need to check particularly carefully whether the link leads to a website that might perform a phishing attack or not. To encourage a careful consideration of the domain of the URL, the link is temporarily disabled for 3 seconds (3s) as well.

Example 1: Here is an example of a dialog window where the URL associated with the link does not match the displayed URL. In this case, it is a phishing link, as the dialog reveals that the page does not actually lead to karlsruhe.de.

Example 2: Here is an example of a dialog window where the URL associated with the link does not match the displayed URL, although the link is still legitimate. The link text contains a typo: 'Aachen' is spelled with two n. Such typos can occasionally occur in emails. However, since the underlying domain belongs to RWTH Aachen, this is not a phishing attempt.

Special cases: TORPEDO supports several special cases, such as short URLs and redirects. To ensure that these are configured according to your needs, we recommend that you take a look at the settings. Both the settings and this tutorial can be accessed at any time via the TORPEDO icon, typically located in the upper-right corner, as shown in this Thunderbird example.

Settings

In the settings there are 6 different tabs:

  • Timer lets you change the settings of the timer, e.g. you can increase or decrease the time or deactivate the timer completely. You can also activate and deactivate the different modes. If the privacy mode is activated, links are always opened via the resolved domain and not via the origin link. Also, short URLs are not resolved directly, but only after your confirmation. If Security Mode is enabled, you will see the gray case with a warning icon only after the second referrer. Otherwise, this already happens with the first one.
  • Domains lets you deactivate the list of most visited websites for the green case. You can also add your own cases to the Blue case list here.
  • Referrer lets you view the currently integrated referrers and add your own.
  • Short URL lets you view the currently integrated short URLs and add your own.
  • Tooltip lets you enable or disable individual sections of the dialog window. You can also configure whether to display only the domain or the full URL in the dialog window.

 

Download

  • Browser: You can download TORPEDO for Firefox here.
  • Thunderbird: You can download TORPEDO directly in Thunderbird.
  • If you are interested in the source codes of the add-ons, you can find them at GitHub.

Publications