In an earlier post, we gave a broad overview of how to spot a phishing email.
But nothing illustrates a point better than a few examples, so we’ve dug into the Intersys spam folder and pulled out some genuinely dodgy emails.
They’ll give you an idea of the kinds of tactics criminals use and the people they target. Along the way, we also provide some commentary on why the email in question is a phishing scam. Finally, at the end of the article, there are a few best practice tips.
Reassuringly, many scams are so ham-fisted they may as well have a flashing subject line reading ‘I vant to steal your money… mwah-ha-ha’. But a few are authentic-looking enough to send a little chill down the spine.
Be vigilant. Be sceptical. If in any doubt, delete.
Here are the emails.
Note: sensitive information has been obscured for security reasons.
1. The One From Your Helpdesk Reporting Suspicious Activity
This is crafty spear phishing (‘spear phishing’ being an approach highly targeted at one or a few individuals, rather than a mass phishing ‘trawl’). The fact it purports to be from the IT helpdesk could be enough to get a victim to drop their guard. Crucially, as you’ll see in so many of the examples below, its subject matter tries to provoke an emotional reaction. ‘Threat! Arggh!’
Why we know it’s phishing:
- The bright yellow ‘EXTERNAL’ is a sure sign this hasn’t come from the internal team. It wasn’t part of the original message; it is added by rules configured in our email system to flag that the sender is outside the organisation (i.e. an External Sender Warning Message).
- Also, the misspelling, or at least Americanised spelling, of ‘behaviour’ would never happen in a boilerplate email alert. By the way, misspelling is going to be a big theme.
- Finally, our team would never be asked to open a Word document in an email like this – and bear in mind, clicking a link on a phishing email is like opening the door to a criminal and handing them a welcome drink on the way in.
2. The One From Accounts Saying You’ve Just Been Paid
This one ticks a lot of boxes in the scammer playbook. It tries to manipulate our emotions – ‘Yay, I’ve been paid – money!’ It also perfectly replicates the Intersys email address in the sender field. Never assume an apparently correct address is a sign of authenticity.
Why we know it’s phishing:
- Our old friend EXTERNAL pops up in an email purporting to be internal.
- Did you spot the Microsoft disclaimer regarding an unmonitored mailbox? Most internal emails will not contain this kind of message.
- The vagueness of the email gets our scammer sense tingling. Lack of recipient name, greeting, salutation or sender details suggests virtual balaclavas and monkey wrenches, and nefarious criminal activity.
3. The One Scamming The New Employee
There’s something particularly dastardly about trying to get a new employee to foul up on the first day or week. But it’s effective, because newbies are going to be finding their feet and may be a soft target.
Why we know it’s phishing:
- The recipient is being targeted at his private account. That’s not going to happen with a genuine work email. (Or it shouldn’t.)
- ‘We now need some details FOR you’ is a mistake. A particularly lame one too. But how long before AI is going to eliminate these kinds of schoolboy errors? Be vigilant.
4. The One That May Not Be A Phishing Scam But We Don’t Care, It Just Smells… Phishy
Occasionally, there are no definite, tangible elements that prove something is a phishing scam. It’s just a feeling. Believe us, trust that feeling. A lot of the time you are going to be right, and it is better to err on the side of caution. As Intersys MD Matthew Geyman says about this example, ‘It may not be phishing, but I don’t trust the sender enough to want to find out.’
Why we know it’s phishing:
- We don’t, but we have a feeling – and that’s good enough.
5. The One That’s A Phishing Voicemail
Don’t let a different format throw you. This email purports to contain a voicemail link (it almost certainly won’t link to a voicemail, by the way). In fact, phishing can be an email, text, phone call, or social media approach.
Why we know it’s phishing:
- This is meant to be an internal email from the Intersys Audio Desk. Only, the sender has a non-Intersys address. It’s got ‘Bin it!’ written all over it.
- The sender address contains the recipient’s first and second name with an email address that is definitely not from the Intersys audio desk. Another sign of fakery.
6. The One That’s An Invoice For Something You Didn’t Buy
Aieeeee! Nothing gets the heart pumping (and sadly the mind sometimes malfunctioning) like an invoice for something you didn’t buy. This one is another in the school of ‘trigger someone emotionally and take them to the cleaners’.
Stay calm. Read on.
Why we know it’s phishing:
- Where do we start? You don’t have to be in Dictionary Corner to see the grammar and punctuation are all over the place. In fact, the line ‘We have faith you enjoy your purchase’ almost makes us want to give our scammer a reassuring pat on the back and a year’s subscription to Grammarly. Almost.
- When it comes to phishing, a light proofread is your best friend.
- Note also, Matthew Geyman suggests these PDF attachments typically contain a hyperlink to malware, or further phishing. So… amusing, maybe, but 100% dangerous.
7. The One That’s A Dodgy Friend Request At An Office Email
No doubt everyone loves you and wants to be your friend, but are they (or their social media platform) going to seek you out at your office address?
That’s a negative.
No matter how warm, fuzzy or downright curious you feel, don’t respond.
Why we know it’s phishing:
- Friend requests to office emails just aren’t going to (or shouldn’t) happen.
- The ‘From’ line looks a bit Facebooky, but it also looks quite a lot made up.
8. The One That’s from David Bowie
Back in the day, most of us at one time or another suspected David Bowie would be contacting us imminently to play on his album / swop style tips / marry him.
But an email from a Major Tom is almost certainly a scammer at work. While we almost admire the mixture of phishing/mickey-taking/trolling in that name at the bottom, it’s time to take your protein pill and put your (phishing) helmet on.
On a serious note, emails purporting to be from Microsoft are common and often look bona fide at first glance but a closer inspection is a must.
Why we know it’s phishing:
- At a superficial reading, this email is just about plausible. Scan a little more closely and you’ll find it is littered with inconsistencies in upper and lower case, unnecessary repetitions, odd punctuation usage and more. Rule of thumb: if an email from a mega-corporation like Microsoft isn’t impeccably written, it’s a scam.
- Any student of David Bowie knows that Major Tom either absconded into deep space (Space Oddity) or developed a terminal substance abuse problem (Ashes to Ashes). He almost certainly didn’t move into phishing scams.
- Also, the domain microsoft-federal.com seems implausible and the sender name (Emergency Updates) just a wee bit too desperate.
9. The One From Amazon Offering A Refund
‘Oh, goodie – refund. Let’s start clicking links.’
Or not, as the case may be. As old hat as these kinds of scams are, they still catch people out.
Why we know it’s phishing:
- As the old saying goes, if something sounds too good to be true, it’s too good to be true. Be deeply suspicious of ANY email asking you to click a link for money.
- No greeting. Surely if Amazon wants to refund you, it knows your name? Greetings-free emails suggest a generic mass mailout, which suggests a phishing scam.
- Would Amazon really miss a full stop after ‘business days’? No, and that’s because this isn’t from Amazon. Be a pedant: it could save you £££.
- Lastly, that domain: amazon-refundz – Z. Really?
10. The One From Your Internal Team That Could Blow the Lid Off Your Organisation if You’re Not Careful
There’s lots to like about this email. If you’re a criminal. The sender address looks plausible. The email is relatively well written and free from errors. And imagine the devastation you could cause if a recipient clicks on that link.
Why we know it’s phishing:
- It’s almost embarrassing how often that bright yellow EXTERNAL saves the day. This is clearly not an internal email. If we could buy a word a drink, we’d get this one a double mojito with a little umbrella in it.
- There’s just a vagueness about the greeting and sign-off – ‘To All’, ‘Sincerely, IT Dept’ – that has shadowy scammer written all over it.
- Any instruction from your own company to click a link in an email deserves to be checked with a phone call to the IT Department.
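As an added example (not Intersys’s own tooling or email rules), here is a small Python check that applies the sender-side red flags from items 1, 5, 8, 9 and 10 above to constructed ‘From’ headers: the EXTERNAL banner, an internal desk name arriving from an outside address, and a brand name glued into a domain the brand does not own. The internal domain, the brands’ legitimate domains and the sample headers are all assumptions.

```python
from email.utils import parseaddr

# Assumed internal domain and organisation name (placeholders, not Intersys's real domain).
INTERNAL_DOMAIN = "intersys.example"
ORG_NAME = "intersys"

# Brands named in the post and the domains they legitimately send from (assumption).
KNOWN_BRANDS = {
    "microsoft": ("microsoft.com",),
    "amazon": ("amazon.com", "amazon.co.uk"),
}

# Constructed sample 'From' headers modelled on the post's red flags, not real headers.
SAMPLE_FROM_HEADERS = [
    "IT Helpdesk <helpdesk@intersys.example>",                 # genuine internal sender
    "Intersys Audio Desk <j.smith@voicemail-notify.example>",  # item 5: internal name, outside address
    "Emergency Updates <updates@microsoft-federal.com>",       # item 8: brand glued to a hyphenated domain
    "Amazon <refunds@amazon-refundz.example>",                 # item 9: brand in name, altered word in domain
    "Microsoft Account Team <no-reply@microsoft.com>",         # external, but on the brand's own domain
]


def _on_domain(domain, legit_domains):
    """True if domain is one of legit_domains or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in legit_domains)


def analyse_from(header):
    """Return the red flags an inbound-mail rule could raise for one 'From' header."""
    display, addr = parseaddr(header)
    domain = addr.rpartition("@")[2].lower()
    display_l = display.lower()
    flags = []
    # The yellow EXTERNAL banner: sender domain is not ours. Informational on its own.
    external = not _on_domain(domain, (INTERNAL_DOMAIN,))
    if external:
        flags.append("EXTERNAL")
    # Items 5 and 10: claims to be an internal desk but arrives from outside.
    if external and ORG_NAME in display_l:
        flags.append("internal-name-external-sender")
    for brand, legit in KNOWN_BRANDS.items():
        # Items 8 and 9: brand string inside a domain the brand does not own.
        if brand in domain and not _on_domain(domain, legit):
            flags.append(f"lookalike-domain:{brand}")
        # Display name invokes a brand while the address is not that brand's.
        if brand in display_l and not _on_domain(domain, legit):
            flags.append(f"display-brand-mismatch:{brand}")
    return flags


def is_suspicious(header):
    """EXTERNAL alone is not a verdict; any other flag is grounds to bin the email."""
    return any(f != "EXTERNAL" for f in analyse_from(header))


if __name__ == "__main__":
    for h in SAMPLE_FROM_HEADERS:
        print("SUSPECT" if is_suspicious(h) else "ok     ", h, analyse_from(h))
```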
What to Do if You Suspect a Phishing Scam
First of all, we believe that every company should take a proactive approach to the phishing threat. This means ensuring you employ effective cyber security software, tools, procedures and, crucially, provide cyber and phishing awareness training to employees.
If you receive a suspected phishing email:
- Delete it immediately and be vigilant about similar emails in the future.
- Don’t forward the email to anyone – doing so increases the chances of the malware spreading.
- If you’ve already clicked on an attachment or link, please get in touch with your IT support team as soon as possible, so they can limit the damage and secure your systems again.
- If you know the person it purports to come from, pick up the phone to see whether it really was them.
Remember: be vigilant, be sceptical and, if in doubt, DELETE.
Intersys can help train your staff with phishing awareness training.
Intersys is a specialist IT cyber security company offering everything from one-off remedial support to full security operations centre services. Need help? Talk to one of our security specialists about your requirements now.