***Latest Update to the Hall of Shame – 8th February 2019***
At Lineal our IT team review a lot of dodgy emails. The criminal scam known as phishing (sending fraudulent emails to trick end users into divulging sensitive information or downloading dangerous files) is a widespread threat, and we're constantly on the lookout for dangerous new scams appearing on the internet.
It's estimated that around 90% of organisational security incidents begin with a mistaken click in an email, making it by far the most common way businesses are breached by ransomware, viruses or individuals with malicious intent.
There are ways to mitigate this. Strong antivirus software can intercept the payload once you've misclicked, and backups are vital insurance when it doesn't. Moving your email to a well-monitored cloud service (like Microsoft's Office 365) narrows the odds dramatically: every incoming message passes through a range of filters, so far less phishing spam reaches your staff in the first place.
However, no filter catches everything, and some human intuition and alertness is always required. With this in mind, we take a look at some examples of the most devious phishing scams we've ever seen:
The ‘Delivery Note’
Phishing emails are from fake 'banks' or enterprising Nigerian oil ministers, right? Wrong. This fairly innocuous email is the digital form of one of those 'sorry we missed you' cards you might receive through the letterbox for an undelivered package.
If you didn't notice the suspicious sending address, the accurate branding could lead you to believe this really was from a major logistics company, and you might divulge various personal details before realising there isn't actually a package to collect.
The Card-Payment Conundrum
Oh dear! My recurring card-payment for my TV license has expired – time to key my new card details into a dodgy website.
The growth of recurring payment systems for everyday things (like TV licensing) means users are familiar with being prompted to update their card details, but stay alert: just because the request is mundane doesn't mean it's innocent. This nasty phishing email scammed viewers out of thousands of pounds, and even hit the national headlines.
The ‘File Share’
A proliferation of easy file-sharing platforms means we're all more familiar with receiving large files via sharing links.
Curiosity about what this file is, and why your contact is emailing it to you (via a pretend 'Dropbox' email), might lead you to hand over your email login details on the fake sign-in page behind the link. The trick is very simple and very persuasive: only the vaguely mail-merged 'Hi info' greeting suggests this is not really something you want in your inbox.
The (Convincing) ‘Fake Bank’
Forget semi-literate Russian hackers and the like, the quality of this fake NatWest email is in a different class. Spelling mistakes, clumsy phrasing or dodgy branding can often give away an email scam, but criminals are becoming increasingly sophisticated at imitation. Anyone who falls for this email would be handing over their online banking login details.
Imitation is the sincerest form of flattery, and for the unwary email user, likely to be the most expensive.
The Government Request
Uh Oh. An official demand from Companies House. Better respond quickly. Bad luck – you’ve been scammed.
Don't let the impeccable branding or the dull subject matter catch you out: look at the email address and the link. UK public bodies such as Companies House use .gov.uk addresses; .ink is not a public-sector domain, so that should ring alarm bells.
The Domain Scam
Much like the delivery note scam above, this clever phishing scam we recently witnessed relies on the user not realising there is anything sensitive about their domain registration details (which, in the wrong hands, can be used to hijack the domain itself).
Hovering your mouse over the buttons reveals URLs that do not belong to this organisation, and should not be trusted.
The ‘Email Recovery’
This crafty scam invites you to 'Recover (email) Messages' that your email service supposedly held back due to a sync error, which should be your first clue that something is off. Genuine email filtering tools (such as the excellent Barracuda) are very transparent about exactly what has been quarantined, or (as with Microsoft Office 365) expect an admin user to review the held email separately; none of them ask you to log in via a link in an unexpected email.
Suffice to say you should NOT click ‘Recover Messages’.
The Fake Order
A sales enquiry from a University for a high value item: how promising! Except no, 'Daniel' isn't a Procurement Manager, and if the goods are dispatched on credit terms, you'll never see them again. Worst of all, when you invoice the real University of Nottingham, they'll think you're the email scammer trying their luck. How ironic.
As before, the email address should give this away: real universities send from valid .ac.uk (academic) domains, not from free Gmail accounts with a '.ac' dumped somewhere in the address by a criminal.
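The three checks above (does the sender's domain belong to the organisation it claims to be, is it a free webmail account dressed up with an institutional token, and do the URLs behind the buttons point at that organisation's real domain) can be automated as a first pass before a human looks at the message. The following is an added example, not Lineal's tooling or anyone's product: the EXPECTED_DOMAINS table, the simplified public-suffix list and the sample headers are all constructed for illustration (Companies House really does live under gov.uk, and UK universities under ac.uk, but you would extend the table with the domains of the brands you actually receive mail from).

```python
"""Heuristic sender and link checks for the tells described on this page.

Added example, not Lineal's own tooling. The tables below are small
illustrative stand-ins: extend them with the real domains of the brands
you receive mail from.
"""
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Consumer webmail providers. Banks, government bodies and universities
# do not send official correspondence from these.
FREE_MAIL = {"gmail.com", "googlemail.com", "yahoo.com", "yahoo.co.uk",
             "outlook.com", "hotmail.com", "hotmail.co.uk", "live.com"}

# Domains a claimed organisation would legitimately mail from and link to.
EXPECTED_DOMAINS = {
    "companies house": {"gov.uk"},   # UK public sector
    "university": {"ac.uk"},         # UK academic institutions
}

# Public suffixes that take a further label (simplified Public Suffix List).
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "gov.uk", "ac.uk", "ltd.uk", "plc.uk"}


def registrable_domain(host):
    """The part of a hostname its registrant controls (foo.ac.uk, not ac.uk)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def under_domain(host, parent):
    """True if host is parent itself or a subdomain of it."""
    host, parent = host.lower(), parent.lower()
    return host == parent or host.endswith("." + parent)


def domain_flags(host, claimed_org, what):
    """Flags shared by the sender and link checks for hostname `host`."""
    flags = []
    expected = EXPECTED_DOMAINS.get(claimed_org.lower(), set())
    if expected and not any(under_domain(host, e) for e in expected):
        flags.append("%s domain %s is not under %s"
                     % (what, host, " or ".join(sorted(expected))))
        # 'companies-house.ink': the brand name inside a domain the brand
        # does not own is the classic lookalike registration.
        brand = re.sub(r"[^a-z0-9]", "", claimed_org.lower())
        stripped = re.sub(r"[^a-z0-9.]", "", registrable_domain(host))
        if brand and brand in stripped:
            flags.append("%s domain %s is a lookalike of %s"
                         % (what, registrable_domain(host), claimed_org))
    return flags


def check_sender(from_header, claimed_org):
    """Flags for a From: header whose display name claims to be `claimed_org`."""
    _display, address = parseaddr(from_header)
    if "@" not in address:
        return ["unparseable sender address: %r" % from_header]
    local, domain = address.rsplit("@", 1)
    domain = domain.lower()
    if domain in FREE_MAIL:
        flags = ["free webmail sender %s claiming to be %s" % (domain, claimed_org)]
        # 'daniel.procurement.ac@gmail.com': an institutional token dumped
        # into the local part of a free-mail address.
        if re.search(r"(^|[._-])(ac|gov|edu)([._-]|$)", local.lower()):
            flags.append("institutional token in local part %r of a free-mail address" % local)
        return flags
    return domain_flags(domain, claimed_org, "sender")


def check_links(hrefs, claimed_org):
    """Flags for the URLs behind an email's buttons (what hovering reveals)."""
    flags = []
    for href in hrefs:
        host = urlparse(href).hostname
        if not host:
            flags.append("link with no hostname: %r" % href)
            continue
        flags.extend(domain_flags(host, claimed_org, "link"))
    return flags


def assess(from_header, claimed_org, hrefs):
    """All flags for one message; an empty list means nothing obviously wrong."""
    return check_sender(from_header, claimed_org) + check_links(hrefs, claimed_org)


# Constructed samples modelled on the page's descriptions (not real headers).
SAMPLES = [
    ("Companies House <notice@companies-house.ink>", "Companies House",
     ["https://companies-house.ink/respond"]),
    ("Daniel <daniel.procurement.ac@gmail.com>", "University", []),
    ("Companies House <noreply@companieshouse.gov.uk>", "Companies House",
     ["https://www.gov.uk/government/organisations/companies-house"]),
]

if __name__ == "__main__":
    for sender, org, links in SAMPLES:
        flags = assess(sender, org, links)
        print(sender, "->", "looks genuine" if not flags else "SUSPICIOUS")
        for flag in flags:
            print("    ", flag)
```

The checks are deliberately crude (a suffix table instead of the Public Suffix List, a hand-written brand table), and a message that passes them is not proven genuine: they only reproduce the two things a careful reader does by hand, reading the sending address and hovering over the links, so that the obvious cases never reach a human at all.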
For IT Security expertise and support – contact Lineal today.