Gone Phishing

I was reading this article, it got me thinking about how easy it is to catch a user off guard and get access to their accounts. A dot in an email address is a subtle difference but, in that case, it is the difference between a legitimate request and a phishing one. For some reason, Gmail will let you own all the dotted variations of your email address. So, if you are joebloggs@gmail.com, you can still receive emails on joe.bloggs and jo.ebloggs. There aren’t even any alerts to tell you that an email has been sent to a variant of your primary Gmail address.

Office 365, on the other hand, alerts their users when they spot any signs of a phishing email and prepends the email with something like this:

Or

The email was also moved to my Junk Email folder which is a big help.

But it got me thinking, if a user doesn’t know what to look out for, they’re more likely to get caught, no? So, here are my top tips on how to stop a phishing email from catching you out!

Here’s an email that’s claiming to be an invoice from 24-7 Industrial Services UK Ltd:

To the unsuspecting user, this looks like a legitimate email and comes from a domain containing the well-known accounting software, Xero.

Check the Email Address
If you have received legitimate emails from Xero before, check those and compare the sending address. The actual Xero address is: messaging-service@post.xero.com so bare that in mind.

Check any Hyperlinks
Before clicking on a link, hover your mouse over it to bring up the full URL

Ask yourself, would this company normally direct you to a different website? If not, then it’s likely to be spam.

Check for Attachments
If the email asks you download or open anything, then I would say that it’s likely to be a phishing email as well. Even PDFs can contain viruses. Even if the document doesn’t contain a virus, this will be because the scammers want to give you the impression that their document is real.

“I’ve seen phishing emails come from the actual email address of the sender”

In my time on the ClearTec Help desk, I have seen these catch users out and the aftereffects are frustrating. Here’s one that I saw previously:

In this situation, all looks great; the email address is right, it’s been received inCalibri which the legitimate signature for this company. The email says they are using DocuSign which is a fast-growing document signing service which fully integrates with Office 365. What’s more is that bit.ly is a proprietary link shortened so I wouldn’t expect the user to be suspicious.

Even clicking the “REVIEW DOCUMENT” link won’t cause the user any harm, but they will be presented with a log in screen and it’ll look exactly like the Office 365 sign in screen, just hosted on someone else’s server. The unsuspecting user will type their email address and password in and at that point, you have inadvertently handed over your account to hackers, without them doing anything malicious.

To stop an email like this in its tracks, there’s a little bit more detective work to do:

Grammar
Ask yourself, “would this person write about themselves in the third person?” or “Does this person normally use ‘Good day,’”

Recipients

Check who the email has been sent to. Has it gone to a random distribution group that doesn’t sit on your Exchange? Are there 0 recipients in the To field? These are tell-tale signs that it’s a phishing email as users would normally send you an email directly if they wanted to contact you?

The moral of the story? Be diligent. Look twice at the email and if there is any doubt after following the above, contact the “sender” directly.

If you need any advice or for further information, please contact our Cyber Security expert on Nick@cleartec-it.co.uk.