Privacy Ref Blog

The terrible, horrible, no good, very bad phishing email

I recently received an email that I knew was a phishing email after five seconds of inspection.  Nothing flashy gave it away, just a slew of telltale signs that it was not an authentic message but malicious correspondence meant to take advantage of a less informed reader.  Walking through it in a few steps shows just how quickly you can identify a scam email.

Headers Up

Looking at the who, what, and why of the message makes this quick.  Modern business people generally read the subject line and who a message is from to decide how important it is.  I use MS Outlook as my email client, so here is what I see when I preview an email in my inbox.

Check the email address.  The display name says it is from a support address at what is supposedly my email service provider.  To the right of this is the actual address it came from.  .JP?  That is the country-code domain for Japan.  I know that we do not use a Japanese company for our email needs, so that is red flag number one.  The fact that the two addresses are different raises another red flag.  Why on earth would any company want to confuse its customers?  A legitimate sender wants to be clear and concise and make sure you know who is talking to you.  This discrepancy should alarm anyone.

Trying to spook me

The body of the message is where you might be tricked into believing this is a real email.  First you have the big red banner, which is there to grab your attention.  “Email Security Alert!?!”  OH NO!  The subject and sender address already have me wary of it, but if you skipped those, you might be worried now.  The body then tells me that someone tried to access my email account.  The second paragraph delivers the true threat, though.


“For your account security, we strongly recommend that you verify your account now, else your account will be blocked without further notice”

There is the call to action: verify the account or lose it.  A link is provided just below this text to help you.  Hovering over, NOT CLICKING, the link reveals that it goes to some other address with nothing to do with email or support.  This is most likely a page made to look like a service login page, but it captures whatever you type, which is then used to steal your identity or financial information.  I never clicked, because I do not want to find out what it is.
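The sender and link checks described above, written out as a script.  This is an added example, not code from the original post or from Privacy Ref.  Both messages are constructed for the example (the .jp and .org domains and the EXPECTED_DOMAIN value are assumptions standing in for the author's real provider), and it goes slightly beyond the post by also comparing the Reply-To header against the From domain, a check a triage analyst would add.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

EXPECTED_DOMAIN = "example.com"  # assumption: the reader's real mail provider

# Constructed sample modeled on the post: "support" display name, real address on a
# .jp domain, a different Reply-To, an ultimatum, and a link whose text and target differ.
SAMPLE_EMAIL = """\
From: "Email Support" <support@mailer.example.jp>
Reply-To: verify@another.example.net
Subject: Email Security Alert!?!
Content-Type: text/html

<html><body><p>Email Security Alert!?!</p>
<p>For your account security, we strongly recommend that you verify your account now, else your account will be blocked without further notice</p>
<p><a href="http://account-check.example.org/login">https://mail.example.com/security</a></p></body></html>
"""

# Constructed control message from the genuine provider; should raise no flags.
LEGIT_EMAIL = """\
From: "Example Mail Support" <support@example.com>
Subject: Your monthly statement is ready
Content-Type: text/html

<html><body><p>Your statement is ready.</p>
<p><a href="https://mail.example.com/statements">https://mail.example.com/statements</a></p></body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs: the "hover, don't click" check done in code."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(value):
    """Lowercased host of a URL or address; urlparse().hostname drops any userinfo trick."""
    if "://" in value:
        return (urlparse(value).hostname or "").lower()
    return value.rsplit("@", 1)[-1].lower()


def on_expected_domain(host):
    """True for EXPECTED_DOMAIN itself or any subdomain of it."""
    return host == EXPECTED_DOMAIN or host.endswith("." + EXPECTED_DOMAIN)


def message_body(msg):
    """Decoded text/html and text/plain parts joined; handles multipart messages too."""
    parts = [p for p in msg.walk() if p.get_content_type() in ("text/html", "text/plain")]
    return "\n".join((p.get_payload(decode=True) or b"").decode(
        p.get_content_charset() or "utf-8", "replace") for p in parts)


def phishing_flags(raw_message):
    """Return human-readable red flags found in one RFC 822 message (empty if clean)."""
    msg = message_from_string(raw_message)
    flags = []
    _name, sender = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(sender)
    if not on_expected_domain(sender_domain):
        tld = sender_domain.rsplit(".", 1)[-1]
        flags.append(f"sender domain {sender_domain!r} (.{tld}) is not {EXPECTED_DOMAIN!r}")
    _name, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != sender_domain:
        flags.append(f"Reply-To goes to {domain_of(reply_to)!r}, not the From domain")
    body = message_body(msg)
    if re.search(r"\bverify\b.*?\b(blocked|suspended|locked|closed)\b", body, re.I | re.S):
        flags.append("verify-or-lose ultimatum in body")
    extractor = LinkExtractor()
    extractor.feed(body)
    for href, text in extractor.links:
        target = domain_of(href)
        if not on_expected_domain(target):
            flags.append(f"link target {target!r} is unrelated to {EXPECTED_DOMAIN!r}")
        shown = domain_of(text) if text.startswith(("http://", "https://")) else ""
        if shown and shown != target:
            flags.append(f"link text shows {shown!r} but points at {target!r}")
    return flags


if __name__ == "__main__":
    print("suspicious:", phishing_flags(SAMPLE_EMAIL))
    print("legitimate:", phishing_flags(LEGIT_EMAIL))
```

phishing_flags() returns five flags for the suspicious message and none for the control.  The ultimatum pattern is deliberately a narrow keyword match and will miss rewordings; the sender, Reply-To and link-target comparisons are the checks that hold up, because they look at what the mail actually contains rather than what it says.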

The final paragraph raises another red flag for me.

“After verification, extra security features will be activated in your email settings and your account will be strongly protected.”

Think of it this way.  If you click our suspicious link, we will then, and only then, make sure no one steals your account from you.  What kind of service provider only protects your information AFTER it is threatened?  The fact that the email signs off with a note that it is from the “Email Security Team” is the icing on the cake.  There is so much here to be suspicious of, but the big ones are quick to list: a sender whose display name does not match the actual address, a sending domain from a country the provider does not use, a scare banner, a verify-or-lose ultimatum, a link that points somewhere unrelated to the supposed sender, and a promise of protection that only begins after you comply.

Who would fall for this?

The big takeaway here is not how to protect yourself from phishing attacks; it is how phishers get the less knowledgeable people.  The main target is not the chief privacy officer, someone in IT, or a CISSP holder.  Phishers want the customer service person with little technical knowledge, someone in accounting who deals with numbers and the books rather than security, or a lower-level employee.  They go after the elderly or less technically savvy to get their financial information, because those people do not know they are being attacked.

Awareness of these sorts of attacks is key to combating them.  Privacy pros are unlikely to fall victim to phishing, but their family, friends, and colleagues may.  Don't let them take the bait; teach them how to detect rotten, smelly phish.

Privacy Ref provides consulting and assessment services to build and improve organizational privacy programs. For more information call Privacy Ref at (888) 470-1528 or email us at

Posted on June 7, 2017 by Ben Siegel
