Privacy Ref Blog

The terrible, horrible, no good, very bad phishing email

I recently received an email that I knew was a phishing email after five seconds of inspection.  Nothing flashy gave it away, just a slew of telltale signs that it was not an authentic message but malicious correspondence meant to take advantage of a less informed reader.  The inspection breaks down into a handful of steps that show just how quickly you can identify a scam email.

Headers Up

Looking at the who, what, and why of the message makes things quick for us. Modern business people generally read the subject line and who a message is from to decide how important it is.  I use MS Outlook as my email client, so here is what I see when I preview an email in my inbox.

Check the email address.  The display name says it is from a support address at what would supposedly be my e-mail service provider.  To the right of that is the actual address the message came from.  .JP?  That is Japan's country-code domain.  I know that we do not use a Japanese company for our email needs, so that is red flag number one.  The fact that the two do not match raises another: the display name is free text the sender types in, while the address is what the mail was actually sent as.  (Even that address can be forged, so a match is not proof of authenticity, but a mismatch is a reliable warning.)  Why on earth would any company want to confuse customers?  They want to be clear and concise and make sure you know who is talking to you.  This discrepancy should be alarming to anyone.

Trying to spook me

The body of the message is where you might be tricked into believing this is a real email.  First you have the big red banner, which is there to grab your attention.  “Email Security Alert!?!”  OH NO!  The subject and sender address already have me wary of it, but if you skipped those, you might be worried now.  The body then tells me that someone tried to access my email account.  The second paragraph delivers the real threat, though.

“For your account security, we strongly recommend that you verify your account now, else your account will be blocked without further notice”

There is the call to action: verify the account or lose it.  A link is provided just below this text to help you.  Hovering over the link, NOT CLICKING it, reveals that it goes to some other address with nothing to do with email or support.  This is most likely a page made to look like a service login page; whatever you type into it goes to the attacker, who uses it to take over the account or to steal your identity or financial information.  I never clicked because I do not want to find out what it is.

The final paragraph raises another red flag for me.

“After verification, extra security features will be activated in your email settings and your account will be strongly protected.”

Think of it this way: if you click our suspicious link, then, and only then, will we make sure no one steals your account from you.  What kind of service provider protects your information only AFTER it is threatened?  The message capping itself off with a note that it is from the “Email Security Team” is the icing on the cake.  There is so much here to be suspicious of, but let’s recap the quick list of the big ones.
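The three checks walked through above (sender display name versus actual address, urgency language, and where a link really goes versus what its text shows) can be run mechanically. The Python script below is an added example, not part of the original post: it parses a single raw message with the standard library and returns the red flags it finds. The sample message, the provider domain mailprovider.example, and every address and URL in it are constructed for illustration.

```python
"""Heuristic phishing triage for one raw email (added example; sample data is constructed)."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical: the domain our real mail provider sends support mail from.
EXPECTED_SENDER_DOMAIN = "mailprovider.example"

# Threat / call-to-action wording of the kind quoted in the post.
URGENCY_PHRASES = ("security alert", "verify your account",
                   "will be blocked", "without further notice")

# Constructed sample modelled on the message the post describes.
SAMPLE_EMAIL = """\
From: "Mail Support" <support@accounts-verify.example.jp>
To: victim@mailprovider.example
Subject: Email Security Alert!?!
Content-Type: text/html; charset="utf-8"

<html><body>
<div style="background:red;color:white">Email Security Alert!?!</div>
<p>Someone tried to access your email account.</p>
<p>For your account security, we strongly recommend that you verify your
account now, else your account will be blocked without further notice</p>
<p><a href="http://login-secure.example.net/verify?id=1">
https://mailprovider.example/support</a></p>
<p>Email Security Team</p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._open = None  # [href, accumulated text] of the current <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._open = [dict(attrs).get("href") or "", ""]

    def handle_data(self, data):
        if self._open is not None:
            self._open[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            href, text = self._open
            self.links.append((href, " ".join(text.split())))
            self._open = None


def domain_of(address):
    return address.rpartition("@")[2].lower()


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def belongs_to(host, domain):
    return host == domain or host.endswith("." + domain)


def triage(raw, expected_domain=EXPECTED_SENDER_DOMAIN):
    """Return a list of human-readable red flags found in the raw message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Display name is attacker-chosen text; the address is what the mail
    #    was actually sent as. Flag a sender domain that is not our provider.
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(address)
    if sender_domain != expected_domain:
        findings.append(f"sender domain {sender_domain!r} is not {expected_domain!r} "
                        f"(display name {display_name!r})")
        tld = sender_domain.rpartition(".")[2]
        if len(tld) == 2:  # a ccTLD is not bad in itself, only unexpected for us
            findings.append(f"sender uses country-code TLD .{tld}")

    # 2. Urgency language in subject and body (tags stripped, whitespace collapsed).
    part = msg.get_body(preferencelist=("html", "plain"))
    html = part.get_content() if part is not None else ""
    text = re.sub(r"<[^>]+>", " ", html)
    haystack = " ".join((msg.get("Subject", "") + " " + text).lower().split())
    findings += [f"urgency phrase: {p!r}" for p in URGENCY_PHRASES if p in haystack]

    # 3. The "hover, don't click" check: real destination vs shown text/provider.
    collector = LinkCollector()
    collector.feed(html)
    for href, shown in collector.links:
        real_host, shown_host = host_of(href), host_of(shown)
        if shown_host and shown_host != real_host:
            findings.append(f"link text shows {shown_host!r} but goes to {real_host!r}")
        if real_host and not belongs_to(real_host, expected_domain):
            findings.append(f"link destination {real_host!r} is unrelated to {expected_domain!r}")
    return findings


if __name__ == "__main__":
    for flag in triage(SAMPLE_EMAIL):
        print("RED FLAG:", flag)
```

On the sample, the script reports eight flags: the mismatched sender domain, its .jp country-code TLD, four urgency phrases, and a link whose text shows the provider's site but whose href goes elsewhere. Nothing here replaces SPF, DKIM and DMARC checks on the mail server, which are the only way to tell whether the From address itself was forged; these heuristics reproduce what a careful human does in the preview pane.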

Who would fall for this?

The big takeaway here isn’t how to protect yourself from phishing attacks; it is how phishers get the less knowledgeable people.  The main target is not the chief privacy officer, someone in IT, or a CISSP.  Phishers want the customer service person who has little technical knowledge, someone in accounting who deals with numbers and the books rather than security, or a lower-level employee.  They go after the elderly or less technically savvy to get their financial information because those people do not know they are being attacked.

Awareness of these sorts of attacks is key in combating them.  Privacy pros are far less likely to fall victim to phishing, but their family, friends, and colleagues may.  Don’t let them take the bait; teach them how to detect rotten, smelly phish.

Privacy Ref provides consulting and assessment services to build and improve organizational privacy programs. For more information call Privacy Ref at (888) 470-1528 or email us at info@privacyref.com

Posted on June 7, 2017 by Ben Siegel
