Privacy Ref Blog

The terrible, horrible, no good, very bad phishing email

I recently received an email that I knew was a phishing email after five seconds of inspection.  It wasn’t anything flashy that gave it away, just a slew of telltale signs that it wasn’t an authentic message but malicious correspondence meant to take advantage of a less informed individual.  Breaking it down into a few steps shows just how quickly you can identify a scam email.

Headers Up

Looking at the who, what, and why of the message makes things quick for us.  Modern business people generally read the subject line and who a message is from to decide how important it is.  I use MS Outlook as my email client, so here is what I see when I preview an email in my inbox.

Check the email address.  The display name says it is from a support address at what would supposedly be my e-mail service provider.  To the right of that is the actual sender address, and its domain ends in .JP, the country-code domain for Japan.  I know that we do not use a Japanese company for email needs, so that is red flag number one.  The fact that the display name and the real address are different at all raises a second red flag.  Why on earth would any company want to confuse customers?  They want to be clear and concise and make sure you know who is talking to you.  This discrepancy should be alarming to anyone.

Trying to spook me

The body of the message is where you might be tricked into thinking this is a real email.  First you have the big red banner, which is there to grab your attention.  “Email Security Alert!?!”  OH NO!  The subject and address of this email already have me wary of it, but if you skipped that, you might be worried now.  The body then goes on to tell me that someone tried to access my email account.  The second paragraph delivers the true threat, though.


“For your account security, we strongly recommend that you verify your account now, else your account will be blocked without further notice”

There is the call to action: verify the account or lose it.  A link is provided just below this text to help you.  Hovering over, NOT CLICKING, the link reveals it goes to some other address with nothing to do with email or support.  This is most likely a page made to look like a service page, but it takes your info, which is then used to steal your identity or financial information.  I never clicked because I do not want to find out what it is.

The final paragraph raises another red flag for me.

“After verification, extra security features will be activated in your email settings and your account will be strongly protected.”

Think of it this way.  If you click our suspicious link, we will then, and only then, make sure no one steals your account from you.  What kind of service provider only protects your information AFTER it is threatened?  The fact that the email caps itself off with a note stating it is from the “Email Security Team” is the icing on the cake.  There is so much here to be suspicious of, but let’s recap the quick list of the big ones: the display name and the actual sender address do not match, and the real one is at a .JP domain my provider does not use; a big red “Email Security Alert!?!” banner and a story about someone accessing my account, built to scare; a threat that the account will be blocked unless I verify it now; a “verify” link whose real destination has nothing to do with email or support; a promise of protection only after I click; and a sign-off from a generic “Email Security Team” rather than a named provider.
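The two checks above, comparing the display name with the real sender address and hovering over the link to see where it actually goes, are easy to automate for a whole inbox or a suspicious message someone forwards to you. The script below is an added example written for this post, not code from the original page or from Privacy Ref. The raw message it parses is constructed to mirror the email described here; every name, domain and the 198.51.100.23 address in it are placeholders, not real infrastructure.

```python
import ipaddress
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the message the post describes: the From
# display name looks like the reader's own provider, the real sender is a
# .jp address, and the "verify" link's visible text is not where it goes.
# Every name, domain and the IP literal here is a placeholder.
SAMPLE_EMAIL = b"""From: "support@mymailprovider.example" <support@example.jp>
To: reader@mymailprovider.example
Subject: Email Security Alert!?!
Content-Type: text/html; charset="utf-8"

<html><body>
<p style="background:red;color:white">Email Security Alert!?!</p>
<p>For your account security, we strongly recommend that you verify your
account now, else your account will be blocked without further notice</p>
<p><a href="http://198.51.100.23/verify.php">https://mymailprovider.example/verify</a></p>
<p>Email Security Team</p>
</body></html>
"""

# Phrases that pressure the reader to act now (the post's "call to action").
URGENCY = re.compile(r"verify your account|will be blocked|security alert", re.I)

def check_sender(msg):
    """Display name versus the address it wraps: the post's 'two addresses' flag."""
    name, addr = parseaddr(str(msg["From"]))
    # A display name that is itself an e-mail address is a favourite trick.
    name_domain = name.rpartition("@")[2].lower() if "@" in name else ""
    addr_domain = addr.rpartition("@")[2].lower()
    return {
        "address": addr,
        "tld": addr_domain.rpartition(".")[2],
        "domains_differ": bool(name_domain) and name_domain != addr_domain,
    }

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def check_links(html):
    """What hovering reveals: where each link really goes versus what it shows."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        real_host = urlparse(href).hostname or ""
        shown_host = (urlparse(text).hostname or "") if "://" in text else ""
        findings.append({
            "href": href,
            "real_host": real_host,
            "host_mismatch": bool(shown_host) and shown_host != real_host,
            "ip_literal": is_ip_literal(real_host),
        })
    return findings

def analyze(raw):
    """Run the sender, link and urgency checks over a raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    return {
        "sender": check_sender(msg),
        "links": check_links(html),
        "urgent_language": bool(URGENCY.search(html)),
    }
```

Run `analyze(SAMPLE_EMAIL)` and every flag the post spotted by eye comes back set: the sender address is at a .jp domain that differs from the domain in the display name, the one link shows a provider URL but resolves to a bare IP address, and the body carries the verify-or-be-blocked language. A real triage script would also read the Authentication-Results header for SPF/DKIM/DMARC outcomes, but the From line and the links are the two things a reader can check with no tooling at all.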

Who would fall for this?

The big takeaway here isn’t how to protect yourself from phishing attacks; it is how phishers get the less knowledgeable people.  The main target is not the chief privacy officer, someone in IT, or a CISSP.  Phishers want to get the customer service person who has little technical knowledge, someone in accounting who deals with numbers and the books rather than security, or a lower-level employee.  They go after the elderly or less technically savvy to get their financial information, because those people do not know they are being attacked.

Awareness of these sorts of attacks is key to combating them.  Privacy pros are far less likely to fall victim to phishing, but their family, friends, and colleagues may.  Don’t let them take the bait; teach them how to detect rotten, smelly phish.

Privacy Ref provides consulting and assessment services to build and improve organizational privacy programs. For more information call Privacy Ref at (888) 470-1528 or email us at

Posted on June 7, 2017 by Ben Siegel
