Privacy Ref Blog

The terrible, horrible, no good, very bad phishing email

I recently received an email that I knew was a phishing email after five seconds of inspection. It wasn't anything flashy that gave it away, just a slew of telltale signs that it wasn't an authentic message, but malicious correspondence meant to take advantage of a less informed individual. The inspection can be broken down into a number of steps that show just how quickly you can identify a scam email.

Headers Up

Looking at the who, what, and why of the message makes things quick for us. Modern business people generally read a subject line and who a message is from in order to determine how important a message is.  I use MS Outlook as my email client, so here is what I see when I preview an email in my inbox.

Check the email address.  It says it is from a support address from what would supposedly be my e-mail service provider.  To the right of this is the actual address it came from.  .JP?  That is from Japan.  I know that we do not use a Japanese company for email needs, so that is red flag number one.  The fact that the two addresses are different also raises a red flag.  Why on earth would any company want to confuse customers?  They want to be clear and concise and make sure you know who is talking to you.  This discrepancy should be alarming to anyone.

Trying to spook me

The body of the message is where you might be tricked into thinking this is a real email. First you have the big red banner, which is there to grab your attention. "Email Security Alert!?!" OH NO! The subject and address of this email already have me wary of it, but if you skipped that, you might be worried now. The body then goes on to tell me that someone tried to access my email account. The second paragraph delivers the true threat though.


“For your account security, we strongly recommend that you verify your account now, else your account will be blocked without further notice”

There is the call to action: verify the account or lose it. A link is provided just below this text to help you. Hovering over, NOT CLICKING, the link reveals it goes to some other address with nothing to do with email or support. This is most likely a page made to look like a service page, but it takes your info, which is then used to steal your identity or financial information. I never clicked because I do not want to find out what it is.

The final paragraph raises another red flag for me.

“After verification, extra security features will be activated in your email settings and your account will be strongly protected.”

Think of it this way.  If you click our suspicious link, we will then, and only then, make sure no one steals your account from you.  What kind of service provider will only protect your information AFTER it is threatened?  The fact that the email caps itself off with a note stating this is from the “Email Security Team” is the icing on the cake.  There is so much here to be suspicious of, but let’s recap the quick list of the big ones.
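The checks walked through above (display name versus real sender address, an unexpected sender domain such as .jp, link text that differs from where the link actually points, and "verify now or lose your account" pressure language) can be automated. The script below is an added example, not code from the post or from Privacy Ref; the sample message, every address and domain in it, and the assumption that our provider only sends from example.com are constructed placeholders.

```python
"""Flag the phishing indicators discussed above in a raw email message.

Added example; all addresses, domains and the message text are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the only domain our (hypothetical) mail provider sends from.
EXPECTED_SENDER_DOMAINS = {"example.com"}

# Pressure language of the "verify now or your account will be blocked" kind.
URGENCY_PHRASES = (
    "security alert",
    "verify your account now",
    "will be blocked",
    "without further notice",
)

# Constructed sample modelled on the email described in the post.
SAMPLE_RAW = """\
From: "support@example.com" <alerts@support-example.jp>
To: ben@example.com
Subject: Email Security Alert!?!
Content-Type: text/html; charset="utf-8"

<html><body>
<p style="color:red"><b>Email Security Alert!?!</b></p>
<p>Someone tried to access your email account.</p>
<p>For your account security, we strongly recommend that you verify your
account now, else your account will be blocked without further notice.</p>
<p><a href="http://login-verify.example.net/x">https://mail.example.com/verify</a></p>
<p>Email Security Team</p>
</body></html>
"""


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _host(url):
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()


def _body(msg):
    """First text part, decoded; walk() also covers single-part messages."""
    for part in msg.walk():
        if part.get_content_type() in ("text/html", "text/plain"):
            raw = part.get_payload(decode=True) or b""
            return raw.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def analyze(raw_message):
    """Return human-readable findings; an empty list means nothing was flagged."""
    msg = message_from_string(raw_message)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = _domain(addr)

    # 1. Display name shows one address while the real sender is another.
    if "@" in display and _domain(display) != sender_domain:
        findings.append(f"display name shows {display!r} but real sender is {addr!r}")

    # 2. Sender domain (and its TLD, e.g. .jp) is not one the provider uses.
    if sender_domain not in EXPECTED_SENDER_DOMAINS:
        tld = sender_domain.rsplit(".", 1)[-1]
        findings.append(f"sender domain {sender_domain!r} (.{tld}) is not expected")

    body = _body(msg)

    # 3. Link text names one host but the href (what hovering reveals) differs.
    collector = _AnchorCollector()
    collector.feed(body)
    for href, text in collector.anchors:
        if text.lower().startswith(("http://", "https://", "www.")) and _host(text) != _host(href):
            findings.append(f"link text shows {_host(text)!r} but points to {_host(href)!r}")

    # 4. Urgency or threat language in subject or body (tags stripped).
    flat = re.sub(r"<[^>]+>", " ", msg.get("Subject", "") + " " + body)
    flat = re.sub(r"\s+", " ", flat).lower()
    hits = [p for p in URGENCY_PHRASES if p in flat]
    if hits:
        findings.append("pressure language: " + ", ".join(hits))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_RAW):
        print("-", finding)
```

Run against the constructed sample it reports all four indicators; a plain statement notice from the expected domain with no links and no pressure phrases produces an empty list. The phrase list and expected-domain set are the parts a reader would tune for their own provider.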

Who would fall for this?

The big takeaway here isn't how to protect yourself from phishing attacks, it is how phishers get the less knowledgeable people. The main target is not the chief privacy officer, someone in IT, or a CISSP. Phishers want to get the customer service person who has little technical knowledge, someone in accounting who just deals with numbers and the books, not security, or a lower level employee. They go after the elderly or less technically savvy to get their financial information because those people do not know they are being attacked.

Awareness of these sorts of attacks is key in combating them. Privacy pros are not going to fall victim to phishing, but their family, friends, and colleagues may. Don't let them take the bait; teach them how to detect rotten, smelly phish.

Privacy Ref provides consulting and assessment services to build and improve organizational privacy programs. For more information call Privacy Ref at (888) 470-1528 or email us at info@privacyref.com

Posted on June 7, 2017 by Ben Siegel
