Pretty Good Phishing Email Sample - Stay Alert


rfrazier

Well-known member
Sep 30, 2020
231
77
Hi All,

Hope you are all well the day after Data Privacy Day, which was Jan 28, 2021.

I have a contact at a big company. They received this phishing email and I thought I'd share a sanitized version with you all. I looked at it and I said, this is pretty good. Fortunately, between the periodic training my contact gets plus me talking about these issues, their screens were up, and they didn't fall for it. They reported it to their security office.

I think we that are security aware tend to get cocky. Well, don't. Read this and honestly think whether you'd be tempted, even for a second, to click it. Even if not, think about someone you know who's more average and ask if they'd be tempted to click it. The email was addressed to my contact BY NAME. The blacked out part had some numbers that may have been unique. The perpetrators obviously had their address. And it got through the firewall. I googled the domain name of the link and it's been floating around the ether. This may have been a test. But, don't fixate on that. Just imagine what you'd think if you or someone you care about read it. Later I may post an annotated version with the red flags highlighted. It's never a bad thing to remember what the enemies are up to. I found some sample phishing emails here:


There are many such pages on the net. DON'T click on any links in any sample messages. On the one I just cited, there is a sample smishing (SMS) text message attack which also might entice people to click.

If you didn't ask for it, as @Steve says, be suspicious. If it threatens you or scares you, be VERY suspicious.

Hope this is helpful. Y'all stay safe out there. See image below.

May your bits be stable and your interfaces be fast. :cool: Ron

Ron

GOOD Phishing Email 2021.01.29.png

DanR

Dan
Sep 17, 2020
139
37
Well said, Ron!

Being as security aware as I am, I would never be tempted to click on a link like that. I would, however, be "tempted" to Google the domain part of the URL, which I did. Whoa, Nellie! The Google results make it glaringly obvious that the URL link is bogus! And, yes, there are other red flags in the email too.

miquelfire

I like red!
Sep 26, 2020
42
4
www.miquelfire.red
What's funny is that at my job, they sent out a security training email that just threw up all the red flags. Because of changes thanks to covid (I might have the timing wrong), all emails sent from outside have an external tag applied. So this email had that tag and an internal from address, and it was a domain I don't think any of us knew about.

Ironically, it was an email about training us for this type of stuff...

I have seen cases where someone reporting a phishing e-mail causes that email to just disappear from everyone's mailbox, so at some point, while I was reading Teams to see if I had just missed a message saying this might be legit, the message had just disappeared from my inbox, meaning someone reported it as phishing, and the people on the other side of the email we forward phishing stuff to thought it might be phishing as well and hit whatever magical button they have to mass delete the email that was sent.

EdwinG

Active member
Sep 24, 2020
44
13
I have seen cases where someone reporting a phishing e-mail causes that email to just disappear from everyone's mailbox, so at some point, while I was reading Teams to see if I had just missed a message saying this might be legit, the message had just disappeared from my inbox, meaning someone reported it as phishing, and the people on the other side of the email we forward phishing stuff to thought it might be phishing as well and hit whatever magical button they have to mass delete the email that was sent.
In some cases, the security team didn't even click that big blue Phishing button. Some providers use indicators from their customers' mailboxes to remove the messages automatically if there are enough reports.
As a mail service administrator for a company, among the other hats I wear, we have some control over this behaviour and we can get notifications when such situations occur. But on many occasions, the message is pulled before we have time to take action. Of course, in most cases, this is reversible.

rfrazier

Well-known member
Sep 30, 2020
231
77
I guess the perpetrators of this email follow the less is more philosophy, so there's not a lot to go on. But, I thought I'd mention the red flags I saw.

1) I didn't post the header, but there was no mention of the company name or any logo. Just donotreply at the same domain name.
2) My contact did not "previously receive notice".
3) My contact did not connect to an unsecured wireless network - the PC is always in the same spot. But, other users might connect when on the road, for example. And, the computer is wired, but I don't know if my contact would think of that.
4) "Access" should have "ed" on it.
5) The link does not point to a company domain name. With all the outsourcing of IT, this is less likely to catch people's attention.
6) It wants your details, quickly.
7) There is an implied threat.
8) There is no company contact info.
9) There's no long company signature with lots of job titles.

None of these are slam dunks. But, if you're watching, there's good reason to pause before clicking.

May your bits be stable and your interfaces be fast. :cool: Ron

Ron
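The red flags Ron lists above (no company name, off-domain link, urgency, implied threat, no contact info) can be turned into a simple mail-triage check. This is an added example, not code from the thread; `SAMPLE_MAIL` is a constructed stand-in for the sanitized phish, and the wording patterns are illustrative assumptions rather than a published rule set.

```python
"""Flag the phishing traits discussed in the thread in one RFC 5322 message.

Added example; SAMPLE_MAIL and the patterns below are constructed assumptions.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample carrying the traits described in the thread (not the real phish).
SAMPLE_MAIL = """\
From: donotreply@example-corp.com
To: jane.doe@example-corp.com
Subject: Action required: unsecured network access

As previously noticed, your account access an unsecured wireless network.
Confirm your details within 24 hours at http://portal-verify.example.net/login
or your access will be suspended.
"""

URGENCY = re.compile(r"\b(within \d+ hours?|immediately|quickly|urgent)\b", re.I)
THREAT = re.compile(r"\b(suspend(ed)?|disabled|locked|terminated)\b", re.I)
URL = re.compile(r"https?://[^\s<>\"']+")
PHONE = re.compile(r"\+?\d[\d\s().-]{7,}\d")  # rough phone-number shape
NOREPLY = {"donotreply", "noreply", "no-reply"}

def red_flags(raw: str) -> list[str]:
    """Return the red flags found in a single-part message (flags 1, 5, 6, 7, 8/9)."""
    msg = message_from_string(raw)
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    name, addr = parseaddr(msg.get("From", ""))
    local, _, sender_dom = addr.lower().rpartition("@")
    flags = []
    if not name and local in NOREPLY:          # flag 1: bare donotreply, no company name
        flags.append("bare no-reply sender without a company display name")
    for url in URL.findall(body):              # flag 5: link outside the sender's domain
        host = (urlparse(url).hostname or "").lower()
        if host and host != sender_dom and not host.endswith("." + sender_dom):
            flags.append(f"link domain outside sender domain: {host}")
    if URGENCY.search(body):                   # flag 6: wants your details, quickly
        flags.append("urgency wording")
    if THREAT.search(body):                    # flag 7: implied threat
        flags.append("threatening wording")
    if not PHONE.search(body):                 # flags 8/9: no contact info or signature
        flags.append("no contact phone number or signature")
    return flags

if __name__ == "__main__":
    for flag in red_flags(SAMPLE_MAIL):
        print("-", flag)
```

Run against the sample, all five traits are reported; a legitimate internal notice with a signature block and on-domain links would clear most of them.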

miquelfire

I like red!
Sep 26, 2020
42
4
www.miquelfire.red
Okay, let's see which of those red flags applies to my Phish training emails (remember, in this case, the IT staff were the people who got the emails at the time):

1) I never got a chance to look at the headers
2) Same
3) I remote in to my work computer (some tools for my job are only there), so I'm not sure if this matters
4) Don't think there were any misspellings
5) Either the page linked had a sign-in button that redirected to our SSO page, or the link would redirect to our SSO. So yes, at least there was something valid about the link, but given the nature of the email, you wouldn't think about clicking the link in the first place.
6-7) I think it only said it was required, but nothing more than that
8-9) Same, though in this case with the signature, if the email was generated internally, it would be a bit short with one line telling us our last four digits of our employee code

Harry

Member
Oct 13, 2020
15
6
That's a phishing test from PhishMe (Cofense). I use them to send test phishing campaigns and I recognize the domain. I just signed into the PhishMe console and found the message. Hopefully your friend hit the reporter button. ;)

That message has a 3-6% susceptibility rate. It's good for catching cocky IT people. They have a similar one about "firewall" activity that's also really good for catching IT people.

rfrazier

Well-known member
Sep 30, 2020
231
77
Hopefully your friend hit the reporter button.
@Harry They were working remotely at the time. They were already suspicious of the message. I got permission to get that image I posted to help others and advised them to report it, which they did. They later received a notice that it was a test and thanks for the report. They told me that these things are annoying. I said, yes, but having a data breach and spending $ Millions is annoying too. Also, the only way to know if the people pass the test is to test them.

What's the old technician's diagnostic acronym?

PEBKAC - Problem Exists Between Keyboard And Chair

May your bits be stable and your interfaces be fast. :cool: Ron