This week’s Breaking Scam is about how confusing and difficult it is to tease apart what is/isn’t a scam email. The trouble with phishing emails is that they have become so ubiquitous and so well-disguised that it is getting harder to spot what is real and what is not.
However, paranoia can be a useful tool when dealing with the modern onslaught of phishing and cyber-scams. "Better safe than sorry" is an old phrase that applies now more than ever. So, when an email popped into my inbox this week that looked, to all intents and purposes, like a legitimate email from a site I had probably shopped at, I almost fell for it.
This week's scam post is not just about receiving a phishing email; it is also about what counts as bad practice when sending out a legitimate email.
This Week’s Scam Email and Why it Was Difficult to Detect as Phishing
I shop a lot online. Maybe you do too? If so, you'll know that you have probably built up a lot of online accounts over the years. And you are not alone: a report by Dashlane found that the average person has around 150 online accounts.
The email I received this week offered me a free product from a company I (apparently) subscribed to. So, I checked the usual details to see if it was a phishing email. That is:
- The sender address (does the domain look suspicious?)
- Grammatical errors
- Is it personalised to me?
The sender’s address domain was DIYsurvivor.com. I often buy DIY products online, so this did not ring any bells as being odd. Also, the email had a clickable link to process the freebie – just send them my shipping address and the free torch will be mine. The link matched the domain. Again, this felt legitimate.
The only thing that rang bells was the fact that I am naturally paranoid about phishing. But not everyone has this level of paranoia and that is why phishing is so successful.
What the Scam Email Actually Contained
The offer of a free gift was enticing, but not enough for me to click a link without double-checking. And I am glad I did. As you can see, the link went to a website that McAfee has recorded as a "Very Risky" site and placed under the category "Malicious".
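As an added illustration (not part of the original post), the following Python script applies the three checks listed above to a constructed copy of the email and then consults a domain reputation list. The DIYsurvivor.com sender and link come from the post; the message text and the risky-domain list are assumptions standing in for the real email and the McAfee rating. It shows why "the link matches the sender domain" is not enough on its own.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample modelled on the free-torch email described in the post.
SAMPLE_EML = """\
From: DIY Survivor <offers@DIYsurvivor.com>
To: reader@example.com
Subject: Claim your free torch
Content-Type: text/html

<p>Hi there,</p>
<p>Your free torch is waiting. <a href="https://DIYsurvivor.com/claim?id=1">Click here</a>
to send us your shipping address.</p>
"""

# Assumption: a stand-in for a URL reputation feed (McAfee rated the real site "Very Risky").
RISKY_DOMAINS = {"diysurvivor.com"}
GENERIC_GREETINGS = ("hi there", "dear customer", "dear valued customer")
HREF_RE = re.compile(r'href="([^"]+)"', re.IGNORECASE)


def sender_domain(msg):
    """Registrable part after '@' of the first From: address, lower-cased."""
    return msg["From"].addresses[0].addr_spec.rsplit("@", 1)[1].lower()


def link_domains(msg):
    """Distinct host names found in href attributes of the HTML body."""
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    hosts = {urlparse(h).hostname for h in HREF_RE.findall(body)}
    return sorted(h.lower() for h in hosts if h)


def assess(raw):
    """Apply the post's checklist plus a reputation lookup and return the findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender, links = sender_domain(msg), link_domains(msg)
    text = msg.get_body(preferencelist=("html", "plain")).get_content().lower()
    findings = {
        "sender_domain": sender,
        "link_domains": links,
        "links_match_sender": all(d == sender for d in links),   # check 1
        "generic_greeting": any(g in text for g in GENERIC_GREETINGS),  # check 3
        "risky_domains": sorted({d for d in links + [sender] if d in RISKY_DOMAINS}),
    }
    if findings["risky_domains"]:
        findings["verdict"] = "block"        # reputation catches what the heuristics miss
    elif findings["generic_greeting"] or not findings["links_match_sender"]:
        findings["verdict"] = "suspicious"
    else:
        findings["verdict"] = "pass"
    return findings
```

On the sample, the domain-match heuristic passes and only the generic greeting and the reputation lookup flag the message, which mirrors the post's experience.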
Anti-Phishing Best Practices for Companies
The problem with phishing emails is that their elements are often also used by legitimate companies, for example, placing a link in an email. It is important that legitimate companies do not fall into the trap of creating emails that make phishing emails harder for users to spot. When your business creates emails that go out to customers, try to avoid:
- Clickable links to websites – instead ask the customer to navigate to a section/login directly to your website
- Attachments – unless absolutely necessary
- Sending emails that are not personalised – this is key, as personalisation shows a pre-existing relationship and builds trust. Fraudsters attempt personalisation and rely heavily on it, but they can only fully achieve it by surveilling a target
There are exceptions, of course, such as invoices. But when they are sent out, you would typically ensure that the content of the email was highly personalised to that transaction.
Why not help your colleagues stay safe by sending them this little reminder? Feel free to edit or copy/paste the advice below:
The Free Gift Scam
Be cautious of emails that pretend to be from seemingly legitimate online sites that offer a free gift for shipping details. The email will contain a clickable link to a website to collect the information. The link may go to a malware-infected website and/or steal your personal data.
ALWAYS AVOID CLICKING LINKS IN EMAILS!
For more information on what to do if you receive a phishing email, check out "What to Do if You Click on a Phishing Link?"
Don’t forget to share this with your colleagues and friends and help them stay safe.
Let's keep breaking scams!