Anatomy of a Phishing Email

Aug 4, 2017 | Protips

One of our employees received a phishing email today that was so obviously bad, we decided to make an example of it.  We had recently written about the importance of email savvy for employees of any company, and how to be skeptical of emails you receive.  This example gave us the opportunity to annotate and explain the many ways to spot malicious emails and avoid stepping into those traps.

We’ll begin with the email as we received it.  Do you see any indications that the email might be illegitimate?

It may be interesting to forward this article to your coworkers and friends, and compare notes.  For example, how long did it take you to spot the first sign that the email may not be for real?  How many signs did you see?  Which one stood out first?

Here’s the same email with annotations – you can grade your own observations and degree of skepticism against this list:

  1. Dropbox was spelled with parentheses in place of the letter “o” (i.e. Dropb()x).  This is done to slip past email content filters that expect to see the brand name spelled correctly.
  2. The sender’s display name was crafted to look as if it contained the sender’s email address.  The “name <address>” form is actually how Outlook presents the From header in this case – see #4.  The name itself is also nonsensical.  “noreply-banacealert”?
  3. They didn’t misspell the fake email domain the same way twice.  One instance used parentheses for the second “o”, the other for the first.
  4. The actual sender’s email address is shown by Outlook in the box.  It obviously has nothing to do with Dropbox.  Since it is a valid-looking address on a real domain, the most likely explanation is that the owner of that address has been compromised.  Either they have malware on their computer, or their password is known to the attacker.  (A From header can also simply be forged; the Received and Authentication-Results headers show whether the message really passed through that domain.)  On a company email account, this can result in your entire company’s domain being blacklisted.  This would mean no emails you send would be accepted by other companies using email spam filters.
  5. The subject doesn’t make a great deal of sense – a very generic statement.  Note #6 though…
  6. The name of the document in the body of the email doesn’t match what’s in the subject.
  7. The name “dropbox” isn’t even capitalized.  That shift key must have been pretty heavy.
  8. Hovering over the “CLICK HERE” link reveals the site they actually want you to visit (on a phone, a long press on the link shows the same thing).  It’s obviously not Dropbox.  It is, however, a legitimate website that has been compromised by an attacker, who is using it for criminal purposes – probably without the website’s owner even knowing.  ALWAYS check where a link goes before clicking!
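The same tells can be checked mechanically.  The script below is an added example, not code from the original post or from any mail-filtering product: it parses a raw message, undoes the cheap look-alike substitutions (“()” for “o”, “0” for “o”, and so on) so that obfuscated brand names surface (#1 and #3), compares the claimed brand in the display name against the real sending domain (#2 and #4), and lists every link whose target is not on the brand’s own domain, whatever the anchor text says (#8).  The two messages (`PHISH_EMAIL`, `CLEAN_EMAIL`), the sender and link domains in them, the `BRAND_DOMAINS` allow-list and the function names are all constructed for this illustration.

```python
"""Heuristic checks for the phishing tells annotated above.

Added example, not code from the original post. The two messages below are
constructed samples; every name, address, domain and filename in them is made up.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample shaped like the email in the post: brand name obfuscated two
# different ways, display name unrelated to the real sending domain, and a
# "CLICK HERE" link that goes to an unrelated (supposedly compromised) site.
PHISH_EMAIL = """\
From: "Dropb()x noreply-alert" <accounts@example-mail.test>
To: employee@example-company.test
Subject: A document has been shared with you
Content-Type: text/html; charset="utf-8"

<html><body>
<p>dropbox: "Q3_invoice.pdf" was shared with you via Dr()pbox.</p>
<p><a href="http://compromised-site.example/dbx/login.php">CLICK HERE</a> to view it.</p>
</body></html>
"""

# Constructed benign counterpart: every check should come back clean.
CLEAN_EMAIL = """\
From: "Dropbox" <no-reply@dropbox.com>
To: employee@example-company.test
Subject: Q3_invoice.pdf was shared with you
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Q3_invoice.pdf was shared with you on Dropbox.</p>
<p><a href="https://www.dropbox.com/s/abc123/Q3_invoice.pdf">View file</a></p>
</body></html>
"""

BRAND = "dropbox"                 # brand the message claims to be from
BRAND_DOMAINS = {"dropbox.com"}   # assumed allow-list; a real one lists every sending domain

# Cheap look-alike substitutions used to slip a brand name past keyword filters.
SUBSTITUTIONS = [("()", "o"), ("0", "o"), ("1", "l"), ("3", "e"), ("@", "a"), ("$", "s")]


def normalize_brand_text(text: str) -> str:
    """Undo the substitutions so 'Dropb()x' and 'Dr0pbox' both read 'dropbox'."""
    out = text.lower()
    for lookalike, letter in SUBSTITUTIONS:
        out = out.replace(lookalike, letter)
    return out


def obfuscated_brand_mentions(text: str, brand: str = BRAND) -> list:
    """Tokens that spell the brand only after normalisation (tells #1 and #3)."""
    hits = []
    for token in re.findall(r"\S+", text):
        if brand not in token.lower() and brand in normalize_brand_text(token):
            hits.append(token.strip('.,:;"\''))
    return hits


class _BodyParser(HTMLParser):
    """Collect the visible text and every (href, anchor text) pair of an HTML body."""

    def __init__(self):
        super().__init__()
        self.text_parts = []
        self.links = []          # [href, anchor_text] pairs, in document order
        self._open_link = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._open_link = [dict(attrs).get("href", ""), ""]
            self.links.append(self._open_link)

    def handle_endtag(self, tag):
        if tag == "a":
            self._open_link = None

    def handle_data(self, data):
        self.text_parts.append(data)
        if self._open_link is not None:
            self._open_link[1] += data


def host_of(address_or_url: str) -> str:
    """Domain of a mailbox, or hostname of a URL (userinfo tricks like
    http://dropbox.com@evil/ resolve to the real host), lower-cased."""
    if "@" in address_or_url and "://" not in address_or_url:
        return address_or_url.rsplit("@", 1)[1].lower()
    return (urlparse(address_or_url).hostname or "").lower()


def is_brand_host(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)


def analyze(raw_message: str) -> dict:
    """Run the header, body and link checks and return the findings."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg["From"])
    charset = msg.get_content_charset() or "utf-8"
    parser = _BodyParser()
    parser.feed(msg.get_payload(decode=True).decode(charset))
    body_text = " ".join(parser.text_parts)
    obfuscated = obfuscated_brand_mentions(display_name + " " + body_text)
    return {
        "sender_address": address,
        # #1 / #3: brand spelled with look-alikes, and spelled inconsistently.
        "obfuscated_brand": obfuscated,
        "inconsistent_spelling": len(set(obfuscated)) > 1,
        # #2 / #4: display name invokes the brand but the address lives elsewhere.
        # The From header itself can be forged; Received/Authentication-Results
        # headers say whether the message really came through that domain.
        "sender_mismatch": BRAND in normalize_brand_text(display_name)
                           and not is_brand_host(host_of(address)),
        # #8: where each link really goes, whatever the anchor text says.
        "suspicious_links": [(text.strip(), href) for href, text in parser.links
                             if not is_brand_host(host_of(href))],
    }


if __name__ == "__main__":
    for label, raw in (("phish", PHISH_EMAIL), ("clean", CLEAN_EMAIL)):
        print(label, analyze(raw))
```

The display-name check is deliberately a heuristic: the From header is attacker-controlled text, so a mismatch tells you the message is suspicious, not which account was abused.  To decide between “compromised sender” and “forged sender” (the #4 question), look at the Received chain and the SPF/DKIM/DMARC results your mail server records in Authentication-Results.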

So, how did you do?  Hopefully you’ll be better at spotting more carefully crafted phishing emails in the future.

What about your company – how confident are you that your web servers aren’t hosting fake sites like the ones linked in the email above?  How confident are you that your mail system, and your employee PCs, aren’t silently sending out these sorts of phishing emails?  Is your company’s email domain at risk of ending up on a blacklist?

At Nomerel, we provide peace of mind for business owners that their systems are secure and protected against these sorts of risks.  Contact us today to learn more!