As technology evolves, so does the craftiness of bad actors online. These villains are always developing new ways to trick people into giving away their information, finances, sense of security, and more.
That's where we, the CTD Help Desk, come in. We're here to help restore your sense of security by giving you the information you need to arm yourself against their attacks. And, of course, we're always here to help you assess whether something is spam, a phishing attempt, or a legitimate email.
Note: CTD will never request your password, although we may ask your permission to reset it in certain circumstances to assist in troubleshooting. Due to a steep rise in phishing attempts, please be vigilant when opening any emails, links, or attachments requesting your credentials.
Let's start by going over the differences.
- Spam is bulk email sent to a list of recipients who never opted in to receive it.
- Marketing emails are often treated as spam even though they are legitimate. If you want to stop receiving them, the best option is the Unsubscribe link at the bottom of the email; commercial senders are required to include one.
- A phishing email is an attempt to steal your information or your money. Common scenarios include asking you to click a link, asking you to open a file, or impersonating someone you know and asking you to send money.
Email spoofing cannot be fully prevented. The email protocol was designed in the 1970s for a small, trusting community, and the From: line is simply text the sender fills in. Modern checks (SPF, DKIM and DMARC) let receiving servers reject mail that forges an exact domain whose owner publishes them, but they do nothing about a forged display name on a throwaway address, or a lookalike domain the attacker legitimately owns. That is why spam and phishing remain a problem.
The only way to deal with sophisticated attacks is to remain vigilant and to have proper financial controls in place, so that a fake request is not processed simply because one staff member took an apparently valid email at face value. Proper controls ensure that a single person's mistake cannot by itself result in large sums of money leaving the organization.
What to look out for
Now let's go through some common examples so you can familiarize yourself with what to look out for.
This one is easy. The sender address is just a string of numbers at an equally suspicious-looking domain. The message has no subject and no body, just a suspicious file attachment. Report and delete it!
In this example, we've blocked out some of the staff names, emails, and organization names, but the bad actor did use legitimate CEO names and organization titles, making it harder to detect. However, there are some easy flags to spot.
- The easiest flag is a sender address that doesn't match the one you expect. If an email shows the display name of Jane Doe, the CEO, but the actual address is something like <email@example.com> rather than her known work address, it is probably not from Jane. In this example, the actual address does not match this staff member's legitimate address. If the address does match but the request still sounds suspicious, call the person on a known phone number to verify whether the email is legitimate.
- You can also see the banner we've put in place to warn users when the display name matches that of a real staff member, but the email address is different and originates from outside our systems. (As a side note, sometimes bad actors will put in fake flags that look very similar to ours. They do this to throw you off and make it seem legitimate, but stay vigilant!)
Apart from those red flags, the rest of the email could easily pass as legitimate. If you did respond, the bad actor would likely move the conversation to text messages and ask you to buy several gift cards or wire money to an account they control.
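The display-name check described above can be automated on the mail server or in a triage script. The following is an added example in Python, not part of this article or of any CTD tooling; the organization domain, the staff directory and the sample headers it uses are constructed for illustration.

```python
"""Check a From: header for display-name impersonation and external origin.

Added example, not part of the help desk article. The organization domain,
the staff directory and the sample headers are constructed for illustration.
"""
from email.utils import parseaddr

# Assumed organization domain(s) and staff directory (constructed data).
INTERNAL_DOMAINS = {"example.org"}
STAFF_DIRECTORY = {
    "Jane Doe": "jane.doe@example.org",
    "Jin Doe": "jin.doe@example.org",
}


def normalize_name(name: str) -> str:
    """Lower-case, drop punctuation and sort the words, so that
    'Jane Doe', '"DOE, Jane"' and 'jane  doe' all compare equal."""
    cleaned = "".join(ch if ch.isalnum() or ch.isspace() else " " for ch in name.lower())
    return " ".join(sorted(cleaned.split()))


# Directory keyed by normalized name so lookups tolerate formatting changes.
_DIRECTORY = {normalize_name(n): a.lower() for n, a in STAFF_DIRECTORY.items()}


def check_from_header(from_header: str) -> list:
    """Return a list of red flags for one From: header (empty means none).

    Mirrors the help desk's banner rule: a display name that matches a real
    staff member while the address is someone else's, and any address from
    outside our domains, both get flagged.
    """
    display, address = parseaddr(from_header)
    address = address.lower()
    if "@" not in address:
        return ["From: header carries no usable email address"]
    domain = address.rpartition("@")[2]
    flags = []

    # Display name matches a known staff member but the address is not theirs.
    expected = _DIRECTORY.get(normalize_name(display))
    if expected and expected != address:
        flags.append(f"display name impersonates {expected}; actual sender is {address}")

    # Display name is itself an email address that differs from the real one,
    # e.g. From: "jane.doe@example.org" <attacker@mail-verify.example.net>
    shown = display.strip('"').lower()
    if "@" in shown and shown != address:
        flags.append(f"display name shows {shown} but real sender is {address}")

    # Sender is outside the organization: the banner case from the article.
    if domain not in INTERNAL_DOMAINS:
        flags.append(f"external sender domain: {domain}")
    return flags


if __name__ == "__main__":
    # Constructed headers: a genuine one, a CEO impersonation, a vendor, and
    # the "all numbers" sender from the first screenshot.
    for header in (
        "Jane Doe <jane.doe@example.org>",
        "Jane Doe <ceo.janedoe7742@gmail.com>",
        "Bob Vendor <bob@vendor.example.com>",
        "1234567890@9a8s7dfasdf.xyz",
    ):
        print(header, "->", check_from_header(header) or "no flags")
```

A matching display name with a matching address still only proves the mailbox sent it, not that the person did; that is the case where the article tells you to pick up the phone.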
This one is particularly tricky. We've blocked out the name, email address, and signature because they're actually legitimate ones from another organization. However, in this case there are a few flags to pay attention to.
- This email is from someone the recipient had never interacted with.
- The subject line is pretty ambiguous and informal for an email relating to some kind of invoice.
- The attachment is a suspicious .eml file.
Most likely, a legitimate user at another organization had their account compromised, and the bad actor is sending these phishing emails from that real account, which is why the name, address and signature all check out. Even if the sender is someone you know, call them on a number you already have to verify the email; don't rely on replying, because the attacker controls that mailbox.
This one is even more tricky because the bad actor has copied the template of a legitimate Microsoft password reset email. At first glance, it looks like a legitimate email, but don't be fooled!
- The sender's address is not on any Microsoft domain, and an internet search for it turns up nothing on Microsoft's web pages. The part after the @ is what counts; the display name can say anything.
- If you hover over the link, you'll see that it's clearly not a Microsoft hyperlink and instead a suspicious website:
Report and delete it!
We see variations of this phishing attempt most frequently. Similar to the last example, bad actors will use similar templates to legitimate emails, but they are really all just wolves in sheep's clothing. Some of them are so well crafted that they'll include legitimate links to a third party company's Privacy Policies or Terms and Conditions pages, just to throw you off. Let's look at some of the flags for this email:
- A fax message email is suspect unless you're expecting one from a verified online fax provider (in which case, you should contact the provider directly to confirm if the email is legitimate or not).
- The sender appears to be a phone or fax number, and the email address is unfamiliar to the user. If it were a recognized address, the user should still contact that person directly (by a known phone number) to confirm whether the email is legitimate.
- The header image in the email is for SharePoint (which is a Microsoft product), but the email is signed by a different organization.
- When we hover over the "Print or Preview Fax" button, we see that it goes neither to SharePoint nor to the fake organization's website, but instead goes to an AirTable link. If you clicked on that link, likely it would take you to an AirTable page with yet another link to a suspicious website that would ask you to log in with your Microsoft account, thus submitting your credentials to the bad actor's collection of stolen account credentials.
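Hovering over a link compares what the email shows with where the link actually goes. The script below does the same comparison for every link in an HTML body; it is an added example, not the article's own code, and the sample message and list of expected domains are constructed to resemble the fax-notification phish above.

```python
"""Audit the links in an HTML email body the way "hover over the link" does.

Added example, not part of the help desk article. The sample HTML and the
list of expected domains are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Something that looks like a hostname inside the visible link text.
HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(" ".join(self._text).split())))
            self._href = None


def registrable(host: str) -> str:
    """Last two labels of a hostname. Assumption: no two-label public
    suffixes such as co.uk; a real tool would use the Public Suffix List."""
    return ".".join(host.lower().split(".")[-2:])


def audit_links(html: str, expected_domains: set) -> list:
    """Return one finding per link that does not go where it claims to.

    Two checks: visible text that names a host the href does not go to, and
    any link whose host is not one of the domains the email should be using.
    """
    collector = LinkCollector()
    collector.feed(html)
    allowed = {registrable(d) for d in expected_domains}
    findings = []
    for href, text in collector.links:
        parsed = urlparse(href)
        if parsed.scheme not in ("http", "https"):
            findings.append(f"'{text}' uses non-web link {href}")
            continue
        host = parsed.hostname or ""
        shown = HOST_IN_TEXT.search(text)
        if shown and registrable(shown.group(1)) != registrable(host):
            findings.append(f"text shows {shown.group(1)} but link goes to {host}")
        elif registrable(host) not in allowed:
            findings.append(f"'{text}' goes to unexpected host {host}")
    return findings


# Constructed body modelled on the fake "fax notification" described above:
# a button that leaves for a third-party host, a link whose text is a
# Microsoft URL but whose target is not, and a genuine footer link.
SAMPLE_HTML = """
<h2>SharePoint - New fax received</h2>
<p><a href="https://airtable.com/shrAbc123">Print or Preview Fax</a></p>
<p>Sign in at <a href="http://secure-docs-view.example.net/login">https://login.microsoftonline.com</a></p>
<p><a href="https://privacy.microsoft.com/privacystatement">Privacy Statement</a></p>
"""

if __name__ == "__main__":
    for finding in audit_links(SAMPLE_HTML, {"sharepoint.com", "microsoft.com"}):
        print("FLAG:", finding)
```

The genuine Privacy Statement link produces no finding, which is exactly why attackers include such links: only the links that matter are the ones that leave for an unexpected host.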
This one is crafty: you see it and think, "Hey, I didn't order anything! My credit card number must have been stolen!" If you then click the links to "contact Amazon", you are taken to a fraudulent site that asks you to "verify" your card or account details, or tries to get you to install malware. But remember: stay vigilant!
- The sender address is suspect. Upon closer inspection, you'll see it is not a real Amazon email - it has a zero instead of an "o" and it ends with "group".
- If you paste the links into virustotal.com, at least one scanner flags the site as malicious. (A clean result is not proof of safety, though: freshly registered phishing sites often have no detections yet.)
- As an extra precaution, you could also check with your credit card company to see if any actual fraudulent charges were made (unlikely in this case, but it doesn't hurt to check).
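The zero-for-o trick above is one of a family of lookalike domains. The following added example (not from the article) folds common character swaps back to the letters a reader would see and compares each label of the sender's domain against a protected list; the protected list, the homoglyph table and the sample addresses are assumptions for illustration.

```python
"""Detect sender domains that imitate a well-known brand or our own domain.

Added example, not part of the help desk article. The protected-domain
list, the homoglyph table and the sample addresses are constructed.
"""
import re
from difflib import SequenceMatcher

# Domains we care about being imitated (assumed list; our own domain included).
PROTECTED = {"amazon.com", "microsoft.com", "example.org"}

# Characters attackers swap in because they look alike (partial table).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b", "@": "a", "$": "s"}
MULTI_CHAR = (("rn", "m"), ("vv", "w"), ("cl", "d"))


def fold(label: str) -> str:
    """Reduce a domain label to the word a reader would see: lower-case,
    strip hyphens and other separators, then undo look-alike substitutions."""
    s = re.sub(r"[^a-z0-9@$]", "", label.lower())
    for bad, good in HOMOGLYPHS.items():
        s = s.replace(bad, good)
    for bad, good in MULTI_CHAR:
        s = s.replace(bad, good)
    return s


def lookalike_of(address: str, threshold: float = 0.85):
    """Return the protected domain a sender address imitates, or None.

    A genuine address on a protected domain (or one of its subdomains) is not
    a look-alike. Anything else is compared brand by brand: an exact hit after
    folding ("amaz0n"), the brand buried in a longer label ("amazon-group"),
    or a near miss by edit similarity ("m1crosoft").
    """
    domain = address.rpartition("@")[2].lower()
    labels = domain.split(".")
    if not domain or len(labels) < 2:
        return None
    if ".".join(labels[-2:]) in PROTECTED:
        return None
    folded_labels = [fold(label) for label in labels[:-1]]  # skip the TLD
    for protected in PROTECTED:
        brand = protected.split(".")[0]
        width = len(brand)
        for folded in folded_labels:
            if brand in folded:
                return protected
            # Slide a brand-sized window so "mlcrosoftsupport" still hits "microsoft".
            for i in range(max(1, len(folded) - width + 2)):
                window = folded[i:i + width]
                if SequenceMatcher(None, brand, window).ratio() >= threshold:
                    return protected
    return None


if __name__ == "__main__":
    # Constructed senders: the zero-for-o Amazon case, a digit-for-letter
    # Microsoft case, an rn-for-m copy of our own domain, and clean ones.
    for sender in (
        "order-update@amaz0n-group.net",
        "no-reply@m1crosoft-support.net",
        "alice@exarnple.org",
        "ship-confirm@amazon.com",
        "bob@vendor-tools.net",
    ):
        print(sender, "->", lookalike_of(sender) or "no match")
```

Any legitimate sibling domain of a protected brand (for example a separate brand-owned domain that shares the name) will also trip this heuristic, so a real deployment keeps an allowlist next to the protected list.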
This is another typical suspect. At first, it looks like a legitimate password expiration notice, but here are some more common red flags:
- The sender is not even pretending to be from a Microsoft address.
- If you hover over the "Keep My Password" link, you'll see that it doesn't go to a Microsoft web page.
- It's blurred out, but this bad actor also got the organization's name wrong.
This is one we've seen with greater frequency and it is confusing at a first glance. Typically this email will come in to you, but it will say that your message couldn't be delivered. You will then wonder, "What email did I send that got blocked and why was it blocked?"
To answer this two-part question, let's say Jin Doe is the recipient of the legitimate Microsoft bounce back email in the above example screenshot...
Part 1: Did I send this email?
In most cases, Jin didn't send the email. A bad actor sent it with Jin's address forged in the From: line, and, for whatever reason, these bad actors usually address the message to the very account they are spoofing.
If that doesn't make sense, try this metaphor for size:
Let's say a bad actor sends out a ton of mass junk mail via USPS... but the return address is your address. For some reason, the bad actor also sends you the junk mail, so you receive junk mail that A) says it's from you and B) is addressed to you. And then you get a warning notice from USPS saying that you should not send mass junk mail out (even though you didn't send anything out!).
In the above example screenshot:
- The "To:" line indicates the email was addressed to Jin Doe.
- We can see from the subject line that the email in question is a fake voicemail message notification: "Voicemail Transcription Message [...]"
- The body of the legitimate Microsoft bounce notification (yes! It's legitimate!) indicates that "Your message to [Jin Doe] couldn't be delivered." Jin's message to Jin couldn't be delivered? 🤔 Sounds suspect.
Part 2: Why did I receive an email blocked notification?
The automated notification from Microsoft is legitimate. What happens is that the bad actor's spoofed emails carry .HTM or .HTML file attachments (posing as voicemail audio files).
We've seen a huge uptick in aggressive phishing emails, almost all of which rely on HTML attachments, so as a security measure we block mail with those attachment types. Since the bad actor sent the email as you and to you, Microsoft treats you as the sender and sends you the notice that the message was blocked by our policy.
This phishing attempt is extremely well-crafted. It came from a spoofed/masked email address that made it look like it was from the user's organization. The links at the bottom footer of the email go to Microsoft's actual Privacy Statement and Acceptable Use Policy, and there are no other links to hover over to see if they're suspicious. But beware! Do not scan the QR code! Let's take a closer look:
- The real From: address is suspicious and isn't even a real, usable email address.
- Near the top of the email body there is a block of reply-style header text (From:, Sent:, and so on) that lists a legitimate Microsoft address as the sender. But this message is neither a reply nor a forward, so there is no reason for that block to be there except to lull you into a false sense of security. It is just text typed into the body; the real sender is the one in the actual From: header.
- Using some additional sleuthing tools in a safe test environment, we were able to "scan" the QR code to see what URL it redirects to without actually visiting the URL itself. We can see that it goes to a very suspicious link that is definitely not a genuine Microsoft link:
If you feel confident determining whether an email is legitimate or not, feel free to do the following:
- For spam emails:
- If it seems like a legitimate marketing email and the Unsubscribe link looks normal, click to Unsubscribe yourself from the list (sometimes you may need to reply with "UNSUBSCRIBE" in the subject and/or body of the email).
- If it is an illegitimate spam email, mark it as Junk.
- For phishing emails: Report it, then delete it.
However, if you have any slight doubts, please absolutely contact the Help Desk. It's better to be safe than sorry. And if you did happen to succumb to a bad actor's tricks (we've all had those moments - it happens to the best of us), please call us immediately so we can work with you to protect your account.