Holy phishing batman
Note: this will be part of a longer series on identifying, preventing, and remedying issues related to phishing attempts.
I don't usually post about issues like this, but this is a huge problem that can definitely ruin people's lives, so I think it's important to get more information on the topic out there.
So recently I tweeted about two very obscure phishing scams I was sent:
Recently I got two very good-looking phishing emails, annotated to help future potential victims identify them and prevent scams.
It was obvious to me that they were scams: the tell-tale signs in these emails immediately alerted me to the fact that they were not legitimate emails from either of these organizations. (I happen to have accounts with both of them, which made identification slightly easier.)
We're in the year 2017, and if anyone tells you email or computer systems are dying, they're absolutely wrong. We're entering an age where the internet is becoming a necessary part of everyone's life, and I want to talk about one of the biggest problems with email:
What is phishing?
When I went to college (and even before then) we studied a term called 'social engineering', that is, the idea that an attacker will not attempt to hack/crack/break into your system through technical means, but will convince you to do it for them. This is the broader category that phishing fits into.
Phishing is the act of an attacker convincing a victim (usually a user) to hand over secured information in a way that leaves the victim completely unaware that they just gave secure information away, through the use of faked online forms/websites/emails. The most common target (in my experience) is banking information.
With all this in mind, I want to try to help you prevent becoming a victim. There isn't a true "guide" for how you can stop yourself from becoming a victim, but there are steps you can take. I'm going to use actual phishing emails I was sent for this demonstration: real emails you may receive, how you can identify them, and how you can prevent yourself from becoming a victim.
Do note: I'm not even going to talk about the technical aspects of these emails; this guide is an end-user guide, for the people these emails are designed to victimize.
What does phishing look like?
To see what phishing looks like we're going to use two very real examples, which I've already annotated with some of the tell-tale signs of a phishing email (any one of these signs on its own isn't necessarily an indicator, but all of them together add up quickly).
As you can see, I drew a lot of red. Let's talk about this section by section to explore how we can apply this more broadly.
The Wells Fargo email broken down
The first image is from 'Wells Fargo' (or someone that wants you to think they're Wells Fargo). We can see an issue with this right off the bat: the 'From' address. I happen to be a Wells Fargo customer (funny: the email that this phishing scam was sent to is not my account email), and all the emails I get from them have a specific from address: Wells Fargo Online <firstname.lastname@example.org>. So of course that was the first big red flag for me. However, even if you don't know that the usual alert email is email@example.com, the address itself has one fatal flaw that should give you at least a yellow flag:
Generally a bank won't send you an email from firstname.lastname@example.org, that's not their usual M.O., typically the email address is just
So let's assume that the sender address isn't the problem. We'll move to the 'To' line. They sent this email To: Recipients. If you are using Outlook you can expand the contact card and you'll find that the Recipients email address is email@example.com. So the attacker sent the email to themselves, and they must have blind-carbon-copied us on it. That immediately tells me it's a phishing attempt. Why would my bank send an email to itself and blind copy me in?
If that wasn't obvious enough, and for some reason you're still in the yellow zone, we have this attachment named Wells Fargo Online Verification.htm.
For those of you that aren't technical users: an htm document is synonymous with an html document, which is basically a webpage. (It is a webpage, but it's not on the web at this point, it's on your PC.) This type of document can easily be processed by a web browser on your computer (Internet Explorer, Mozilla Firefox, Apple Safari, Opera, Microsoft Edge, Google Chrome) and can do many very cool things, and also many very bad things.
The problem is most people aren't aware of what to do with these documents, so they're not used much for interaction with end users. Generally you can just double-click the document and it will open in your browser of choice, whatever your default is.
Professional organizations don't usually send you these types of documents. Usually when this type of information needs to be sent you get one of two things: a link to a web page or a PDF file. Why? Because most people know what to do with both of those. They know to click a link, and they know to download/save/print a PDF.
The problem with HTML files is that they can contain malicious data. (There are more technical terms for it, but I'll save you the hassle.) They can install files on your PC, they can change settings (in some cases), and they can make you think you're going to a legitimate banking website.
We're not going to open it yet, we're going to mark it as a red flag and continue with the email.
The next thing we see that's a moderately yellow flag is the email body. There is a lot of text in this body that rubs me the wrong way.
We recently reviewed your account, and we are suspecting that your Wells Fargo account may have been accessed from an unauthorized computer.
This may be due to changes in your IP address or location. Protecting the security of your account and of the Wells Fargo network is our primary concern.
We are asking you to immediately login and report any unauthorized withdrawals, and check your account profile to make sure no changes have been made.
This alone isn't a bad phrase, but when it's combined with the next phrase it becomes more disturbing:
To protect your account please follow the instructions below:
- LOG OFF AFTER USING YOUR ONLINE ACCOUNT
If it were truly a security concern, the bank wouldn't just recommend logging off after you finish using your account. They would also recommend changing your credentials. If your account is being accessed by another PC/user then logging off will not fix it. (In almost all cases, this is true.) So, if the sender were truly concerned about your information, as a bank would be, the recommendation would be to change your password.
Please Download the Attachment file of your Wells Fargo Online Verification and Open on on a browser to complete your account verification process:
Verify the information you entered is correct.
We apologize for any inconvenience this may cause, and appreciate your support in helping us maintaining the integrity of the entire Wells Fargo System. Please verify your account as soon as possible.
Why would I need to download an attachment to login? If I simply need to login to my account, send me a URL/address.
Copyright © 1999 - 2016 Wells Fargo. All rights reserved..
No self-respecting bank would leave that double-period typo in an email. Bank emails go through a rigorous approval process. That typo alone isn't justification for calling it a phishing attempt, but when added to the rest of the email: 'Mark as Spam'.
Breaking down the Capital One attempt
So we just broke the Wells Fargo attempt down, let's do the same for the Capital One phishing attempt.
I have an account with Capital One, and I have seen three distinct email addresses from them: Capital One <firstname.lastname@example.org>, Capital One <email@example.com>, and Capital One <firstname.lastname@example.org>.
I've also seen a fourth one, but the address itself is slightly disconcerting: Capital One <email@example.com>. That's a really bad email for a bank.
We do at least see a pattern: emails from them are generally Capital One <firstname.lastname@example.org>, which is a mostly good thing. This means we can write off Capital One <email@example.com> as a non-legitimate email.
Next we have the same problems as the Wells Fargo email: Recipients and the .htm attachment. We'll skip those since we talked about them above.
We get to the body, and we run into a few things that are fairly alarming:
It has come to our attention that your Billing Information records are recently changed.
That's grammatically wrong; 'records have recently changed' is better.
That requires you to verify your Billing Information. Failure to validate your billing information may result to account termination.
Capital One isn't going to terminate my auto loan over this; they would call me and verify it first. Also: 'may result to'? Bad grammar again.
To verify your billing information, Please Download Attachment and open in a browser to Continue. We value your privacy and your preferences...
Why are 'Please Download Attachment' and 'Continue' capitalized in the middle of a sentence? That's not normal. Likewise: 'value your privacy and your preferences'? What does that even mean? Then the three dots / ellipsis? This is atrocious.
Failure to abide by these instructions may subject you to Capital One account restrictions or inactivity.
That's not what you said above.
TM and copyright © 2017 Capital One Inc. 1 Infinite Loop, MS 96-DM, Cupertino, CA 95015.
For those who don't know, that's Apple's address.
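The red flags walked through in both breakdowns (a sender domain you have never seen from the bank, a 'To' line that isn't you, a .htm attachment, "download the attachment to verify" wording, and sloppy typos like the double period) can be written down as a small checklist that a mail filter or a curious reader can run over a saved message. The script below is an added example and is not part of the original post; the two sample messages, the `bank.example` domains and the "known sender" list are constructed placeholders, not any bank's real addresses.

```python
"""Score a saved email against the phishing red flags described above.

Constructed example: both messages and the KNOWN_SENDER_DOMAINS list are
made-up placeholders, not real bank addresses.
"""
import re
from email import message_from_string, policy

# Placeholder: domains we have previously seen legitimate alerts come from.
KNOWN_SENDER_DOMAINS = {"bank.example", "alerts.bank.example"}

# Wording that pressures the reader or asks for an attachment instead of a link.
SUSPICIOUS_PHRASES = [
    r"download (the )?attachment",
    r"verif(y|ication)",
    r"unauthorized",
    r"account (termination|restrictions)",
]

# Constructed message modelled on the two attempts described in the post.
SAMPLE_EML = """\
From: Bank Online <support@mail-bank-verify.example>
To: Recipients <support@mail-bank-verify.example>
Subject: Unauthorized access to your account
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

We are suspecting that your account may have been accessed from an
unauthorized computer. Please Download the Attachment file and open on
a browser to complete your account verification process.
Copyright 1999 - 2016 Bank. All rights reserved..

--b1
Content-Type: text/html; name="Bank Online Verification.htm"
Content-Disposition: attachment; filename="Bank Online Verification.htm"

<html><body>placeholder</body></html>
--b1--
"""

# Constructed message shaped like a normal alert: known sender, addressed to
# me, a link instead of an attachment, no pressure wording.
LEGIT_EML = """\
From: Bank Online <alerts@bank.example>
To: me@home.example
Subject: Your monthly statement is ready
Content-Type: text/plain; charset="utf-8"

Your statement is available. Sign in at https://bank.example/ to view it.
"""


def phishing_flags(raw, my_address):
    """Return the list of red flags found in one raw RFC 822 message."""
    msg = message_from_string(raw, policy=policy.default)
    flags = []

    # 1. Sender domain: have we ever seen the bank mail from here?
    sender = msg["From"].addresses[0].addr_spec.lower() if msg["From"] else ""
    domain = sender.rpartition("@")[2]
    if domain and domain not in KNOWN_SENDER_DOMAINS:
        flags.append(f"from-domain:{domain}")

    # 2. 'To' line: am I actually addressed, or was I blind-copied?
    to_addrs = [a.addr_spec.lower() for a in msg["To"].addresses] if msg["To"] else []
    if my_address.lower() not in to_addrs:
        flags.append("not-addressed-to-me")
    if domain and any(a.endswith("@" + domain) for a in to_addrs):
        flags.append("sent-to-self")

    # 3. Attachments: a bank sends links or PDFs, not .htm files.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith((".htm", ".html")):
            flags.append(f"html-attachment:{name}")

    # 4. Body wording: pressure, "verify", and the download-to-log-in ask.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    for pattern in SUSPICIOUS_PHRASES:
        if re.search(pattern, text, re.IGNORECASE):
            flags.append(f"phrase:{pattern}")

    # 5. Sloppy copy: a double period at the end of a sentence.
    if re.search(r"\.\.(\s|$)", text):
        flags.append("double-period-typo")
    return flags


def verdict(flags):
    """Turn a flag list into the yellow/red judgement used in the post."""
    if not flags:
        return "no red flags"
    return "yellow flag" if len(flags) < 3 else "likely phishing"


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_EML), ("legit", LEGIT_EML)):
        found = phishing_flags(raw, "me@home.example")
        print(label, verdict(found), found)
```

No single check decides the verdict, which mirrors the post's point that any one sign on its own is only a yellow flag; the constructed sample trips every check, while the clean message trips none. To run it over a message you saved from your own mail client, read the .eml file into a string and pass it to `phishing_flags` with your own address.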
Overall, I hope this is helpful to increase your ability (and your friends', family's, coworkers' and loved ones' abilities) to identify phishing scams that look legitimate, and prevent becoming a victim of the tactics that these attackers use to steal your information. In a future blog post I'll talk about why it's important to identify them, and how they steal your information.