MailGuard has intercepted a phishing email masquerading as an alert about a “progress claim”.
The email is sent from a compromised email account belonging to a COO working in an Australia-based company. The email invites recipients to view an “enclosed progress claim” and appears to be a forward of an automated alert. The alert informs recipients that two messages were sent to them on 11th January 2021. A link is provided to access these messages, with a warning that the files will be deleted after 24 hours “to protect your privacy”.
Here’s what the email looks like:
Unsuspecting recipients who click on the link to view the messages are led to a login page that asks them to verify their account. The page contains an altered version of the Microsoft Office logo. However, the domain used in the URL of the page doesn’t belong to Microsoft – a huge red flag pointing to the email's illegitimacy.
This is actually a phishing page hosted on a compromised website for a company in Nigeria. Once users enter their email address and password, the attacker harvests them for later use, and users are met with an error saying their credentials are invalid, as per below:
Whilst MailGuard is stopping this email scam from reaching Australian businesses, we encourage all users to be extra vigilant against this kind of email and, whatever happens, not to open such emails or click the links in them.
By claiming to share a new progress claim, this email scam aims to intrigue recipients, with the inclusion of a 24 hour deadline motivating them to click on the link to view it as soon as possible. The safety disclaimers in the email (like “Message from safe source”) are also likely included in order to boost the legitimacy of the email.
Another technique employed by this email scam to trick users is the usage of Microsoft Office 365’s logo in the phishing pages. Cybercriminals frequently exploit the branding of global companies like Microsoft in their scams because their good reputation lulls victims into a false sense of security, and with such a large number of users they are an easy and attractive target. Their established brand helps convince recipients that the files being shared via this email are secure.
In addition, scams that are initiated from compromised email accounts are particularly dangerous, for a number of reasons:
- The emails are sent from a legitimate account and company, so they are not likely to be blocked by email security services,
- The recipients are more receptive to the emails because they are from a legitimate service, especially where the sender and company are known to them, and
- The emails may deliver a malicious payload, or simply direct users to external phishing pages to harvest credentials, as in this example.
Despite these techniques, eagle-eyed recipients of this email would be able to spot several red flags that point to the email’s inauthenticity. These include the fact that the email doesn’t address the recipient directly, and that it contains several formatting errors.
As a precaution, MailGuard urges you not to click links within emails that:
- Are not addressed to you by name.
- Appear to be from a legitimate company but use poor English, or omit personal details that a legitimate sender would include.
- Are from businesses that you were not expecting to hear from.
- Take you to a landing page or website that is not the legitimate URL of the company the email is purporting to be sent from.
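The checks in the list above, together with the 24 hour deadline cue noted earlier, can be sketched as a mail-triage helper. This is an added example, not MailGuard's detection logic; the function names, the short allow-list of Microsoft domains and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from urllib.parse import urlparse

# Assumption: illustrative, non-exhaustive list of Microsoft sign-in domains.
MICROSOFT_DOMAINS = {"microsoft.com", "microsoftonline.com", "office.com", "live.com"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
DEADLINE_RE = re.compile(r"\b(?:within|after|in)\s+\d+\s*hours?\b", re.I)

def host_on_allowlist(url, allowed=MICROSOFT_DOMAINS):
    """True only if the URL's host is an allowed domain or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    # Exact or dot-anchored suffix match, so "office.com.other.example" fails.
    return any(host == d or host.endswith("." + d) for d in allowed)

def red_flags(raw_email, recipient_name, brand_domains=MICROSOFT_DOMAINS):
    """Return the red flags that a plain-text email raises."""
    msg = message_from_string(raw_email, policy=policy.default)
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part else ""
    flags = []
    if not re.search(r"\b" + re.escape(recipient_name) + r"\b", body, re.I):
        flags.append("not addressed by name")
    if DEADLINE_RE.search(body):
        flags.append("deadline pressure")
    for url in URL_RE.findall(body):
        if not host_on_allowlist(url, brand_domains):
            host = urlparse(url).hostname or "(none)"
            flags.append("link host not owned by claimed brand: " + host)
    return flags

# Constructed sample modelled on the email described in this post.
SAMPLE = """\
From: coo@sender.example
To: pat@recipient.example
Subject: FW: Progress claim

Please view the enclosed progress claim.
You have 2 new messages. Files will be deleted after 24 hours to protect your privacy.
View messages: https://portal.compromised-site.example/verify
"""

if __name__ == "__main__":
    for flag in red_flags(SAMPLE, "Pat"):
        print(flag)
```

Because the sender's account in this scam is genuine, the checks look only at the message body and link hosts rather than at the From address.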
One email is all that it takes
All that it takes to break into your business is a cleverly-worded email message. If scammers can trick one person in your company into clicking on a malicious link they can gain access to your data.
For a few dollars per staff member per month, you can protect your business with MailGuard's predictive and advanced email security.
Talk to a solution consultant at MailGuard today about securing your company's network.