MailGuard 29 July 2021 13:39:42 AEST 6 MIN READ

Double Whammy: The Latest Phishing Scam Uses your ‘IT Support’ team to Install Malware

The latest phishing alert sees scammers impersonate the IT department of the targeted organisation in an attempt to steal email credentials and install a malicious file onto the victim’s computer.  Attackers have interestingly used a fake email address from American multi-national and shipping services company FedEx as the trusted name to lure victims into providing their details.  

A notable characteristic of this attack is the scammer's ability to use the name of your company or organisation in order to facilitate the phishing attempt. By purporting to be the victims internal IT services, the email advises the receiver that they have been ‘deactivated’ from a service (actual service not specified) by not having updated their email address. The rectification for this is via downloading the attachment that will apparently assist in updating this information. The wording and instruction in this email, if not looked at closely, attempts to mislead the victim into thinking that their online capability may be deactivated if the instructions are not followed. An easy trap for those who cannot afford to not have access to their company’s internal tech systems (which is usually the whole organisation).  


This is what the email looks like:



Once the victim clicks on the HTML attachment given in the email, they are taken to the phishing page below that asks for their email address and password. Once again, the victim is made to believe that they are receiving assistance from their internal IT support team. In the example below, the scammers have inserted our domain address, ‘ Support’ to trick the user into entering their credentials.   

 Webmail __ Login — Mozilla Firefox_594

A concerning aspect of this phishing scam is that it poses two threats: (1) Phishing of credentials to be given to a third party for criminal use and (2) The risk of installing malware through downloading the attachment. By using the IT Support system of the organisation that the victim is associated with, the attacker instills an urgency in the victim to download the attachment and follow the instructions in the email so as to not be prevented from their daily work schedule.  

Notable discrepancies to look out for in this phishing scam include the following: 

  • The envelope email address: onlineservice(at)fedex(dot)com (this is a fake email address), which is not indicative of the email being sent from an IT Support team.  
  • ‘Verify This is You!’ in the phishing page.  
  • The Display Name is ‘IT’ plus the ‘recipient’s domain’  

MailGuard urges all recipients of this email to delete it immediately without downloading any attachments. Providing your personal details and downloading unfamiliar attachments can result in your sensitive information being used for criminal activity and embedding malware.

MailGuard urges users not to click links or open attachments within emails that:

  • Are not addressed to you by name.
  • Appear to be from a legitimate company but use poor English, or omit personal details that a legitimate sender would include.
  • Are from businesses that you were not expecting to hear from, and/or
  • Take you to a landing page or website that is not the legitimate URL of the company the email is purporting to be sent from. 


One email is all that it takes

All that it takes to devastate your business is a cleverly worded email message that can steal sensitive user credentials or disrupt your business operations. If scammers can trick one person in your company into clicking on a malicious link or attachment, they can gain access to your data or inflict damage on your business.

For a few dollars per staff member per month, you can protect your business with MailGuard's predictive and advanced email security. Talk to a solution consultant at MailGuard today about securing your company's network.

Stay up-to-date with MailGuard's latest blog posts by subscribing to free updates. Subscribe to weekly updates by clicking on the button below.

Keep Informed with Weekly Updates