MailGuard 08 September 2022 14:22:36 AEST 5 MIN READ

New Payroll Scam Aims to Steal Business Email Credentials

MailGuard is now blocking a new email scam that is made to look like an internal email about payroll but is designed to steal your email account password.

The email lands in inboxes with the subject line “Your records on [company name] Management Portal is out-of-date”. The sender’s display name also shows the recipient’s company name, followed by “Internal_Relations_Mgt.”, but the sender email address is “noreply(at)wuh-gruop(dot)com”, which appears to be a misspelling of a legitimate domain.

The company name is mentioned in the sender name, in the subject and twice in the email content in an attempt to feign authenticity. The email itself begins with “Greetings sales”, as it was sent to a “sales@” account. It goes on to explain that the monthly pay-list is reviewed by the recipient’s company’s payroll department, and that they need to sign in to update and set their records. The recipient is directed to press a button which says, “SET-UP PAY-LIST”.

Here's an example of one of the emails MailGuard intercepted:

[Image: example of the intercepted email]

If the user clicks the button, they’re taken to an intermediary page that uses a reCAPTCHA check to verify that the visitor is human.


After verifying they are not a robot, the user is taken to a phishing site which is designed to replicate the Outlook sign in page. Although care has been taken to make the page look authentic, including auto filling the recipient’s email address in the ‘User name’ field, you will notice the URL shows a jumble of letters and numbers, and is not related to Outlook, or any discernible business. The phishing page is hosted on an IPFS service, which appears to be a growing trend amongst scammers.

The user is asked to enter their password to ‘sign in’, which is then harvested by the cybercriminal for later use. Regardless of whether it was correct the first time, an error will appear and they will be required to enter their password again.


After submitting their password twice, the victim is taken to an error page which explains something went wrong while trying to access their mailbox. This page then redirects to a legitimate troubleshooting documentation page for Microsoft Exchange, once again helping to make the ruse feel more genuine.


If this email, or something similar that you’re unsure about, lands in your inbox, get in touch with your payroll department directly; do not click ‘reply’ on the email. Providing your personal details can result in your sensitive information being used for criminal activity and may have a severe negative impact on your business and its financial well-being.

MailGuard urges users not to click links or open attachments within emails that:       

  • Are not addressed to you by name.       
  • Appear to be from a legitimate company but use poor English or omit personal details that a legitimate sender would include.
  • Are from businesses that you were not expecting to hear from, and/or       
  • Take you to a landing page or website that is not the legitimate URL of the company the email is purporting to be sent from.      
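
Two of the traits described in this scam, a sender display name that carries the recipient's company name while the sender domain is external, and a button that links to IPFS-hosted content, can be checked automatically when triaging reported mail. The following is an added example, not MailGuard's detection logic; the sample message, "Example Corp", all domains, the CID-like string and the function names are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message: every name, domain and the CID-like string is a placeholder.
SAMPLE = """\
From: "Example Corp Internal_Relations_Mgt." <noreply@lookalike.example>
To: sales@example.com
Subject: Your records on Example Corp Management Portal is out-of-date
Content-Type: text/html

<p>Greetings sales</p>
<a href="https://gateway.example/ipfs/bafyconstructedplaceholdercid/index.html">SET-UP PAY-LIST</a>
"""

HREF_RE = re.compile(r'href=["\']([^"\']+)["\']', re.I)

def is_ipfs_url(url):
    """True for path-style (/ipfs/<cid>) or subdomain-style (<cid>.ipfs.<gateway>) URLs."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    return parts.path.lower().startswith("/ipfs/") or ".ipfs." in host

def triage(raw, org_name, org_domains):
    """Return findings for the two traits; org_name/org_domains describe the recipient."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    findings = []
    # Trait 1: display name claims the recipient's organisation, but the domain is external.
    if org_name.lower() in display.lower() and sender_domain not in org_domains:
        findings.append(f"display name uses '{org_name}' but sender domain is {sender_domain}")
    # Trait 2: a link in the body points at content served through an IPFS gateway.
    body = "".join(
        (p.get_payload(decode=True) or b"").decode("utf-8", "replace")
        for p in msg.walk() if not p.is_multipart()
    )
    for url in HREF_RE.findall(body):
        if is_ipfs_url(url):
            findings.append(f"link to IPFS-hosted content: {urlparse(url).hostname}")
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE, "Example Corp", {"example.com"}):
        print("FLAG:", finding)
```

Neither finding is proof of phishing on its own; they are signals for prioritising a reported message for review.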

Many businesses turn to MailGuard after an incident or a near miss, often as a result of an email similar to the one shown above. If unwanted emails are a problem for your business, don’t wait until it’s too late.  

Reach out to our team for a confidential discussion by emailing expert@mailguard.com.au or calling 1300 30 44 30.

One email is all that it takes     

All that it takes to devastate your business is a cleverly worded email message that can steal sensitive user credentials or disrupt your business operations. If scammers can trick one person in your company into clicking on a malicious link or attachment, they can gain access to your data or inflict damage on your business.     

For a few dollars per staff member per month, you can protect your business with MailGuard's predictive and advanced email security. Talk to a solution consultant at MailGuard today about securing your company's inboxes.  
