MailGuard has intercepted a phishing email scam that claims to deliver ‘remittance advice’ in order to trick users.
Titled ‘Payment Advice’, the email claims to be sent by the ‘Aussie Broadband team’, a well-known local telecommunications carrier. It informs recipients that their remittance advice is ‘ready for download’ and contains a link, supposedly to a .PDF file. The email is actually sent from a compromised email account, not from Aussie Broadband.
Here’s what the email looks like:
Unsuspecting recipients who click on the link to view the document are led to a page hosted by Linkkle, a web tool used to organise multiple social media links on one page. This page includes an image preview of an ‘Account Payable Shared Payment Slip’ and a button titled ‘View Here’.
Here’s a screenshot of this page:
Upon clicking the button, users are led to a page with a header titled ‘Microsoft SharePoint’ – a popular web-based collaboration platform by Microsoft that is commonly used by businesses. This page directs users to enter their email address in order to view the document, and a second page then asks for their password. While both pages use Microsoft’s logo and branding, the domain in the URL of each page does not belong to Microsoft – a red flag pointing to their illegitimacy. They are actually phishing pages hosted on a compromised website. Here are screenshots of what they look like:
Once users enter their email address and password, the attacker harvests the credentials for later use. Users are then shown an error saying that the credentials are invalid, as shown below.
Whilst MailGuard is stopping this email scam from reaching Australian businesses, we encourage all users to be extra vigilant against this kind of email and whatever happens, do not respond to it.
By claiming that ‘remittance advice’, in the form of a new document, has been shared, this email scam aims to intrigue recipients, motivating them to click on the link to view it as soon as possible.
Scams that are initiated from compromised accounts are particularly dangerous, for a number of reasons:
- The emails are sent from a legitimate account through its real mail provider, so they pass sender checks and are not likely to be blocked by email security services,
- Recipients are more receptive to the emails because they come from a legitimate account, especially where the sender is known to them, and
- They may deliver a malicious payload, or simply a link to a file as in this example, directing users to external phishing pages that harvest credentials.
It's also interesting to note the reference to Aussie Broadband in the email and the inclusion of Microsoft branding on the phishing pages. Cybercriminals frequently impersonate well-known companies like these because their good reputation lulls victims into a false sense of security, and because their large global user bases mean any given recipient is likely to be a customer; such brands are regularly impersonated in scams like this one. In this case, by assuring recipients that the shared document is hosted on a trusted platform like Microsoft SharePoint, the cybercriminals behind this scam further encourage users to provide their email addresses and passwords in order to proceed.
In addition, dressing the lure up as a file-sharing notification is another technique cybercriminals use to avoid suspicion. Since the COVID-19 pandemic, it has become increasingly common for employees working remotely to share confidential business documents with one another via email, so notifications like this one aren’t likely to raise too much suspicion.
Some of the subtle hints that this email is not legitimate are the lack of a personalised greeting and multiple spacing and grammatical errors.
A simple, common sense way to spot a scam is to ask yourself if you know the sender, or if you should reasonably expect to receive an email from them. If not, or if you’re in doubt, don’t open it and don’t reply. In most cases, that advice will be sufficient, but if you work in the accounts payable department at a medium to large sized company, knowing the details for every vendor may not be so simple. Always exercise caution when opening email.
As a precaution, MailGuard urges you not to click links within emails that:
- Are not addressed to you by name.
- Appear to be from a legitimate company but use poor English, or omit personal details that a legitimate sender would include.
- Are from businesses that you were not expecting to hear from, and
- Take you to a landing page or website that is not the legitimate URL of the company the email is purporting to be sent from.
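The two checks above that can be automated – does each link's domain belong to the company the email claims to be from, and does the message open with a personalised greeting – are shown here as an added example. This is illustrative code written for this page, not MailGuard's product or detection logic. The sample messages are constructed; the brand-to-domain mapping (aussiebroadband.com.au, sharepoint.com, microsoft.com) and the treatment of linkkle.com as a link-aggregator hop are assumptions you would replace with your own allow-lists.

```python
"""Flag red flags from a 'Payment Advice' style lure in a raw email.

Added example (not MailGuard's code). It extracts every link from the
message, compares its registrable domain with the brands named in the
body, notes links that pass through a link aggregator, spots link text
that claims a PDF but points elsewhere, and checks for a personalised
greeting. Brand domains and the aggregator host are assumptions.
"""
import re
from email import message_from_string
from urllib.parse import urlparse

# Assumed mapping of brand names (as they appear in the body) to the
# registrable domains that brand legitimately uses. Replace with your own.
BRAND_DOMAINS = {
    "aussie broadband": {"aussiebroadband.com.au"},
    "sharepoint": {"sharepoint.com", "microsoft.com"},
    "microsoft": {"microsoft.com", "sharepoint.com"},
}
# Assumed: link-aggregator hosts used as an intermediate hop (the lure
# above used a Linkkle page before the phishing site).
REDIRECTOR_HOSTS = {"linkkle.com"}

HREF_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
GREETING_RE = re.compile(r"(?:Hi|Hello|Dear)\s+[A-Z][a-z]+")


def registrable_domain(host):
    """Approximate the registrable domain: last two labels, or three when a
    two-letter country code follows a generic second-level label (com.au).
    Good enough for the example; use a public-suffix library in production."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and \
            labels[-2] in {"com", "net", "org", "gov", "edu", "co"}:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def strip_tags(html):
    return re.sub(r"<[^>]+>", " ", html)


def extract_text(msg):
    """Concatenate the text/plain and text/html parts of a parsed message."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True)
            if payload:
                parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def analyse(raw):
    """Return a list of human-readable findings; an empty list means no red flags."""
    msg = message_from_string(raw)
    text = extract_text(msg)
    plain = strip_tags(text).lower()
    findings = []

    # Which brands does the body name, and which domains would those brands use?
    claimed = [b for b in BRAND_DOMAINS if b in plain]
    allowed = set().union(*(BRAND_DOMAINS[b] for b in claimed)) if claimed else set()

    # Sender domain versus the brand the body claims to come from.
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    sender_domain = registrable_domain(m.group(1)) if m else ""
    if claimed and sender_domain not in allowed:
        findings.append(f"claims {', '.join(claimed)} but sent from {sender_domain}")

    # Every link: aggregator hop, off-brand domain, and PDF-looking link text.
    for href, anchor in HREF_RE.findall(text):
        url = urlparse(href)
        host = url.hostname or ""
        rdom = registrable_domain(host)
        if rdom in REDIRECTOR_HOSTS:
            findings.append(f"link via redirector/aggregator {host}")
        if claimed and rdom not in allowed:
            findings.append(f"link to {host} does not belong to claimed brand(s)")
        anchor_text = strip_tags(anchor).strip()
        if anchor_text.lower().endswith(".pdf") and not url.path.lower().endswith(".pdf"):
            findings.append(f"link text '{anchor_text}' hides non-PDF target {href}")

    # First non-empty line of the body should be a greeting that names the recipient.
    first_line = next((ln.strip() for ln in strip_tags(text).splitlines() if ln.strip()), "")
    if not GREETING_RE.match(first_line):
        findings.append("no personalised greeting")
    return findings


# Constructed lure modelled on the email described above (not the real message).
SAMPLE_EMAIL = """\
From: Accounts <accounts@example-compromised.net>
To: payables@example.com
Subject: Payment Advice
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your remittance advice from the Aussie Broadband team is ready for download.</p>
<p><a href="https://linkkle.com/some-profile">Payment_Advice.pdf</a></p>
<p>Document hosted on Microsoft SharePoint.</p>
</body></html>
"""

# Constructed legitimate-looking counterpart: right sender domain, named greeting, on-brand PDF link.
LEGIT_EMAIL = """\
From: Billing <noreply@aussiebroadband.com.au>
To: jane@example.com
Subject: Your remittance advice
Content-Type: text/html; charset=utf-8

<html><body>
<p>Hi Jane,</p>
<p>Your Aussie Broadband remittance advice is attached:
<a href="https://www.aussiebroadband.com.au/billing/remittance-123.pdf">Remittance.pdf</a></p>
</body></html>
"""

if __name__ == "__main__":
    for name, raw in (("lure", SAMPLE_EMAIL), ("legit", LEGIT_EMAIL)):
        print(name, analyse(raw))
```

The lure produces five findings (off-brand sender, aggregator hop, off-brand link, PDF-looking link text pointing at a non-PDF URL, and no personalised greeting); the constructed legitimate message produces none. The domain comparison deliberately uses the registrable domain rather than the full hostname, so a phishing page on a subdomain of an unrelated site is still caught, and a legitimate `www.` or tenant subdomain of the brand's own domain is not flagged.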
One email is all that it takes
All that it takes to break into your business is a cleverly-worded email message. If scammers can trick one person in your company into clicking on a malicious link they can gain access to your data.
For a few dollars per staff member per month, you can protect your business with MailGuard's predictive and advanced email security.
Talk to a solution consultant at MailGuard today about securing your company's network.
Why not stay up-to-date with MailGuard's latest blog posts by subscribing to free weekly updates?