Akankasha Dewan 22 October 2020 19:43:54 AEDT 3 MIN READ

Watch out: Purchase order email carries phishing link

MailGuard has intercepted a phishing email masquerading as a notification related to a purchase order.

Sent from a compromised account on a mass mailing system, the email is designed to look like an auto-generated notification, asking the recipient to “re-send order”, along with a message and link at the bottom. A header is included in the email indicating that it is sent “from a trusted sender”. This is likely an attempt to boost the email’s credibility and convince the recipient that it is safe to click on the link included in the email.

Here’s what the email looks like:



Unsuspecting recipients who click on the link are led to a page that appears to be hosting a Microsoft Excel file. However, the file is blurred and recipients are presented with a Excel-branded login window asking them login to their emails if they wish to view the document. Here is a screenshot of the page:


This is a phishing page hosted on a collaborative platform for app developers that allows free accounts.

Once these credentials are entered and submitted, the attacker harvests them for later use, and the user is met with an error saying “Access denied”. The user is then redirected to a website associated with the domain portion of the email (for example, if test@XYZ.com was used, it would redirect to XYZ.com.au).

We advise all recipients to delete these emails immediately without clicking on any links. Please share this alert with your social media network to help us spread the word around this email scam.

Enquiries or notifications related to purchase orders have long been used by cybercriminals to scam users. These are common business documents, frequently exchanged by professionals and habitually found in inboxes. Cybercriminals know this, and hope that in their urgency to respond to and act upon such notifications, users don’t pause to check for their legitimacy.

In this case, several red flags are present that should alert users. These include the fact that the email doesn’t address the recipient directly, and that the domain used in the URL of the phishing page belongs to a third party.

In such cases, users are reminded of the importance of not accepting/clicking on documents from unknown senders, despite the organisation they purport to be from. All attachments/links should only be accessed when users are certain about the credibility of their owners.

As a precaution, MailGuard urges you not to click links within emails that:

  • Are not addressed to you by name.
  • Appear to be from a legitimate company but use poor English, or omit personal details that a legitimate sender would include.
  • Are from businesses that you were not expecting to hear from.
  • Take you to a landing page or website that is not the legitimate URL of the company the email is purporting to be sent from. 

One email is all that it takes

All that it takes to break into your business is a cleverly-worded email message. If scammers can trick one person in your company into clicking on a malicious link they can gain access to your data.

For a few dollars per staff member per month, you can protect your business with MailGuard's predictive and advanced email security.

Talk to a solution consultant at MailGuard today about securing your company's network.

Why not stay up-to-date with MailGuard's latest blog posts by subscribing to free updates? Subscribe to weekly updates by clicking on the button below.

Keep Informed with Weekly Updates