Enquiries or notifications related to purchase orders have long been used by cybercriminals to scam users - and it looks like this trend is set to continue.
MailGuard has intercepted a phishing email purporting to deliver a purchase order. Sent from a compromised email account belonging to a representative of a legitimate company, the email is designed to look like an automated alert. It includes multiple details related to the purchase order, including the date it was received, who it was sent by and a reference number - elements likely included to boost the email's credibility and convince users that a purchase order is indeed being shared. A link is provided for the user to “preview PDF” and the email ends with a sign-off from the “Adobe PDF Team”.
Here’s what the email looks like:
Unsuspecting recipients who click on the link to view the messages are led to an intermediary page titled “Sign-In Secure Document”. This page also contains details pertaining to the purchase order, along with Adobe’s logo and a signature belonging to the representative mentioned in the email. However, the domain used in the URL of the page doesn’t belong to Adobe or the representative’s company – a huge red flag pointing to the illegitimacy of the email. This page is actually hosted on a third-party document management/sharing website.
Once users click on the link to “Review Document”, they are led to a second page with its background blurred. A message appears at the forefront of the page, instructing users to choose their preferred email provider (Outlook, Office 365 or other) and to log into their email in order to read the document. This page employs both Adobe and Microsoft’s branding, as per the below screenshot:
Just like in the intermediary page, the domain used in the URL of this page doesn’t belong to Adobe or Microsoft. This is actually a phishing page hosted on a compromised website in Africa. Once users “log into” their accounts, the attacker harvests their email addresses and passwords for later use, and the user is met with an error saying that the credentials were invalid.
Whilst MailGuard is stopping this email scam from reaching Australian businesses, we encourage all users to be extra vigilant against this kind of email and, whatever happens, not to open such emails or click on their links.
Enquiries or notifications related to purchase orders are common business documents, frequently exchanged by professionals and habitually found in inboxes – especially as more professionals work remotely due to the COVID-19 pandemic. Cybercriminals know this, and hope that in their urgency to respond to and act upon such notifications, users don’t pause to check for their legitimacy.
In this case, cybercriminals are also leveraging the well-established reputation of Adobe and Microsoft in order to trick users. Cybercriminals frequently exploit the branding of global companies like these in their scams because their good reputation lulls victims into a false sense of security, and with such a large number of users they are an easy and attractive target. The signature indicating that the email is sent from “The Adobe PDF team” and the logos of Adobe, Microsoft Outlook and Office 365 are likely included intentionally to boost the legitimacy of the email and convince users that the files being shared via this email are secure.
In addition, scams that are initiated from compromised email accounts are particularly dangerous, for a number of reasons:
- The emails are sent from a legitimate account and company, so they are not likely to be blocked by email security services,
- The recipients are more receptive to the emails because they are from a legitimate service, especially where the sender and company are known to them, and
- The emails may deliver a malicious payload, or simply direct users to external phishing pages to harvest credentials, as in this example.
Despite these techniques, eagle-eyed recipients of this email would be able to spot several red flags that point to the email’s inauthenticity. These include the fact that the email doesn’t address the recipient directly, and that it contains several formatting errors.
As a precaution, MailGuard urges you not to click links within emails that:
- Are not addressed to you by name.
- Appear to be from a legitimate company but use poor English, or omit personal details that a legitimate sender would include.
- Are from businesses that you were not expecting to hear from.
- Take you to a landing page or website that is not the legitimate URL of the company the email is purporting to be sent from.
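The last check in the list above, comparing a link's domain with the company the email claims to come from, can be automated at the mail gateway or in a triage script. The following Python is an added example, not MailGuard's code; the brand-to-domain allowlist, the function names and the sample message are assumptions constructed for illustration.

```python
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Illustrative brand-to-domain allowlist (an assumption, not from the article).
BRAND_DOMAINS = {"adobe": {"adobe.com"},
                 "microsoft": {"microsoft.com", "office.com", "microsoftonline.com"}}

class LinkCollector(HTMLParser):
    """Collects href values from <a> tags."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.links.append(href)

def under(host, domains):
    # Exact domain or a true subdomain; "adobe.com.login.example" does not match.
    return any(host == d or host.endswith("." + d) for d in domains)

def mismatched_links(raw_email):
    """Return links hosted outside the sender's and the named brands' domains."""
    msg = message_from_string(raw_email, policy=policy.default)
    part = msg.get_body(preferencelist=("html",))
    html = part.get_content() if part else ""
    allowed = {parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()}
    for brand, domains in BRAND_DOMAINS.items():
        if brand in html.lower():  # brand is named somewhere in the body
            allowed |= domains
    collector = LinkCollector()
    collector.feed(html)
    hosts = [(url, (urlsplit(url).hostname or "").lower()) for url in collector.links]
    return [url for url, host in hosts if host and not under(host, allowed)]

# Constructed sample message (not the real email described in the article).
SAMPLE = """\
From: "Jane Doe" <jane@supplier.example>
Subject: Purchase Order received
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<p>Sent by Jane Doe. <a href="https://files.docshare.example/view?id=1">Preview PDF</a></p>
<p><a href="https://adobe.com.login.example/signin">Review Document</a></p>
<p><a href="https://helpx.adobe.com/support.html">Help</a> Adobe PDF Team</p>
"""
```

Calling `mismatched_links(SAMPLE)` flags the document-sharing link and the lookalike host that merely begins with `adobe.com`, while the genuine `helpx.adobe.com` link passes.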
One email is all that it takes
All that it takes to break into your business is a cleverly-worded email message. If scammers can trick one person in your company into clicking on a malicious link they can gain access to your data.
For a few dollars per staff member per month, you can protect your business with MailGuard's predictive and advanced email security.
Talk to a solution consultant at MailGuard today about securing your company's network.