The email below was recently forwarded to us by a client. The recipient wanted to know whether it was a legitimate email or a phishing email. This is a phishing email. I thought that this would be a great opportunity to teach you how to identify the red flags of a phishing email. I will break it down by sections.
From: lemb1@renm dot kbevop dot com <lemb1@renm dot kbevop dot com>
Sent: Wednesday, March 13, 2019 3:31 AM
Subject: Johndoe Validation ID: #M6EKC0#
Your office̱365 email is out of date, and you won’t be able to send or receive new messages. We recommend you update within 12hours to avoid being deactivate.
СОNFIRM NОW <https://cvgh.strangled.net/px/.txfajaaicn/bWlrZUBtaWtlcmVhZ2mNvbQ>
Note: failure to confirm your mailbox will result to permanent disable.
This еmail was sеnt to John@doe.com
AccID : ##8076286
_END OF EMAIL___
If you look closely, the sender’s email address has nothing to do with Microsoft, the supposed sender of the email. This is the first red flag. NOTE: I have replaced the “.” with “dot” to prevent anyone from accidentally clicking on the link.
THE SUBJECT LINE
The subject line displays the recipient’s first name, last name, and validation ID number. These are all attempts to convince the recipient that the email is legitimate. NOTE: To protect the privacy of the recipient I changed it to Johndoe. The recipient’s real name was displayed in the original email.
You will notice that the salutation does not say “Hi Customer.” The salutation features the first name of the recipient. Phishing emails have evolved to a level of sophistication that makes it harder to tell real from fake. Using your name in the salutation is a technique to convince you it is a legitimate email.
THE CALL TO ACTION
Every phishing email has a call to action, something that you must do immediately. The sender of this email wants the recipient to click on the link to confirm his Office365 account. A “CONFIRM NOW” button was displayed in the original email. Hovering over the button, without clicking it, revealed the web address displayed between < and >. If you were to click on the button, it would take you to a website for strangled.net. This is not a website owned by Microsoft. Note: I have removed a few of the characters from the original web address to prevent anyone from accidentally clicking on it.
Every good phishing email contains a threat or consequence to get you to respond. It is a form of fear marketing. The sender of this email is threatening the recipient with permanently disabling his mailbox. The thought of having one’s email permanently deleted could cause one to act without thinking. Stop. Pause. Verify. Take action. Legitimate organizations will not issue ultimatums. They are willing to work with you and will give you options.
At the bottom of the email is a section that displays the recipient’s email address and what appears to be an account ID number. This is to trick you into believing it is from Microsoft. Don’t be fooled by account numbers, validation ID numbers, or confirmation numbers. NOTE: I have changed the original email address to protect the privacy of the recipient.
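The sender, link, and threat checks walked through above can be automated as a first-pass triage. This is an added example, not part of the original email or this post's own tooling; the trusted-domain list, the urgency patterns, and the sample message (placeholder addresses on reserved example domains) are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: illustrative, incomplete list of domains the claimed brand uses.
TRUSTED_DOMAINS = {"microsoft.com", "office.com", "office365.com", "microsoftonline.com"}
# Assumption: pressure wording of the kind the sample email uses.
URGENCY = re.compile(r"within \d+\s*hours?|permanent|deactivat|failure to", re.I)

# Constructed sample modelled on the email above; sender and URL are placeholders.
SAMPLE = """\
From: sender@mail.example.net
Subject: Johndoe Validation ID: #000000#

Your office365 email is out of date. We recommend you update within 12hours
to avoid being deactivate.
CONFIRM NOW <https://login.example.org/px/confirm>
Note: failure to confirm your mailbox will result to permanent disable.
"""

def is_trusted(host):
    """True only for a trusted domain or a true subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def red_flags(raw):
    """Return the red flags found in a raw single-part text message."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    flags = []
    # Red flag 1: the sender's domain has nothing to do with the claimed brand.
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if not is_trusted(sender_domain):
        flags.append(f"sender domain not owned by claimed brand: {sender_domain}")
    # Red flag 2: the call-to-action link leads somewhere else.
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        host = urlsplit(url).hostname
        if not is_trusted(host):
            flags.append(f"link points outside claimed brand: {host}")
    # Red flag 3: deadline or threat wording.
    hits = sorted({m.group(0).lower() for m in URGENCY.finditer(body)})
    if hits:
        flags.append("urgency or threat wording: " + ", ".join(hits))
    return flags

if __name__ == "__main__":
    for flag in red_flags(SAMPLE):
        print("RED FLAG:", flag)
```

A message that passes these checks is not proven legitimate; the checks only surface the red flags described in this post.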
STEPS TO TAKE
Here are the steps to take if you should receive a suspicious email:
- Contact the organization at the phone number listed on their main website, on the back of your credit card, or on your statement. Never call the phone number listed in the suspicious email.
- Log in to your account by going to their main website. If there is a problem with your account, you will see a notification.
- Search the internet for similar emails. Using this phishing email, a simple search for “office365 email scam” reveals numerous search results claiming the email is a fake.