This week we had a client who received an email from Microsoft. Not unusual, considering that they use Microsoft products regularly and would expect to be marketed to by Microsoft. Our client (who has offices in several countries) noticed something unusual about this latest email, though.
The Set Up
To begin with, it was advertising products that the business doesn’t use. And, while it LOOKED like a Microsoft email, it also was surprising that the “alert” was the first one they received and there was a clear sense of immediate urgency on the message:
If your Microsoft email account were scheduled to expire, wouldn’t you likely be notified 30+ days in advance? Why would you suddenly receive an urgent notice with “just” 24 hours to act? That seemed unlikely to us. And then, on closer inspection, you begin to notice something else: English grammar and spelling can be tough to learn. Why is “Expires” capitalized? And “below” is clearly misspelled.
This immediately raises red flags and should alert us that something is wrong. Microsoft is a large, credible, and professional firm. They probably don’t often make these kinds of spelling and grammatical errors in their public communications, right? If that were the only thing wrong, perhaps we’d let it pass. But, of course, there’s more!
The “Sign In” button is interesting. Why would a sign-in button be contained in an email? Email should (when used correctly) direct you to a website, and from there you can log in to an account. To jump from an email straight into an account seems like a step is missing — and in this case, it’s where the fraud is evident.
When you hover over the “Sign In” button, the target location of the link is revealed. This is tricky! At first glance, the link appears to point to http://microsoft.login.office365.account. That looks totally legitimate to most people… until you read the entire link! The link below actually ends with the domain faircampaignpractices.org (underlined below); that is the real destination, and everything in front of it is just a subdomain chosen to look like Microsoft. Why would Microsoft have you log in to a website belonging to some non-profit campaign reform organization?
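One way to automate the link check described above, as an added example that is not from the original post: it pulls the registered domain out of a link’s hostname and flags the case where Microsoft-looking labels sit in the subdomain but the link lands somewhere else. The full sample URL and the allow-list of expected Microsoft domains are assumptions; the post only shows the microsoft.login.office365.account prefix and the faircampaignpractices.org ending.

```python
from urllib.parse import urlparse

# Constructed sample in the shape the post describes: a Microsoft-looking prefix
# hanging off an unrelated registered domain. The path and full host are assumed.
SAMPLE_LINK = "http://microsoft.login.office365.account.faircampaignpractices.org/signin"

# Assumed allow-list of domains a genuine Microsoft sign-in link would land on.
EXPECTED_DOMAINS = {"microsoft.com", "microsoftonline.com", "office.com", "live.com"}

# Brand-like words that lures put in the subdomain to look legitimate.
LURE_LABELS = ("microsoft", "office365", "login", "account")


def registered_domain(hostname: str) -> str:
    """Return the registrable domain (last two labels of the hostname).
    A production checker should use the Public Suffix List so that
    suffixes such as co.uk are handled correctly."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname.lower()


def inspect_link(url: str, expected_domains=EXPECTED_DOMAINS) -> dict:
    """Inspect a link target the way a hover-over check would, but mechanically."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    reg = registered_domain(host)
    findings = []
    if reg not in expected_domains:
        findings.append(f"link lands on {reg}, not an expected domain")
    # Everything left of the registered domain is subdomain chosen by the sender.
    subdomain = host[: -len(reg)].rstrip(".") if host.endswith(reg) else host
    lure_hits = [w for w in LURE_LABELS if w in subdomain]
    if lure_hits and reg not in expected_domains:
        findings.append(f"brand-like labels {lure_hits} appear only in the subdomain")
    if parsed.scheme == "http":
        findings.append("plain http, no TLS")
    return {
        "host": host,
        "registered_domain": reg,
        "suspicious": bool(findings),
        "findings": findings,
    }


if __name__ == "__main__":
    for link in (SAMPLE_LINK, "https://login.microsoftonline.com/"):
        print(inspect_link(link))
```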
An ounce of prevention…
Our advice to our clients is always to proceed carefully in these situations. In this case, our client knew they weren’t subscribing to Microsoft Office 365 for email, so this was an unusual situation to begin with. They suspected something was wrong. While their users didn’t know how to inspect the message closely, they DID bring it to us and ask for our evaluation.
Is worth a pound of cure…
We reviewed the email and in a matter of 15 seconds knew that it was fake. A quick email response back to the client assured them that their initial thought was correct, and we advised them to delete the email and not respond to it in any way. Was a complete catastrophe avoided? We’ll never know for sure. But consider for a moment what kind of consequences could have occurred here!
– What if the recipient was an Office 365 administrator for a company and reacted to that headline (‘expires in 24 hours’) out of fear?
– What if they logged into the site with their real admin credentials and quite literally “gave away” the information?
– How long do you think it would take a scammer to receive those real credentials, log in to the real Office 365 account, and begin stealing account information, watching/reading corporate emails, intercepting data, and stealing from your company?
These kinds of scams are vicious and can be destructive to a company. Knowing how to at least review and check an email — especially when your first gut-check indicates that it seems odd — could make the difference between “business as usual” and an all-out fight to save data, security, and money.
What to do
If you’ve fallen victim to a phishing attack like this, your first action should be to contact the company (such as Microsoft, in this case) by phone. Call them and explain to the service team what has happened. Hopefully they can update the affected accounts with secure passwords immediately and prevent any loss from occurring.
Second, make sure you notify your employees, volunteers, staff, etc. about the potential theft and how it happened. Typically a threat would target a larger number of people, not just one user. Make sure that your whole team is aware and on alert.
Third, let us know about the incident so that we can run scans against your network, investigate the situation, and help determine what actions might be helpful to secure your business.
Email scams are constant and frustrating. While lots of tools exist to help eliminate threats, fraudulent and damaging emails sometimes still get delivered to unsuspecting recipients. Knowing how to review and carefully scan those emails is a skill that’s worth knowing and can save your business from a potential disaster.