Examples of Phishing Emails

COVID-19 Specific Examples

To keep people up to date on what some of the COVID-19 email scams look like, here are recently processed examples from security vendors.

Emails received with links leading to an OWA credential harvesting page

  • Coronavirus notice subject lines purporting to be from an internal IT service desk
  • The link in the campaign tricks users into signing up for a mandated seminar, or else risk disciplinary measures

Impact – Stolen Credentials

Where the link leads (not a real OWA login)


Coronavirus “Secret Cure” Lure

  • The email claims there is a cure being hidden by government entities because the virus is being used as a bio-weapon. It then urges the recipient to receive further information on the “cure” by clicking on the link provided in the email.
  • If the recipient clicks on the link, they are taken to a fake DocuSign website where they’re told they need to enter credentials to get the information.

Fake Internal Email from an Organisation on Coronavirus

  • Attackers are also subverting internal credibility in their attacks. In this example, we see a campaign that uses a COVID-19 email designed to look like an internal message to all staff.
  • This email is very well-crafted and has the business’ president’s correct name. It includes a Microsoft Word attachment with an embedded URL that leads to a fake Microsoft Office website asking the user to enter credentials. Once the credentials are entered, the user is redirected to the legitimate World Health Organisation Coronavirus information site, making the phishing transaction seem legitimate.

Fake World Health Organisation Lure

  • Looking to abuse legitimate sources of information, attackers are using the World Health Organisation (WHO) name to distribute an attachment that will install the AgentTesla Keylogger.
  • Once installed, this malware will record all keystrokes and send them to the attackers, a tactic that can give access to online banking and financial accounts.

General Examples

Here are some examples of actual phishing emails. We have indicated the suspicious features of each email. For a full list of things to watch out for, read the article “Detecting Phishing Emails”.

Slide 1: “Internet Banking Security Reminder!.”

This phishing email targets Kiwibank customers. The subject line has the prefix “[PMX…]”, which was added by Puremessage, the Anti-Spam system used at the University of Otago. Some other antivirus programs have a similar feature.

The most obvious indications that this email is fake are:

  • The link does not go to Kiwibank.
  • The sender is simply specified as “Kiwibank Limited”; there is no individual or department named.

 

Slide 2: “Facebook Technical Support sent you a notification”

This phishing email targets Facebook users. This is a screenshot from Gmail, which looks different compared to email software like Outlook and Thunderbird. The link preview text is in the lower left corner, instead of appearing as a popup.

The most obvious indications that this email is fake are:

  • The sender has an email address ending in “…onlinehome-server…”.
  • There is no indication that the sender even knows the name of the recipient.
  • The “Go To Facebook” link actually goes to a website that isn’t Facebook.

 

Slide 3: “You Have One Important Security Message”

University of Otago staff were specifically targeted in this phishing email. However, the general style of the email is easily modified to suit any target – the attacker just needs to change the “From” address, and the last line of text in the email.

The most obvious indications that this email is fake are:

  • The “Click here to View Message” link goes to a non-Otago website.
  • The format of the notification is unusual.
  • The sender is simply specified as the “…Webmail Service”; there is no individual or department named.

 

Slide 4: “Warning Alert!”

This phishing email was also targeted at the “Unoversity” of Otago.

The most obvious indications that this email is fake are:

  • The “From” address is inconsistent with itself. The first part reads “helpdesk@otago.ac.nz”, and the second part ends with the name of a different organisation.
  • The link given is obviously not to an Otago website.
  • The sender is simply specified as the “Unoversity of Otago” [sic]; there is no individual or department named.

 

Almost all phishing emails can be easily detected – it just takes a bit of critical thinking. Read our other article, “Detecting Phishing Emails”, for more information.
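Two of the indicators marked on the slides above can be checked mechanically: a “From” display name that shows a different address than the real sender (Slide 4), and links whose host is outside the organisation’s domain (all four slides). The following is an added example, not part of the original article; the sample message, the example.* hosts and the function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message; the example.* hosts are placeholders.
SAMPLE = '''From: "helpdesk@otago.ac.nz" <notice@mail.example.net>
Subject: Warning Alert!
Content-Type: text/html; charset="utf-8"

<p><a href="http://webmail.example.org/login">Click here</a> or see <a href="https://www.otago.ac.nz/its">ITS</a>.</p>
'''

class HrefCollector(HTMLParser):
    """Collect the href of every <a> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)

def in_domain(host, domain):
    # Match on a label boundary; a substring test would accept hosts that merely contain the domain.
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def phishing_indicators(raw, org_domain):
    """Return human-readable findings for one raw RFC 5322 message."""
    msg, findings = message_from_string(raw), []
    # Check 1 (Slide 4): the display name shows one address, the real sender is another.
    display, addr = parseaddr(msg.get("From", ""))
    shown = re.search(r"[\w.+-]+@([\w.-]+)", display)
    if shown and shown.group(1).lower() != addr.rpartition("@")[2].lower():
        findings.append(f"From shows {shown.group(0)} but sender is {addr}")
    # Check 2 (Slides 1-4): a link leaves the organisation's domain.
    parser = HrefCollector()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            parser.feed(part.get_payload(decode=True).decode(charset, "replace"))
    for href in parser.hrefs:
        host = urlsplit(href).hostname
        if host and not in_domain(host, org_domain):
            findings.append(f"link goes to {host}, not {org_domain}")
    return findings
```

Calling `phishing_indicators(SAMPLE, "otago.ac.nz")` returns one finding for the inconsistent “From” header and one for the off-domain link, while the link to www.otago.ac.nz is not flagged.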

 
 
 
