In a recent video blog, I sat down with Sean Jacobs to discuss a real-world example of a phishing email that he had turned into a training opportunity. Using that email, he could showcase to clients how easy it is for employees to fall victim to a phishing scam.
However, that isn’t the only phishing email example that Sean uses with customers (and even Protected Trust’s own team). To really help improve cyber awareness and keep everyone on their toes, he has a few other ethical email phishing examples that he uses.
Ethical Phishing Email Example 2: Non-Delivery Report
Continuing from where he left off in the last phishing email example video, Sean introduces a new phishing email that simulates a communication from Microsoft. Specifically, this is a mimic of Microsoft’s Non-Delivery Report (NDR) email template.
“End users don’t typically receive this kind of message. Basically, this is… a non-delivery report. Essentially, when you send an email, and it can’t be delivered for some reason, you’ll get a response back saying ‘we couldn’t deliver that message because of [some] reason.’ What this one is, it looks just like an NDR report and it looks like a Microsoft one—one of their nice, new, pretty NDRs. [It] basically says that there was server congestion and we couldn’t send that message. If you want to send it again, click this ‘Send Again’ button.”
The goal of this email is to trick the target into clicking on that “send again” link to guide them to a false login page. Here, the user would be encouraged to enter their credentials, unwittingly handing them to a malicious actor.
This takes advantage of the target’s impulse to make sure that a message they sent recently went out as intended. Most people send enough messages per day that at least one will always be in flight, so this email is likely to trick them. A more targeted phishing attack might even cite a specific intended recipient to increase the apparent authenticity of the message.
Warning: NOBODY is Immune to Phishing
Right after introducing the NDR phishing email example, Sean and I discuss how these emails could easily fool even a wary target into clicking on the wrong link or surrendering sensitive info—and that nobody’s immune:
- Sean: “I’ve seen different variations of this, but it’s still that same kind of thing where it’s a very official-looking email. It’s got all the right pictures, and it’s got all the right colors and it looks like the real thing, but it’s not.”
- Me: “Especially if you’re in a hurry, and you’re not an IT guy, right? It’s like you’re just doing your thing and it’s like: click, click, click.”
- Sean: “Which is something people do… It’s not that they’re not paying attention—it’s just that they’re busy… I’ve got a folder full of things that are interesting examples.”
- Me: “What about when the company says: ‘Oh, you won’t be able to phish our company.’”
- Sean: “Oh, I love that. Those are my favorites because… I can’t think of any examples where I haven’t been successful at phishing at least 10 percent of the users in a company.”
The problem is that a lot of people still think of phishing emails as the infamous “Nigerian Prince” emails which straight up ask for banking details. However, phishing has evolved since those days. Now, phishers use a variety of tactics to fool their victims, and they have ready-made tools at their disposal that make phishing easy.
Worse yet, the larger your organization is, the more likely it is that someone will fall for the phish.
Ethical Phishing Example 3: Voicemail Phishing
Sean closes out the video by sharing and discussing a different type of phishing—the voicemail phishing scam. Here, an email is sent with a transcript of a voicemail preview (in this case, purportedly from Microsoft’s voicemail solution). In the video, Sean says:
“I thought this one was really interesting because it doesn’t look anything like one of the voicemail previews that you get from Office 365. But, it was still pretty successful in my mind, so I made it a little better… I can see that it’s a voicemail for me—it came from this number that I don’t recognize—but then there’s that preview saying that ‘Good Morning Sean this is Steve P from the State Office of…’ and I get the ellipsis there and I’m like ‘oh, crap. The state office of what?’”
Despite the base email being obviously fake to someone who’s intimately familiar with Microsoft’s voicemail preview emails in Office 365, it still generates curiosity. This is one of the most frequently used tools of the modern-day phisher: the target’s curiosity. That little doubt in the reader’s head that says: “This could be serious; I need to check it out.” By leveraging that, phishers can easily gain access to information and hijack user accounts despite sending obviously fishy (or is that phishy?) emails.
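Both lures described above (the fake NDR with its “Send Again” button and the voicemail preview) share the same shape: a branded, official-looking message whose only real payload is a link to a page that captures credentials. The following is an added example, not code from the video, from Sean Jacobs or from Protected Trust, of a defender-side mail check that flags that shape. It tests two things: whether a message that claims to be a delivery report actually has the multipart/report, report-type=delivery-status structure that genuine delivery-status notifications use (RFC 3464), and whether NDR- or voicemail-style lure text carries links to hosts outside an allowlist. The allowlist of trusted link hosts, the phrase lists and the three sample messages are constructed assumptions; tune the first two to what your own tenant’s legitimate mail actually looks like.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Phrases typical of the two lures discussed on the page (constructed list; extend for your environment).
NDR_PHRASES = ("couldn't be delivered", "could not be delivered", "undeliverable", "send again")
VOICEMAIL_PHRASES = ("voicemail", "voice message", "new voice mail")

# Assumption: hosts that genuine Microsoft mail in your tenant links to. Adjust for your environment.
TRUSTED_LINK_HOSTS = {"microsoft.com", "office.com", "outlook.com", "office365.com"}


def link_hosts(html: str) -> set:
    """Extract the lowercase hostname of every href in an HTML (or plain) body."""
    hosts = set()
    for url in re.findall(r'href\s*=\s*["\']([^"\']+)', html, flags=re.IGNORECASE):
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def is_trusted_host(host: str) -> bool:
    """True if host is one of the allowlisted domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_LINK_HOSTS)


def assess_message(raw: str) -> list:
    """Return the reasons a message looks like an NDR/voicemail credential lure (empty list = no concern)."""
    msg = email.message_from_string(raw, policy=policy.default)
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part is not None else ""
    haystack = (msg.get("Subject", "") + "\n" + body).lower()

    looks_like_ndr = any(p in haystack for p in NDR_PHRASES)
    looks_like_voicemail = any(p in haystack for p in VOICEMAIL_PHRASES)
    if not (looks_like_ndr or looks_like_voicemail):
        return []

    findings = []
    # A genuine delivery report is multipart/report with report-type=delivery-status (RFC 3464).
    # A hand-built HTML email that merely *says* the message bounced has no such structure.
    is_real_report = (msg.get_content_type() == "multipart/report"
                      and msg.get_param("report-type") == "delivery-status")
    if looks_like_ndr and not is_real_report:
        findings.append("claims to be a delivery report but is not a multipart/report message")

    # Real bounces and voicemail previews do not need to send the user to an arbitrary external login page.
    untrusted = sorted(h for h in link_hosts(body) if not is_trusted_host(h))
    if untrusted:
        findings.append("lure text with links to untrusted hosts: " + ", ".join(untrusted))
    return findings


# Constructed sample messages (.invalid is a reserved TLD, so none of these hosts exist).
FAKE_NDR = """\
From: Microsoft Outlook <postmaster@example-mailer.invalid>
To: sean@example.com
Subject: Undeliverable: Quarterly report
Content-Type: text/html; charset="utf-8"

<html><body><p>Your message couldn't be delivered because of server congestion.</p>
<a href="https://reauth.example-login.invalid/send-again">Send Again</a></body></html>
"""

REAL_NDR = """\
From: Mail Delivery System <MAILER-DAEMON@mail.example.com>
To: sean@example.com
Subject: Undeliverable: Quarterly report
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Your message couldn't be delivered to bob@example.org. Recipient address rejected.

--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mail.example.com

Final-Recipient: rfc822; bob@example.org
Action: failed
Status: 5.1.1

--b1--
"""

VOICEMAIL_LURE = """\
From: Voicemail <no-reply@vm-preview.invalid>
To: sean@example.com
Subject: New voicemail from +1 (555) 010-0199
Content-Type: text/html; charset="utf-8"

<html><body><p>Good Morning Sean this is Steve P from the State Office of...</p>
<a href="https://vm-preview.invalid/play?id=1">Play voicemail</a></body></html>
"""

if __name__ == "__main__":
    for name, sample in (("fake NDR", FAKE_NDR), ("real NDR", REAL_NDR), ("voicemail lure", VOICEMAIL_LURE)):
        print(name, "->", assess_message(sample) or ["no findings"])
```

The structural check is the stronger signal for the NDR case: an attacker can copy Microsoft’s colours and logos into an HTML body, but a real bounce is generated by the mail server as a delivery-status report, not typed up as a web page. The link check covers the voicemail case, where there is no such structure to test and the only tell is where the “play” link actually goes.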
The simple fact of the matter is that phishing attacks are a clear and present danger to organizations of all sizes and industries. If you need help securing your company against this cyber threat, check out our online security training course. Or, reach out to the Protected Trust team for answers.