A client forwarded us an email this week because he wasn’t sure whether it was real. Let’s go through the red flags and see how easily it can be recognized as phishing.
From

It says it’s from Help Desk Support, and the email domain is one completely unrelated to our business or any of our vendors. Great first indicator. We don’t know the sender, so we probably shouldn’t trust the contents. Not necessarily phishing, but very likely it’s spam.
Subject

What is that? Even if the email was from a help desk support agent, why is that the subject of the email? An email subject should explain what’s in the email, not show a random hexadecimal string. I guess maybe it’s supposed to look official and technical, but it just screams SCAM to me.
Body

OK, here’s where things get a little more obvious. First, it looks like they’re kind of trying to imitate the user’s help desk, and it kind of looks like they’re trying to imitate Microsoft. Either way, no good. But going back to the actual text: nobody writes a date like that, not even computer-generated stuff. Next, “Connect Below to Activate Same Settings” doesn’t make sense. It doesn’t make sense in the context of this email (you’re not activating settings, you’re dealing with a password expiration), and it isn’t grammatical English.
More specifically on passwords: If a password is going to expire, talking to someone will not let you keep the same password. You’ll need a new one. For Microsoft passwords, expiry notifications come from Microsoft directly, and can be found on the Microsoft portal when you log in.
Subtext
There were two more problems in this email, both glaringly obvious. The first is that the signature consisted solely of the domain name of the customer with no closing (sincerely, etc.), and the domain doesn’t even reflect the actual name of the business. Obviously I can’t show you that part. But the other, most obvious problem is something you probably rarely pay attention to: the postscript. You know, the text that so many companies put at the bottom of their emails that includes a bunch of legalese and “if you receive this by accident” stuff? Here’s the postscript from this email:

That’s probably hard to see, but if you zoom in you’ll notice it’s the postscript from a UBS Bank email. This is not UBS, so that’s a glaring red flag that this email is fake.
So what do you do if you get an email like this? Report it to your IT team, delete it, and definitely don’t click on anything. If you’re not sure, you can always reach out to our team and get our advice. But if in doubt, it’s usually a safe bet to throw it out.
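For IT teams triaging reported mail, three of the red flags above (unknown sender domain, hex-only subject, footer naming an unrelated brand) can be checked mechanically. This is an added example, not part of the original article; the trusted-domain list, the brand map, the function name `red_flags` and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions (not from the article): the domains your organisation really
# deals with, and brands whose text should only arrive from their own domain.
TRUSTED_DOMAINS = {"example.com", "microsoft.com"}
BRAND_DOMAINS = {"ubs": "ubs.com", "microsoft": "microsoft.com"}

def red_flags(raw_message: str) -> list[str]:
    """Return the article's red flags found in a single-part text email."""
    msg = message_from_string(raw_message)
    flags = []

    # From: sender domain unrelated to the business or its vendors.
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if domain not in TRUSTED_DOMAINS:
        flags.append("unknown-sender-domain")

    # Subject: nothing but a hexadecimal string (must contain a digit).
    compact = re.sub(r"[\s:\-]", "", msg.get("Subject", ""))
    if re.fullmatch(r"[0-9a-fA-F]{8,}", compact) and re.search(r"\d", compact):
        flags.append("hex-subject")

    # Body/footer: names a brand the sender domain does not belong to.
    body = msg.get_payload()
    if isinstance(body, str):
        for brand, brand_domain in BRAND_DOMAINS.items():
            owned = domain == brand_domain or domain.endswith("." + brand_domain)
            if re.search(rf"\b{re.escape(brand)}\b", body, re.I) and not owned:
                flags.append(f"brand-mismatch:{brand}")
    return flags

# Constructed samples modelled on the article's description (not the real email).
SAMPLE = """\
From: Help Desk Support <helpdesk@unrelated-sender.example>
Subject: 4F2A9C1D7E33B0A8

Your password expires today. Connect Below to Activate Same Settings.

This message is from UBS and may contain confidential information.
"""
BENIGN = """\
From: IT <it@example.com>
Subject: Maintenance window on Friday

Servers restart at 18:00.
"""

if __name__ == "__main__":
    print(red_flags(SAMPLE))
    print(red_flags(BENIGN))
```

A hit on any one flag is a reason for a closer look, not a verdict; as the article notes, an unknown sender alone may just be spam.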