You have a new Fax!

Fax machine
When was the last time you received a fax? Possibly never. But, it might surprise some of you to know that millions of faxes get sent every day. In Germany, Japan and the US especially, they are alive and well, if not so much here in the UK. But how are they used in Phishing?

Phishing is not a specifically email related nuisance. SMS is another widely used approach (known as Smishing), but any medium can be used. It can be anything that targets stealing of personal information or money (the former only obtained in order to get the latter).

Here we’re looking at email, rather than faxes per se. But with the digitisation of services, both voicemail and faxes are now increasingly being delivered digitally as email attachments. Over the last year in particular, previously office bound workers started working from home, and as a result the use of hosted phone services saw a huge rise.

Phishing has followed this trend, and now one of the most common approaches that we’re seeing reported that gets through to the inbox is that of a received Fax.

Phishing email alerting to new fax messages

The above is a good example, though as usual, once you look closely there are several give-aways that it’s not real.

Webpage as an attachment

Very common these days is the replacement of a PDF or Word document as an attachment (both of which were often used to hide the links that take you to the phishing site rather than placing them in the message body) with an HTM/HTML file. In the example it’s Edge, but it could show up as Chrome or Firefox, depending on your default browser. 

What’s different about this is that the attachment contains code that runs a script on your computer. The attachment is a file, and if we save it and open it (securely of course, because we’re suspicious) we can see that it’s opened a web page but the URL is the location of that folder, not a website.

Fake Microsoft Office 365 sign in page

This example has other odd attributes. The page is mocked up to look like a Word document (why would a fax open as a Word Doc?) with the background blurred and a Microsoft sign in prompt overlaid on top. It’s not uncommon for the page to look like a standard Office 365 sign in page, or even your own company branded logon portal. Your email address is embedded in the script (I’ve changed it in the example) and it can even pull your custom office 365 sign in page background down making it look like your company portal.

You can enter a password, but no other buttons work.

Fake Microsoft Office 365 sign in page

As usual, if you try to sign in, it doesn’t work. It may then take you to the real Microsoft sign in web page after that, mainly to alleviate suspicion that this was a scam all along, and make you think there’s something wrong with the sign in.

Fake Microsoft Office 365 sign in page incorrect password

What else can we see?

There are other signs and inconsistencies which are often present that you can always look for.

  • Do you know the sender? Usually not.
  • Are you expecting a fax from anyone?
  • If it’s a voicemail, have you seen any missed calls? It is delivered in the same way your voicemail is normally delivered?
  • Does the message body fit the subject and the rest of the message?
  • If you click on the link or attachment (and really, you shouldn’t unless you are using a secure browser) does the page look like you would expect?

All this and more can reveal whether it’s a legitimate email or not. Often when receiving dodgy emails from unknown senders, we get a feeling that something is not right. The best action to take is to be extra cautious. Check with your IT department or, if it looks like it might be real and you just want to be sure, follow up independently by searching for the sender company online (not by clicking the link in the email) and give them a call to verify if they really did send it.

Like this article?

Share on Twitter
Share on LinkedIn
Share by Email

Subscribe to our monthly newsletter

Get the best IT tips and Office ideas in your inbox

Further reading

Making Sense Of Information Security

Making Sense of Information Security – Online Course

In this series of 5 short tutorials, ‘Making Sense Of Information Security’, Ciaran delivers a step by step guide on getting to grips with this at times tricky concept. Aimed at office managers, we cover areas such as how to get senior management buy-in, how to undertake a risk assessment, how to approach treatment of those risks, your responsibilities to data subjects under the GDPR, and more.

Read More »
copilot-logo

Enhance Productivity with Microsoft 365 Copilot

AI tools are transforming how people approach their work, but online ‘free’ tools such as ChatGPT are not secure for businesses to use, and you should never enter any confidential or personal information into free online AI Services. This information can be used to train the AI and make it available to other users, and may constitute a data breach.

Read More »
3D rendering. Abstract background concept of cyber security and attack, system crash.

The 7 Most Common Attack Vectors in 2024

With the rapid onset of new technological capabilities, cyberattacks are a very real threat to any modern business. After all, as more businesses implement new technologies into their business, cyber attackers gain more new targets to try their hand at.

Read More »
Scroll to Top