Phishing is not a specifically email related nuisance. SMS is another widely used approach (known as Smishing), but any medium can be used. It can be anything that targets stealing of personal information or money (the former only obtained in order to get the latter).
Here we’re looking at email, rather than faxes per se. But with the digitisation of services, both voicemail and faxes are now increasingly being delivered digitally as email attachments. Over the last year in particular, previously office bound workers started working from home, and as a result the use of hosted phone services saw a huge rise.
Phishing has followed this trend, and now one of the most common approaches that we’re seeing reported that gets through to the inbox is that of a received Fax.
The above is a good example, though as usual, once you look closely there are several give-aways that it’s not real.
Webpage as an attachment
Very common these days is the replacement of a PDF or Word document as an attachment (both of which were often used to hide the links that take you to the phishing site rather than placing them in the message body) with an HTM/HTML file. In the example it’s Edge, but it could show up as Chrome or Firefox, depending on your default browser.
What’s different about this is that the attachment contains code that runs a script on your computer. The attachment is a file, and if we save it and open it (securely of course, because we’re suspicious) we can see that it’s opened a web page but the URL is the location of that folder, not a website.
This example has other odd attributes. The page is mocked up to look like a Word document (why would a fax open as a Word Doc?) with the background blurred and a Microsoft sign in prompt overlaid on top. It’s not uncommon for the page to look like a standard Office 365 sign in page, or even your own company branded logon portal. Your email address is embedded in the script (I’ve changed it in the example) and it can even pull your custom office 365 sign in page background down making it look like your company portal.
You can enter a password, but no other buttons work.
As usual, if you try to sign in, it doesn’t work. It may then take you to the real Microsoft sign in web page after that, mainly to alleviate suspicion that this was a scam all along, and make you think there’s something wrong with the sign in.
What else can we see?
There are other signs and inconsistencies which are often present that you can always look for.
- Do you know the sender? Usually not.
- Are you expecting a fax from anyone?
- If it’s a voicemail, have you seen any missed calls? It is delivered in the same way your voicemail is normally delivered?
- Does the message body fit the subject and the rest of the message?
- If you click on the link or attachment (and really, you shouldn’t unless you are using a secure browser) does the page look like you would expect?
All this and more can reveal whether it’s a legitimate email or not. Often when receiving dodgy emails from unknown senders, we get a feeling that something is not right. The best action to take is to be extra cautious. Check with your IT department or, if it looks like it might be real and you just want to be sure, follow up independently by searching for the sender company online (not by clicking the link in the email) and give them a call to verify if they really did send it.