You have a new Fax!

When was the last time you received a fax? Possibly never. But, it might surprise some of you to know that millions of faxes get sent every day. In Germany, Japan and the US especially, they are alive and well, if not so much here in the UK. But how are they used in Phishing?

Phishing is not a specifically email related nuisance. SMS is another widely used approach (known as Smishing), but any medium can be used. It can be anything that targets stealing of personal information or money (the former only obtained in order to get the latter).

Here we’re looking at email, rather than faxes per se. But with the digitisation of services, both voicemail and faxes are now increasingly being delivered digitally as email attachments. Over the last year in particular, previously office bound workers started working from home, and as a result the use of hosted phone services saw a huge rise.

Phishing has followed this trend, and now one of the most common approaches that we’re seeing reported that gets through to the inbox is that of a received Fax.

Phishing email alerting to new fax messages

The above is a good example, though as usual, once you look closely there are several give-aways that it’s not real.

Webpage as an attachment

Very common these days is the replacement of a PDF or Word document as an attachment (both of which were often used to hide the links that take you to the phishing site rather than placing them in the message body) with an HTM/HTML file. In the example it’s Edge, but it could show up as Chrome or Firefox, depending on your default browser. 

What’s different about this is that the attachment contains code that runs a script on your computer. The attachment is a file, and if we save it and open it (securely of course, because we’re suspicious) we can see that it’s opened a web page but the URL is the location of that folder, not a website.

Fake Microsoft Office 365 sign in page

This example has other odd attributes. The page is mocked up to look like a Word document (why would a fax open as a Word Doc?) with the background blurred and a Microsoft sign in prompt overlaid on top. It’s not uncommon for the page to look like a standard Office 365 sign in page, or even your own company branded logon portal. Your email address is embedded in the script (I’ve changed it in the example) and it can even pull your custom office 365 sign in page background down making it look like your company portal.

You can enter a password, but no other buttons work.

Fake Microsoft Office 365 sign in page

As usual, if you try to sign in, it doesn’t work. It may then take you to the real Microsoft sign in web page after that, mainly to alleviate suspicion that this was a scam all along, and make you think there’s something wrong with the sign in.

Fake Microsoft Office 365 sign in page incorrect password

What else can we see?

There are other signs and inconsistencies which are often present that you can always look for.

  • Do you know the sender? Usually not.
  • Are you expecting a fax from anyone?
  • If it’s a voicemail, have you seen any missed calls? It is delivered in the same way your voicemail is normally delivered?
  • Does the message body fit the subject and the rest of the message?
  • If you click on the link or attachment (and really, you shouldn’t unless you are using a secure browser) does the page look like you would expect?

All this and more can reveal whether it’s a legitimate email or not. Often when receiving dodgy emails from unknown senders, we get a feeling that something is not right. The best action to take is to be extra cautious. Check with your IT department or, if it looks like it might be real and you just want to be sure, follow up independently by searching for the sender company online (not by clicking the link in the email) and give them a call to verify if they really did send it.

Like this article?

Share on twitter
Share on Twitter
Share on linkedin
Share on LinkedIn
Share on email
Share by Email

Subscribe to our monthly newsletter

Get the best IT tips and Office ideas in your inbox

Further reading


How to add a Shared Mailbox to Outlook Mobile

If you have access to shared mailboxes and you need to view these in Outlook on your mobile, you don’t need to know the username and password for those accounts. You can add them using your existing delegated access rights.

Read More »

Information Security

You can’t have IT without Security!

There, we said it, but what does that mean and perhaps more importantly, what does it mean for our customers?

Read More »

To Save or to Auto Save?

Save as you go. If ever there was a golden rule of working with computers, this is it. Anyone who has ever worked on a document before losing their progress to an application crash or power cut knows only too well the dangers of not saving your work. So the introduction of Auto Save in Office seems to be, on the face of it, an absolute gem. But how does it work and what if you need to turn it off?

Read More »
Scroll to Top