You have new held messages

Sometimes organizations ‘quarantine’ email messages that might be suspicious, allowing the end user to review them before they are released to the user’s mailbox. This phish tries to fool the user into thinking they have messages that need to be released from that quarantine.

In this case, the fake login page was hosted on the Google Firebase storage service. The attacker used the UVic martlet image to try to fool users into thinking this is a legitimate UVic service, which it is not.

Gift card scams

Gift card scammers often start by sending emails like the example below. They pretend to be a person in a position of authority (the president in this case) and ask the recipient if they are free to help with an urgent task. People who reply will be asked to purchase several hundred dollars’ worth of gift cards out of their own pocket and then send pictures of them with the numbers revealed to the scammer. If you’re curious, this CISO Blog post has a detailed example of how the correspondence can pan out.

We’ve also seen variations where the scammer begins by asking the recipient to send their mobile phone number. This lets the scammer shift to communicating by SMS to try to avoid detection.

Tips to avoid falling for these gift card scams:

  • Check the sender email address – in this case, it’s a dodgy Gmail address, which clearly indicates that this request is fraudulent.
  • Even if the sender email address looks legitimate, it could be spoofed. Reach out to the purported sender via a different communication channel, such as calling a phone number you know is trustworthy, to check whether the email is legitimate.
  • Never send pictures of gift cards by email, SMS or messaging app; a legitimate request for gift cards would not ask you to do that.
    • If you did, call the company that issued the gift card (e.g. Apple iTunes, Google Play, etc.) as soon as possible; they may be able to freeze the funds and/or help you get your money back. Also reach out to your department’s IT support person.
  • Do not reply to these sorts of emails with your cell phone number – the scammer might target you with vishing (voice phishing) or smishing (SMS phishing) in the future.