Marketing’s Weekly Dose of the Truth

Ken Magill

About Us

Email + Phishing: Separating Scams from the Real Thing Can be Tough

5/7/13

By Stephanie Colleton

While ISPs and corporate spam filters work hard to catch most of the bad email out there, inevitably some do get through to the inbox. Some scams – whether spreading viruses or phishing attempts - are pretty obvious.

Others can sometimes be so realistic even those of us with heightened awareness do pause for a moment. And then there are the legitimate emails that look like phishing scams. Here are a few recent examples from my inbox.

The email below from domain facebookmail.com looks realistic. The subject line was “Check out Jeffrey’s photos on Facebook.”

The from domain, facebookmail.com, is plausible, the look and feel matches Facebook, the copy is typo free and even the footer sounds realistic.

I intentionally didn’t download the images so I can’t be sure what they were. What is suspicious? Well, the use of just “Jeffrey” instead of a full name, and the full from address: invite+Ac3RlcGhhbmllLmNvbGxldG9uQHJldHVybnBhdGgubmV0@facebookmail.com.

I wasn’t fooled, but others may have been.

Now this one seemed like an obviously suspicious email:

But it was sent to my email at work, where we have used an efax service before so it was more plausible sent to a commercial email address rather than a consumer email address.

The most confusing example was from Evernote last month. Some of you may have received this as well. Evernote was hacked so they sent out an email to make users aware and to ask them to reset their passwords.

The email says: Never click on 'reset password' requests in emails - instead go directly to the service. But the email itself includes a link to reset the password! And the URL it linked to was: links.evernote.mkt5371.com, which looks like a fake domain.

Turns out the domain was maintained by an email service provider. Despite some buzz about this on cyber security websites, Evernote then sent out a reminder email a week later, again with a link to reset the password (although at least this time it went to evernote.com).

I received both of these emails and didn’t click but saved them thinking they would be good examples for an article on phishing. Only when I did some Googling did I find out they were actually legitimate.

Evernote Initial Email

Evernote Reminder Email:

Some companies, particularly those who are typical phishing targets, are making specific attempts to educate their users about scam emails. While we’ve seen some wording in email footers, this example from American Express makes security awareness the topic of the email itself.

The email briefly explains what phishing is and what to do with a suspicious email if one is received. The email also includes a link to their Fraud Protection Center where there is additional information such as how to identify fraudulent email, how to identify legitimate email from American Express and what to do if you have already entered account information via a possibly fraudulent email.

Finally, the footer copy tells the member how their cardmember information is included in every email and that some phishing emails may bypass spam filters.

A few changes may have made the email a bit more effective. The section on phishing in the email should advise the recipient not to click on a suspicious email and not to enter any personal information.

While this is stated in the Fraud Protection Center, it should also be included in the email itself in case the member doesn’t read the Fraud Protection Center information. Additionally, each topic in the email should include a link to the corresponding section on the website.

It could either be the blue headers (those are not currently links) or a call to action in the text. For example, “Beware of Phishing” should link to the phishing section of the Fraud Protection Center. And the “Sign Up For Account Alerts” section should include a link to sign up for those alerts. 

Finally, the Fraud Protect Center landing page could be better optimized. The most prominent link on the initial landing page goes to an up-sell for fraud protection products. Plus, we had to guess that more information about phishing was in the Identity Theft section.

American Express Email:

Fraud Protection Center Landing Page:

 

Identity Theft Section with Phishing Expanded:

Scammers aren’t going anywhere, so consumers and marketers need to arm themselves with the knowledge and tools to battle fraudulent emails. Recipients need to be hyper vigilant by being aware of the techniques scammers use.

Businesses need to respond appropriately to security breaches or when corresponding with customers about account information or password updates.

 Finally, companies need to be aware of whether or not their brand is being spoofed and work with ISPs to prevent these messages from reaching people. How to do that?

Use authentication and the DMARC standard as well as big data powered solutions. To learn more about DMARC go to www.DMARC.org or read these blog posts about DMARC. The series includes some posts on specifically how to implement DMARC.

Stephanie Colleton is director, professional services and response consulting for email intelligence firm Return Path.

 

Comments

Show: Newest | Oldest

Post a Comment
Your Name:
Subject:
Comments:
Verification:
Please type the letters in the image above

Terms: Feel free to be as big a jerk as you want, but don't attack anyone other than me personally. And don't criticize people or companies other than me anonymously. Got something crappy to say? Say it under your real name. Anonymous potshots and personal attacks aimed at me, however, are fine.

Posted by: Gill
Date: 2016-01-31 10:21:36
Subject: Security@facebookmail.com

Thanks will print and read through. My email, calls everything is being somehow intercepted. This is something i hit on yesterday so will go through my email later when i connect printer. Let you know how your advice was. Namaste
Posted by: FB
Date: 2014-03-08 20:36:23
Subject: aaa

acab
Posted by: David Romerstein
Date: 2013-05-07 14:22:14
Subject: 'facebookmail.com'

I'm not sure what you're trying to say with your first example there. 'facebookmail.com' is, legitimately, a Facebook domain; much of the email I've gotten from Facebook since at least 2011 has been from that domain.

Xverify