A phishing campaign is using short, terse emails to trick people into visiting a credential-harvesting site, according to Paul Ducklin at Naked Security. The email informs recipients that two incoming messages were returned to the sender, and directs the user to visit a link in order to view the messages. Since the emails are so short, the scammers avoid risking typos or grammatical errors that could have tipped off the recipient.
The phishing link has the appearance of a direct URL to sophos.com, but it’s actually a hyperlink that leads to a different site. The phishing site is also very simple, with just a login prompt and a title that says “User Control Panel.” Ducklin notes that the scammers may have taken the simplicity too far at this point, as the phishing site doesn’t attempt to impersonate any brand.
Ducklin offers the following advice to help people avoid falling for these attacks:
- “Don’t click ‘helpful’ links in emails or other messages. Learn in advance how to find error messages and other mail delivery information in your webmail service via the webmail interface itself, so you can simply login as usual and then access the needed pages directly. Do the same for the social networks and content delivery sites you use. If you already know the right URL to use, you never need to rely on any links in emails, whether those emails are real or fake.
- “Think before you click. The email above isn’t glaringly false, so you might be inclined to click the link, especially if you’re in a hurry (though see point 1 about learning how to avoid click-throughs in the first place). But if you do click through by mistake, take a few seconds to stop and double-check the site details, which would make it clear you were in the wrong place.
- “Use a password manager if you can. Password managers prevent you from putting the right password into the wrong site, because they can’t suggest a password for a site they’ve never seen before.
- “Report suspicious emails to your own IT team. Even if you’re a small business, make sure all your staff know where to submit suspicious email samples (e.g. email@example.com). Crooks rarely send just one phishing email to one employee, and they rarely give up if their first attempt fails. The sooner someone raises the alarm, the sooner you can warn everyone else.”
New-school security awareness training can teach your employees to follow security best practices so they can avoid falling for phishing attacks.