Let's Go Phishing!

  • Published: Tuesday, Aug. 17, 2021

One form of social engineering is sending fraudulent emails that pretend to come from a reputable source in order to entice the victim into revealing personal information, deploying malicious software or handing the attacker a financial gain. Attackers use this form of deceit and criminal activity because it works. It is an effective and inexpensive tool in the cyber criminal's arsenal. Educating the end user is key to combating these attacks. Conditioning users to recognize the signs of a phish can reduce risk.

Here are a couple of sample phish. See if you can spot all the red flags associated with these messages.

Background: John Smith is an employee of Dr. Tom Jones. He works in the finance department. The name of the company is Victim.

Phish #1
To: John Smith <[email protected]>
cc: Sue Brooks <[email protected]>
From: Dr. Tom Jones <[email protected]>
Subject: W2's for employees

Please send our W2 Tax Documents for all employees to Sue Brooks at Tax Consultants. I have cc'd her here.
We need these documents for a review ordered by the Board of Directors.
Please send immediately as we are under a time crunch.

Dr. Tom Jones

It makes sense that John Smith would receive such a request as he works in the finance department and has access to these records.

Red flag: The cc address is a Hotmail account.
Red flag: Dr. Tom Jones's email address is not on the company domain.
Red flag: W2 forms are confidential and are not considered public records.
Red flag: Sense of urgency.

What should John do? Personally contact Dr. Jones, either by separate email or phone call, to question the request.

Phish #2
To: John Smith <[email protected]>
From: Dr. Tom Jones <[email protected]>
Subject: Favor needed


I need a favor and am tied up in a meeting. I totally forgot and need you to purchase some iTunes gift cards for a prize at tonights charity event. Any way you can get those right now? I will reimburse you back in our office later. 
I need 4 $100 cards. If you get it scratch off the back and take picture of numbers and send to me now. I will get physical cards when I see you.

Again, it makes sense that John Smith would receive a request such as this because he works in the finance department of the company and would be able to purchase these.

Red flag: Dr. Jones's email address is not on the company domain.
Red flag: Grammar seems a bit off for a man with a doctorate.
Red flag: Sense of urgency.
Red flag: Scratch off the activation code and send now. Why will that help if he needs the physical cards?

What should John do? Personally contact Dr. Jones, either by separate email or phone call, to verify the request.
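The header and wording red flags from Phish #1 and #2 can also be checked automatically on inbound mail, as a backstop for the user's own judgment. The script below is an added example, not part of the original article; the domains `victim.example` and `victim-mail.example`, the sample addresses, the staff list and the keyword lists are all constructed assumptions.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Assumptions, not from the article: the company domain, staff directory,
# freemail list and keyword lists are constructed for illustration.
ORG_DOMAIN = "victim.example"
STAFF = ("tom jones",)
FREEMAIL = {"hotmail.com", "gmail.com", "outlook.com", "yahoo.com"}
URGENCY = ("immediately", "time crunch", "right now", "send to me now")
SENSITIVE = ("w2", "gift card")

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def red_flags(raw):
    """Return the red flags found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    flags = []
    # Display name of a known colleague, but the address is off-domain.
    if any(s in name.lower() for s in STAFF) and domain(addr) != ORG_DOMAIN:
        flags.append("staff name, outside domain")
    # A personal webmail account copied on a business request.
    ccs = getaddresses(msg.get_all("Cc", []))
    if any(domain(a) in FREEMAIL for _, a in ccs):
        flags.append("freemail cc")
    text = f"{msg.get('Subject', '')} {msg.get_payload()}".lower()
    if any(p in text for p in URGENCY):
        flags.append("urgency")
    if any(p in text for p in SENSITIVE):
        flags.append("sensitive request")
    return flags

# Constructed samples modelled on Phish #1 and #2 (addresses are made up).
PHISH_1 = """\
To: John Smith <john.smith@victim.example>
cc: Sue Brooks <sue.brooks@hotmail.com>
From: Dr. Tom Jones <tom.jones@victim-mail.example>
Subject: W2's for employees

Please send our W2 Tax Documents for all employees to Sue Brooks.
Please send immediately as we are under a time crunch.
"""
PHISH_2 = """\
To: John Smith <john.smith@victim.example>
From: Dr. Tom Jones <tom.jones@victim-mail.example>
Subject: Favor needed

I need you to purchase some iTunes gift cards. Any way you can get those right now?
"""
```

A message that trips several of these checks at once is a good candidate for a warning banner or quarantine rather than silent delivery.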

Phish #3
To: John Smith <[email protected]>
From: Amazon Customer Care <[email protected]>
Subject: Refund Notifcation

Due to a system error you were double charge for your last order. A refund process was initiated but could not be completed due to errors in your billing information.


You are required to provide us a valid billing address

Click Here to Update Your Address

After your information has been validated you should get your refund within 3 business days
We hope to see you again soon.

Red flag: Domain extension of Amazon is incorrect.
Red flag: No personal greeting.
Red flag: Lack of punctuation on some sentences.
Red flag: 'Click here' in an email normally leads to a fake website that will steal credentials.

What should John do? John should log into his Amazon account independently of this email. If this is a legitimate request, he will have a notification there indicating this. Alternatively, he can contact Amazon support directly to verify the information.

An ongoing security awareness program should include phishing simulations. By conditioning users to recognize these threats you can reduce the risks.

MOREnet members can leverage the partnership we have created with Infosec IQ to add phishing campaigns to their program. For more information, visit our Infosec IQ page, log in to my.more.net for information and pricing or contact [email protected].