Office 365 Business Email Scam
18 December 2019
If you are wondering how email accounts get compromised, here is just one example. In this case, the subject line is routine for an email delivery failure, but nothing else is good about this email scam.
Here is the email received today by one of our customers, who was rightly suspicious of its content.
There are plenty of clues in the email which might be obvious to many; however, if one is unaware that email scams like this are a thing, then trouble brews very quickly. Here are the signs this email is a scam:
The sender name, Online Message Team, is generic; if the email were genuine it would clearly come from Microsoft.
The sender email address(es) are a dead giveaway; the scammers haven't even tried to hide them.
The subject line is reasonable.
The rejection statement in the first sentence also looks reasonable; we have all seen email delivery failures before.
The Retrieve Emails link is clearly bogus if one is familiar with what a Microsoft web address should look like.
So, what happens if we click on the link? We don't recommend that you try this at home (or at work). Nothing bad can happen unless you think the web page you visit is genuine, but then things get nasty very fast. Let's look at the web page address first.
Hold on, Google's Gmail service is not happy with the link.
The good news here is that Google has trimmed the link back to the actual web page address, which is clearly not Microsoft's. Let us proceed for the purpose of this exercise; you would normally choose the "Back" option, of course.
More good news: our recommended internet security software, Webroot SecureAnywhere, is not happy with the web page either.
So we bypass the warning (again, don't do this) and see where the link takes us.
If you compare this with the original web address in the email, you can see that you have been redirected to a different web page, which looks equally bogus even though it has your email address at the end.
Let's have a look at the whole bogus web page.
The web address is clearly dodgy; however, the Microsoft login screen looks exactly like the real thing. So if you don't notice the bogus web address, you are one step away from serious trouble.
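Knowing what a genuine address looks like comes down to reading the host, the part between the scheme and the first slash, and ignoring everything else. As an added example that is not from the original post, here is a small Python checker run over constructed links modelled on the ones above; the allow-list of Microsoft sign-in hosts and the lookalike domain names are assumptions for the example.

```python
from typing import List, Tuple
from urllib.parse import urlsplit

# Illustrative allow-list of hosts that serve genuine Microsoft sign-in pages
# (an assumption for this example; keep your own list current from Microsoft's documentation)
GENUINE_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com", "login.microsoft.com"}
BRAND_WORDS = ("microsoft", "office", "outlook")

def _split(url: str):
    # Treat a bare "host/path" the way a browser would, as an https link
    return urlsplit(url if "://" in url else "https://" + url)

def host_of(url: str) -> str:
    """The host is only the part between the scheme and the first '/'; nothing after it counts."""
    return (_split(url).hostname or "").lower().rstrip(".")

def is_genuine_login_page(url: str) -> bool:
    # Exact match on the whole host: a brand name used as a subdomain label or in the
    # path does not count, because the right-most labels say who really owns the site.
    return host_of(url) in GENUINE_LOGIN_HOSTS

def explain(url: str) -> Tuple[bool, List[str]]:
    """Genuine flag plus the tell-tale signs a reader should notice in a bogus link."""
    host = host_of(url)
    if host in GENUINE_LOGIN_HOSTS:
        return True, []
    parts = _split(url)
    notes: List[str] = []
    if any(word in host for word in BRAND_WORDS):
        notes.append(f"brand name is only a lookalike label inside the host {host!r}")
    if any(word in (parts.path + parts.query).lower() for word in BRAND_WORDS):
        notes.append("brand name appears after the host, where anyone can put it")
    if "@" in parts.fragment or "@" in parts.query:
        notes.append("your email address is carried in the link to pre-fill the fake form")
    if not notes:
        notes.append(f"host {host!r} is not a Microsoft sign-in host")
    return False, notes

# Constructed sample links modelled on the genuine and bogus addresses discussed above
SAMPLE_LINKS = [
    "https://login.microsoftonline.com/common/oauth2/authorize",
    "https://login.microsoftonline.com.mail-retrieve.example/office365/",
    "http://mail-retrieve.example/microsoft/owa/index.php#user@example.com",
]
```

Only the first sample passes; the second puts Microsoft's name in a subdomain label and the third puts it in the path, which is exactly the kind of address the email above relies on nobody reading.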
If you enter your email password on the above screen, the scammers will have your email address and password, which is all they need to log in to your mailbox. The exception is if you have two-factor authentication attached to your mailbox, in which case they will also need a code from your phone, which makes it much more difficult to compromise your mailbox.
So, what happens next?
The scammer logs into your webmail account.
This is often referred to as "hacking", but it's actually not hacking, because you gave them your password.
The scammer then quietly monitors your emails, looking in particular for invoices which have been emailed to you.
We have seen a particularly clever trick where the scammer inserts a filter into the mailbox.
The filter sends every email to your junk folder unless it was sent by the scammer.
This means the only emails you see from that point on are actually from the scammer.
The scammer finds an email with a PDF invoice attached.
The email is copied and resent with a modified version of the invoice.
The scammer changes the banking details and may also send through a corroborating email advising of the change.
You receive the email with the modified invoice and you then pay the amount on the invoice to the scammer.
You won't know this has happened until the genuine payee contacts you to find out where their money is.
This could be a week or more later, long enough for the scammer to withdraw the money and scarper.
You then still have to pay the genuine payee, and what you paid to the scammer is lost.
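The mailbox filter trick in the steps above is something an administrator can look for. The following added Python example, which is not from the original post, audits a set of mailbox rules and flags the "hide everything unless it came from one sender" pattern, along with rules that forward mail outside the organisation; the rule fields are modelled on the property names of Exchange Online's Get-InboxRule, and those names, the folder path format and the sample rules are all assumptions for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Folders an attacker uses to hide mail from the mailbox owner (lower-case leaf names)
HIDE_FOLDERS = {"junk email", "junk e-mail", "deleted items", "rss feeds", "archive"}

@dataclass
class InboxRule:
    # Field names mirror Get-InboxRule properties in Exchange Online PowerShell
    # (an assumption for this example); every value below is constructed sample data.
    name: str
    enabled: bool = True
    move_to_folder: Optional[str] = None                      # MoveToFolder
    delete_message: bool = False                              # DeleteMessage
    forward_to: List[str] = field(default_factory=list)       # ForwardTo
    redirect_to: List[str] = field(default_factory=list)      # RedirectTo
    except_if_from: List[str] = field(default_factory=list)   # ExceptIfFrom
    conditions: Dict[str, List[str]] = field(default_factory=dict)  # From, SubjectContainsWords, ...

def audit_rule(rule: InboxRule, own_domain: str) -> List[str]:
    """Return findings for one rule; an empty list means nothing suspicious."""
    findings: List[str] = []
    if not rule.enabled:
        return findings
    # MoveToFolder is assumed to look like "user@example.com:\Junk Email"; keep the leaf name
    folder = (rule.move_to_folder or "").rsplit("\\", 1)[-1].strip().lower()
    hides = rule.delete_message or folder in HIDE_FOLDERS
    catch_all = not rule.conditions  # no positive condition, so the rule matches every message
    if hides and catch_all and rule.except_if_from:
        findings.append(f"{rule.name!r}: hides all mail except from {rule.except_if_from}")
    elif hides and catch_all:
        findings.append(f"{rule.name!r}: hides every incoming message")
    for addr in rule.forward_to + rule.redirect_to:
        if addr.rsplit("@", 1)[-1].lower() != own_domain.lower():
            findings.append(f"{rule.name!r}: sends mail to external address {addr}")
    return findings

def audit_mailbox(rules: List[InboxRule], own_domain: str) -> List[str]:
    return [f for rule in rules for f in audit_rule(rule, own_domain)]

# Constructed sample export for a mailbox in the example.com organisation
SAMPLE_RULES = [
    InboxRule("Newsletters", move_to_folder="user@example.com:\\Newsletters",
              conditions={"From": ["news@vendor.example"]}),
    InboxRule("Inbox cleanup", move_to_folder="user@example.com:\\Junk Email",
              except_if_from=["accounts@attacker.example"]),  # the trick described above
    InboxRule("Invoices", conditions={"SubjectContainsWords": ["invoice"]},
              forward_to=["copy@attacker.example"]),
    InboxRule("Old rule", enabled=False, delete_message=True),  # disabled, so ignored
]
```

Running audit_mailbox(SAMPLE_RULES, "example.com") reports the junk-folder rule and the external forward and stays quiet about the ordinary newsletter rule.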
And the good news is...?
Australian banks are well aware of these scams and have systems in place which can stop the scammer from receiving their ill-gotten gains.
Basically, any new bank account which receives a multi-thousand dollar deposit as its first transaction may be flagged for investigation before the scammer actually gets the money. We have been very impressed with this feature, having seen customers reimbursed for tens of thousands of dollars because the bank blocked the transfer. It would not be safe to rely on this, of course: if the payment does not get blocked, you lose your money.
Defence Mechanisms
Know that this type of scam is a thing and that it is active in our area.
Use Google Gmail, or indeed any other email service which offers two-factor authentication.
Have good-quality internet security software installed, especially on your computers.
Make it your business to know what a genuine web address looks like.
Trust no email, trust no web page and trust no unsolicited phone call.
Be skeptical; it's a useful character trait in this modern world!
This is our business
Call us or email us if you need more information.
We are heavily invested in email and internet security on behalf of our customers; this is what we do.