Real examples of phishing emails

The phishing email is one of the most devastating weapons that cyber criminals use to get their hands on your charity’s data, infect computers with malware, and steal money.

That’s why you should treat all unexpected emails with the utmost suspicion and never click on links or open attachments in any email you receive unless you are sure that it is legitimate.

It’s also helpful to know what phishing emails look like so that you can identify and delete them as soon as you spot them in your inbox. Below we explore some typical examples.

Email account compromiser

The phishing email below will appear to come from someone you know, after their email account has been compromised by a hacker – Fiona Wilson, in the below example.

The email invites you to view a file with a generic subject like “Davey Fundraising Proposal.PDF”. Although you will not be expecting the email, the fact that it apparently comes from someone you have previously had communication with may convince you to click on the link to view the attachment.

   Fiona Wilson has invited you to a folder titled "Davey Fundraising Proposal"

   Fiona Wilson <fiona@Daveycapital.com>

      Tue, 23 Mar, 12:13      

   Good Afternoon,

   Fiona Wilson has invited you to "Davey Fundraising Proposal"

   Review Folder:  Davey Fundraising Proposal.PDF

   Extension Type: PDF •Size: 8.49MB •Date Modified: 23/03/21

   Fiona Wilson said: "I’d welcome any question or suggestion you might have. Thanks."

   Kind regards,

   Fiona

If you click on the link to view the file, you are taken to a web page which then says “To view the secure document, choose your email provider to confirm your identity” with a choice of email systems including Office 365, Gmail, and Outlook, along with genuine-looking logos.

If you click on one of the logos and enter your email user name and password, the hacker will then have access to your email account.

Malware infector

The following email could appear to come from a bank, a utility company, or any other business that you might have an account with, such as Apple, Netflix, Dropbox, or Facebook.

If you do have an account with that organisation, you may be tempted to think the email is genuine. However, poor English is a good clue that the email is likely to be a phishing email and the attachment is likely to contain malware.

   Dear (email address)

   Recently there’s been activity in your account that seems unusual compared to your normal account activities

   This is detail you activity:

   Location: 36 Paraduta Street, Carabobo, Spain

   IP address  (xx.xx.xx.xx)

   Time: Thursday, April 15 2021, 02;37:05 AM

   Platform: Windows NT 6.1

   *YOUR ACCOUNT HAS BEEN DISABLE TEMPORARY

   If you do not do this activity, maybe someone who has access to your account.  To view the details of your case    please download & read (Billing_Agreement_15042021.pdf) in attachment

Personal information stealer and malware infector

Cyber criminals also use a subject that you are likely to be interested in. The example below exploits the fact that many people are waiting to be contacted about a Coronavirus vaccination appointment.

   This is a public health message from NHS

   As part of the government’s coordinated response to Coronavirus, NHS is performing selections for coronavirus    vaccination on the basis of family genetics and medical history.

   You have been selected to receive a coronavirus vaccination

   Use this service to confirm or reject your coronavirus (COVID-19) vaccination:

   >> NHS – Accept Invitation

   >> NHS – Decline Invitation

   NOTE: The coronavirus (COVID-19) vaccine is safe and effective. It gives you the best protection against    coronavirus.

   Who can use this service

   You can only use this service if you have received an email/SMS regarding this invitation. You can not use this    service for anyone other than yourself.

   You are also free to reject this invitation, your appointment will be issued to the next person in line in that case.

   NHS National Health Service GOV.UK

By clicking on the links to either accept or decline the invitation, you will be asked for personal information that the cyber criminal may use for identity theft purposes, and you could also be directed to a “drive by” website which will attempt to compromise your computer using known vulnerabilities in software it may be running.

Another personal information stealer

Cyber criminals know that the tax year ends on 5 April and that many people would welcome a tax repayment. The following phishing email uses this fact to try to hook you into following its instructions without questioning it:

   HMRC Payment confirmation

   Dear XXX

   Your repayment has been issued by HMRC

   Tax  P800

   Tax reference PC37359839AP302222021

   Payment reference  9acda9a2-e0cd-4793-65ca-1750d3cd2169

   Amount to be paid GBP 520.99

   Go to HMRC Online Payments Website

   Why you got this xxx@hotmail.co.uk

   You chose to receive payment confirmation by xxx@hotmail.co.uk

   From HMRC Online Payments

The promise of a “GBP 520.99” repayment may be enough to tempt you into clicking on the “HMRC Online Payments Website”, but this fake website will ask for personal information such as National Insurance number and date of birth, and may also ask for passwords and other confidential information.

Bank log-on stealer

This is an example of a classic phishing email which invites you to view your account by clicking on a link in the email. In fact, the link will take you to a fake website designed to look like the genuine site, and when you enter you login name and password the hacker will capture them for later reuse at the real site.

This type of phishing email is becoming less common because most banks now also require some sort of two factor authentication method such as a code that is sent by text to your mobile phone.

   Account temporarily suspended!

   Dear client

   As part of our security measures, we regularly screen activity in your bank account. We revently contacted you after    noticing on your online account, which is being accessed unusually.

   To view your Account

1. Visit (bank.com)
2. Sign on to Online Banking with your user ID and password
3. Select your account

   Sincerely

   Customer Care

What you can do to protect yourself against phishing?

There are plenty of straightforward steps you can take. Here are the most important:

• Never click links in emails to visit sites such as your bank. Instead, type the address into your browser manually
• Use two-factor authentication on all sensitive accounts
• Do not open attachments from emails you are not expecting
• Use a password manager which automatically logs you into online accounts. Password managers are not fooled by fake sites designed to resemble genuine ones.