Watch Out for These "Secure Email" Phishing Emails

We typically stick to writing about phishing emails and attacks aimed at businesses, but a recent trend has us making an exception. We’ve seen a HUGE uptick recently in a type of phishing emails targeted at individuals: emails posing as an encrypted email notification. Sometimes, these are pretty generic. Sometimes, they’re much more detailed and look like emails about mortgages or title loans.

The scariest part of this trend? These are convincing – some of the most convincing we’ve ever seen. Most have had very few warning signs that they’re a phishing email.

Some of them have come from real employees at real companies. These people likely fell for some other phishing scam and had their credentials stole. It’s not uncommon for hackers to use real people’s accounts to send out phishing emails.

Let’s look at a few examples:

We’ve seen a few generic encrypted emails. These basically say that you’ve received a secure message and click here to read it. Here’s one example:

(Note: The red bar at the top identifying this as a phishing email was added by Office 365 – it doesn’t catch everything, though, so even if you are an Office 365 user, you can’t rely on that being on every phishing email.)

There isn’t a lot to go on here and very few warning signs – just these:

1. The sender name and email address don’t match
2. If you hover over the link, the URL that comes up doesn’t match the sender’s domain or any company we’re familiar with.
3. This was sent to an inactive email address. It’s actually the email address we used for marketing (primarily sending our monthly newsletter) a few years ago. There’s no reason it should be receiving a legitimate encrypted email.

We actually received this one twice. The sender email and subject line were different, but the rest was the same.

We opened it in a sandbox (basically a virtual machine with no data on it that won’t affect the rest of our network) to see where it goes. It goes to a login screen – which is actually where a lot of legitimate encrypted emails go. But this login screen was created by cybercriminals with the intention of stealing login credentials.

This next one had me wondering if I had been seen someone else’s mortgage details for a few minutes. It came from the email address of a real employee at a real mortgage company (we’ve greyed out those details as well as a few other names that were included).

Again, there are very few warning signs that this email wasn’t real. These were the only things that gave it away:

1. There was no “To:” email address shown. This likely means they BCC’d a bunch of email addresses hoping to get multiple victims.
2. The button linked to a different site. When we hovered over the link in the “Open Folder” button, it didn’t go to the website for the company it was sent from.
3. I haven’t applied for a mortgage recently, and I don’t know this company. The email also had someone else’s name in it (it’s greyed out in our pictures). This was the big red flag – and really, the only thing that made me look closer.

That’s it. Those are the only things that stood out as fishy. In reality, most people aren’t as suspicious of every email as we are (it’s what happens when you think about cybersecurity all the time) and aren’t likely to notice #1 and #2. Curiosity will take care of #3 for a lot of people, too.

Like the generic email, if you click the link, it takes you to a fake login screen made to steal your credentials.

Here are some other examples of similar emails.

These are some of the most convincing phishing emails we’ve ever seen and they’re going to be hard to spot. If you aren’t expecting to get an encrypted email, don’t click on it. If you’re a PTG customer and have questions about whether or not an email is legitimate, we can help you check.