We will be looking at a phishing attempt that hit EIU this week.
In this case, someone from outside EIU was pretending to be from Amazon.com, and the attacker attempted to get the user's credentials.
Were there any clues that this was a phishing email?
Questions to ask:
- Was I expecting this email?
- Generic use of “Dear Customer” and not my name?
- Use of urgency?
- Why is it from Amazon, but the email is to firstname.lastname@example.org?
- Why does hovering over the link go to jakorposeutation.com?
- Why is détails used instead of “Details”?
Reviewing the email
Notice that if you hover over “Update now”, the link goes to https://jakorposeutation.com and not amazon.com.
The word “détails” is a way to avoid spam/phishing filters.
They want you to panic and react without thinking
- “If you do not update your account within 24 hours (from opening this email) will be officially permanently disabled.”
They put (Open from this email) because they know that if I go to Amazon directly, I would see nothing and not get phished.
The red flags are starting to add up. At this point, I would delete this email and log in to amazon.com directly to see if there are any messages for me. Another option is to forward the email to the EIU phishing group at email@example.com. ITS will review the email and let me know if it is OK.
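The same checks can be automated when triaging a reported message. The following is an added example, not part of the original post: the names `LinkCollector` and `red_flags`, the phrase patterns, and the sample message body are assumptions constructed from the red flags listed above.

```python
import re
import unicodedata
from html.parser import HTMLParser
from urllib.parse import urlparse

class LinkCollector(HTMLParser):
    """Collect [href, visible label] for each <a> tag, plus all body text."""
    def __init__(self):
        super().__init__()
        self.links, self.text, self._in_a = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._in_a = True
            self.links.append([dict(attrs).get("href") or "", ""])
    def handle_endtag(self, tag):
        if tag == "a":
            self._in_a = False
    def handle_data(self, data):
        self.text.append(data)
        if self._in_a:
            self.links[-1][1] += data

def red_flags(html_body, claimed_domain):
    """Return the red flags found in an HTML email that claims to be from claimed_domain."""
    p = LinkCollector()
    p.feed(html_body)
    text = " ".join(p.text)
    flags = []
    for href, label in p.links:
        # What hovering would show: the real host behind the link label.
        host = (urlparse(href).hostname or "").lower()
        if host and host != claimed_domain and not host.endswith("." + claimed_domain):
            flags.append(f"link '{label.strip()}' goes to {host}, not {claimed_domain}")
    if re.search(r"\bdear (customer|user|member)\b", text, re.I):  # assumed phrase list
        flags.append("generic greeting instead of the recipient's name")
    if re.search(r"\bwithin \d+ hours\b|\bpermanently disabled\b", text, re.I):
        flags.append("urgency: deadline or threat of account loss")
    for word in re.findall(r"\w+", text):
        # Strip accents; a changed word used a non-ASCII spelling (filter evasion).
        folded = unicodedata.normalize("NFKD", word).encode("ascii", "ignore").decode()
        if folded != word:
            flags.append(f"non-ASCII spelling '{word}' (reads as '{folded}')")
    return flags

# Constructed sample body, built from the details quoted in this post.
SAMPLE = ('<p>Dear Customer,</p><p>Please confirm your account d\u00e9tails. '
          'If you do not update your account within 24 hours (from opening this email) '
          'will be officially permanently disabled.</p>'
          '<a href="https://jakorposeutation.com">Update now</a>')
```

Calling `red_flags(SAMPLE, "amazon.com")` reports all four indicators, while a message whose only link points to www.amazon.com returns an empty list.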