Posted by Bryan Vale / February 7, 2018
Recently, I received an email that was blatantly attempting to get me to download a malicious email attachment. While this was far from being an advanced attack, the content of the email provides some examples of how criminals use social engineering in business email compromise (BEC) attacks to trick well-meaning users.
The email was from "Khalid Jagadeesh," email address ian.green [at] lorianmarketing [dot] co [dot] uk. (Right off the bat, this makes no sense – why does the sender name differ so vastly from the name in the email address?)
The subject line was "Fw:Attached Revised Order".
Here is the body text reproduced in full:
Good to know about your products from one of our supplier, our company urgently in need of your product.
Please check our order attached and get back to us with a goods quotation .
I awaits for your goods quotation and proforma invoice.
Steel iron Trading Ltd
P.O.Box 783, Muscat Postal Code 100
Phone:+ 968 2034711
3 Social Engineering Techniques Used in This Email
1. An attempt to create a sense of urgency.
In the first sentence, the word "urgently" is used. In the second sentence a request is made of the recipient in a fairly demanding tone. The closing line emphasizes that the sender is waiting for a reply.
Without even providing a hard deadline, the email creates a sense of urgency.
2. A promise of a good or necessary outcome.
No employee wants to be responsible for their company losing a potential customer, and this email is designed to make them fear just that: If they do not download and open the attachment, a customer's order may not be processed!
Malicious email attachments disguised as purchase orders are extremely common, and in those cases the promise of new business for the company is the dangling carrot that gets employees to open malicious attachments. Even if they suspect the email is malicious or phony, they may open the attachment just to be sure.
This reward-promising pattern can take other forms as well. For instance, fake invoices make the recipient feel that they have to take action to avoid negative consequences.
3. Attention drawn to the attachment.
The subject line references the "Attached Order", and the second sentence prompts the recipient to check the "order attached." The sender wants to immediately draw the recipient's attention to the attachment to keep it front of mind, and then prompts them to open it.
The classic advice given to salespeople was "ABC": Always Be Closing. Email phishers have much the same mindset. It does not make for a catchy acronym, but their motto is: "Always Be...telling the email recipient to open the malicious attachment."
How to Instantly Determine This Is a Phishing Email
1. I was not expecting an email from a customer.
I am a copywriter; I do not process orders. But even if I were a sales rep, an unexpected "order" of our "goods" would be suspicious, especially if the sender was unfamiliar.
Unexpected or surprising emails are often phishing attempts.
2. An attachment for this scenario makes no sense.
Customers do not attach order forms to emails and then send them to us.
3. The email is full of errors.
A more targeted attack would likely not have quite so many spelling, grammar, and logic errors. For instance, "one of our supplier" is incorrect; it should read "suppliers." There is an extra space between "quotation" and the period that follows. "Steel iron Trading Ltd" is clearly a fake company name, and it is not even capitalized properly. The company name also does not match the domain of the sender's email address, nor does the signature name match the sender name.
Of course, many threat actors are far more skilled in composing their emails. Advanced email phishing attacks feature a high degree of personalization, and some attacks even come in the form of a reply to an already-existing thread.
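The red flags listed above can be checked mechanically. The following triage script is an added example, not code from the post or from OPSWAT; it parses a message constructed from the details quoted in the post (MIME layout, attachment name and the scoring are assumptions) and flags a display name that shares no word with the mailbox, a signature company that shares no word with the sending domain, urgency wording, and text steering the reader to an attachment that is really there.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample built from the post's details; MIME layout and attachment name are assumed.
SAMPLE = (
    "From: Khalid Jagadeesh <ian.green@lorianmarketing.co.uk>\n"
    "Subject: Fw:Attached Revised Order\n"
    'Content-Type: multipart/mixed; boundary="b1"\n\n'
    "--b1\nContent-Type: text/plain\n\n"
    "Good to know about your products from one of our supplier, "
    "our company urgently in need of your product.\n"
    "Please check our order attached and get back to us with a goods quotation .\n"
    "Steel iron Trading Ltd\nP.O.Box 783, Muscat Postal Code 100\n"
    "--b1\nContent-Type: application/octet-stream\n"
    'Content-Disposition: attachment; filename="Revised_Order.doc"\n\n'
    "ZHVtbXk=\n--b1--\n"
)

URGENCY = re.compile(r"\b(?:urgent(?:ly)?|immediately|asap|await(?:s|ing)?)\b", re.I)
ORG_LINE = re.compile(r"^(.+?)\s+(?:Ltd|LLC|Inc|GmbH)\.?\s*$", re.M | re.I)

def tokens(text):
    return {t for t in re.split(r"\W+", text.lower()) if len(t) > 2}

def triage(raw):
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    local, _, domain = addr.partition("@")
    body, attachments = "", []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            attachments.append(part.get_filename() or "")
        elif part.get_content_type() == "text/plain":
            body += part.get_payload(decode=True).decode("utf-8", "replace")
    org = ORG_LINE.search(body)
    flags = {
        # Display name shares no word with the mailbox name (Khalid Jagadeesh vs ian.green).
        "name_mismatch": bool(tokens(display)) and tokens(display).isdisjoint(tokens(local)),
        # Company named in the signature shares no word with the sending domain.
        "org_mismatch": bool(org) and tokens(org.group(1)).isdisjoint(tokens(domain)),
        "urgency": bool(URGENCY.search(body)),
        # Subject or body points at an attachment, and one is actually present.
        "attachment_lure": bool(attachments) and "attach" in (msg.get("Subject", "") + body).lower(),
    }
    flags["score"] = sum(flags.values())  # number of red flags that fired
    return flags

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A mail gateway rule would treat a high score as a reason to quarantine or sanitize the attachment rather than deliver it untouched.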
Why I Was Protected No Matter What
OPSWAT uses Metadefender Email Security to protect company inboxes from malicious emails. Its multi-scanning detects threats and its data sanitization (CDR) neutralizes them, so BEC emails like this are much less dangerous.
Even if I had decided to download the attachment and provide the sender with a "goods quotation," the attachment had been sanitized and the malicious content removed.
Despite the grammatical errors and other inconsistencies, this email demonstrates some of the social engineering techniques that cyber criminals use to pressure users into downloading and opening untrustworthy attachments.
Though this was a fairly transparent phishing attempt, emails like this do result in malware outbreaks on a regular basis. And in fact, some users can even be fooled by an inexpertly composed phishing email like this one (compare the sample emails in this article).
It is always important to train users in how to recognize phishing emails – but this must be combined with a strong email cyber security solution, because even security-aware users can fall victim to targeted BEC attacks.