Anatomy of a Phishing Scam


Today I received an e-mail which made it past Google’s Junk E-mail protection.  It was sent from “Gmail Team” and titled “Google Verification”.  As I’ve had to do site verifications for Analytics and Webmaster tools, I took a look at the e-mail.

Within half a microsecond, I decided to compose this quick “Tech Meme”, breaking down all the telltale signs of a Phishing attempt.  As far as they go, this one was pretty poor – but could still trip up some unfortunate folks.

Firstly, what is Phishing?

According to Wikipedia:

Phishing is a way of attempting to acquire information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication.

Does my e-mail constitute a Phishing attempt?  Check it out and see what you think.  Here’s the complete message:

[Image: screenshot of the complete e-mail]

So let’s break it down:

1. The “From“ Address

This e-mail was sent from a “@gmail.com” address, whereas most official Google e-mail is sent from @google.com.  Even setting that aside, the folks at Google would clearly have a better reply-to e-mail address than “customerservice.verifyinfor”.

2. No Branding/Google “look and feel”. 

Although some authentic e-mails from Google are sent in a basic format, even they carry some kind of corporate signature, like the following:

“© 2011 Google Inc. 1600 Amphitheatre Parkway, Mountain View, CA 94043”

Microsoft usually applies style sheets to their emails, most of the major banks do too.  If you receive an e-mail which doesn’t look or feel right (fonts, colours, lack of legalese in the footer), chances are it’s not an authentic e-mail.

3. Nature of the request

There’s just no way that Google (or any other large company) will ever expect end users to fill out details in text like this.  In fact, no big company or financial institution should ever contact their customers this way and request private information.

Even if they did, it would be horrible to import into their systems, and it would be very hard to validate the input text.
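Signs 1 and 3 can be checked mechanically. The following is an added example, not part of the original post: it parses a raw message and flags a display name that borrows a brand the sending domain does not own, and a body that asks for private details by reply. The brand-to-domain map, the term list, the function name and both sample messages are constructed assumptions.

```python
from email import message_from_string, policy
from email.utils import parseaddr

# Assumption (from the article): official Google/Gmail mail comes from @google.com.
BRAND_DOMAINS = {"google": {"google.com"}, "gmail": {"google.com"}}
# Details the article says a provider would not re-request by e-mail.
SENSITIVE = ("password", "year of birth", "place of residency", "year registered")


def phishing_signs(raw: str) -> list[str]:
    """Return the telltale signs found in one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    signs = []
    # Sign 1: the display name borrows a brand the sending domain does not own.
    for brand, domains in BRAND_DOMAINS.items():
        if brand in display.lower() and domain not in domains:
            signs.append(f"display name claims '{brand}' but domain is '{domain}'")
            break
    # Sign 3: the body asks the reader to type private details into a reply.
    part = msg.get_body(preferencelist=("plain",))
    text = part.get_content().lower() if part is not None else ""
    asked = [term for term in SENSITIVE if term in text]
    if len(asked) >= 2:
        signs.append("requests private details by reply: " + ", ".join(asked))
    return signs


# Constructed sample modelled on the message described above (not the real one).
SAMPLE_PHISH = """\
From: "Gmail Team" <verify.accounts.example@gmail.com>
Subject: Google Verification

Reply with: Account Name, Password, Year of Birth, Place of Residency
"""

# Constructed sample of a notification that trips neither check.
SAMPLE_OK = """\
From: "Google" <no-reply@google.com>
Subject: Security alert

A new sign-in was detected. Review it from your account settings page.
"""

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("ok", SAMPLE_OK)):
        print(name, phishing_signs(raw))
```

A clean result here only means these two heuristics did not fire; it says nothing about whether the sender was authenticated.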

4. Grammar and spelling mistakes. 

Even in this age of decaying English, most big companies tend to proofread their e-mail text.  This email isn’t too bad for a phishing scam, but you likely won’t find these kinds of mistakes in legitimate e-mails.

Lastly, if you read this e-mail and thought “isn’t this information already located at accounts.google.com?” you’d be correct. 

Why would a company re-request this information?  You’ve already supplied your account and password when you logged into your account, your year of birth doesn’t change, and your name wouldn’t change that often either.

There’s a good chance you don’t remember the year you registered (and shouldn’t they be able to look it up?) and place of residency isn’t required.

Finally..

If you get an e-mail like this one from a bank, Microsoft, Apple or Google (or others like them), apply some simple logic before hitting reply.  As always, please be careful with your personal information.

Your details should be as protected as your PIN number or bank account details.  Don’t give the information away freely.

R


About Rob Sanders

IT Professional and TOGAF 9 certified architect with nearly two decades of industry experience, 18 years in commercial software development and 11 years in IT consulting. Check out the "About Rob" page for more information.
