What is it about phishing emails that makes them so enduringly popular with the bad guys?
The standard answer is they exploit fear, alarm and annoyance to persuade users to click on them, which explains the horde of campaigns using fictitious legal threats or warnings about bank accounts to get a foot in the door.
However, a new campaign covered by Bleeping Computer reminds us that there is another psychological impulse that works just as well if skilfully deployed – curiosity.
This one is couched as an email, apparently from Microsoft, alerting the recipient to an encrypted message which must be viewed by accessing OneDrive for Business.
It used to be said that the best phishing attacks gamed their victims in the shortest possible time and the fewest steps but that was before cloud services were invented where, arguably, introducing more steps now aids authenticity.
This one has several, including a faked-up OneDrive-branded email with a blue ‘Open’ button plastered in the middle of it, followed by – of course – a pretend OneDrive login page that asks users to enter their account credentials to download the file.
It’s like being asked to follow a trail of sweets to find out what’s at the end only to discover it’s a pit filled with spikes.
A big giveaway is that Microsoft business accounts should be protected by two-factor authentication (2FA), which this fake login lacks, but it’s possible some users won’t notice its absence if they’re not familiar with it.
You’ve got secure email
Phishing campaigns using encrypted email content as a lure are nothing new; indeed, one might view them as a distant descendant of the old fake UPS or FedEx parcel messages.
That’s why phishing attacks must continuously evolve new variations on the same underlying ploy, which happens as new templates are added to the shadowy phishing kits that spawn them.
Every time you think the phishers will finally run out of ideas, they come up with a new twist on the same concept.
Recent examples have even included attempts to beat older but still widely used types of 2FA, as was the case in a series of attacks targeting high-value Gmail users.
Or, last week, the fact that a growing number of bogus domains are using TLS certificates and HTTPS connections as a way of making themselves appear more plausible.
In the mobile sphere, phishers have taken to emailing Instagram users with the claim they’ve been added to a “nasty list”.
The inbox frontline
This raises the practical question of how recipients can avoid falling into the clutches of the phishers, short of simply never clicking on anything.
If there was a simple answer to this, phishing attacks would have been squashed years ago but not clicking on anything ever in an email is, in fact, not a bad place to start.
Anything that claims an account of any kind is about to be suspended, suggests users update their account data, or asks the user to delete undelivered emails, is automatically suspicious.
Beyond that it’s about noticing unusual, misspelled domains in the URL, or domains that appear differently when hovering over links. Finding them is a sure sign of something phishy, but their absence shouldn’t be taken as proof that an email is legitimate. It’s also important to study reply addresses carefully while remembering that legitimate addresses are easily spoofed.
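The checks above (link text that shows one domain while the href points at another, brand look-alike hostnames, and a Reply-To that does not match From) can be automated as a first-pass triage script. The following is an added example written for this article, not code from the original post or from any vendor; the two messages are constructed samples, and the trusted-domain and brand-word lists are assumptions a real deployment would replace with its own.

```python
"""Heuristic phishing tells: link text vs href domain, look-alike hosts,
and Reply-To/From mismatch. Sample messages below are constructed."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: domains the brand really uses, and brand words whose presence in
# any other host marks a look-alike.
TRUSTED_DOMAINS = ("microsoft.com", "live.com")
BRAND_WORDS = ("microsoft", "onedrive")

# Constructed phishing-style message; every address and domain is illustrative.
SAMPLE_EMAIL = """\
From: "Microsoft OneDrive" <no-reply@onedrive.example-mail.test>
Reply-To: collect@mailbox-relay.test
To: user@example.com
Subject: You have received an encrypted message
Content-Type: text/html; charset=utf-8

<html><body>
<p>Open the secure document in OneDrive for Business:</p>
<a href="https://onedrive-business-login.test/open">https://onedrive.live.com/</a>
<a href="https://support.microsoft.com/help">Help</a>
</body></html>
"""

# Constructed legitimate-looking message for comparison.
CLEAN_EMAIL = """\
From: "Microsoft" <account-security-noreply@microsoft.com>
To: user@example.com
Subject: Your monthly summary
Content-Type: text/html; charset=utf-8

<p><a href="https://account.microsoft.com/">https://account.microsoft.com/</a></p>
"""

# Matches link text that itself looks like a URL or bare hostname.
URL_TEXT = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:?].*)?$", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in the HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Last two labels; a crude stand-in for a public-suffix lookup."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def is_trusted(host):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def is_lookalike(host):
    """A brand word inside a host that is not one of the brand's real domains."""
    return not is_trusted(host) and any(w in host.lower() for w in BRAND_WORDS)


def analyse(raw):
    """Return (kind, detail) findings; an empty list means no tell was found."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_dom = parseaddr(msg["From"])[1].rpartition("@")[2]
    reply_dom = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2]
    if reply_dom and reply_dom != from_dom:
        findings.append(("reply_to_mismatch", f"{reply_dom} != {from_dom}"))
    if is_lookalike(from_dom):
        findings.append(("sender_lookalike", from_dom))
    body = msg.get_body(preferencelist=("html",))
    parser = LinkExtractor()
    parser.feed(body.get_content() if body else "")
    for href, text in parser.links:
        host = urlparse(href).hostname
        if not host:
            continue  # mailto:, relative or malformed links carry no host
        shown = URL_TEXT.match(text)
        if shown and registrable(shown.group(1)) != registrable(host):
            findings.append(("link_text_mismatch", f"shows {shown.group(1)}, goes to {host}"))
        if is_lookalike(host):
            findings.append(("link_lookalike", host))
    return findings


if __name__ == "__main__":
    for kind, detail in analyse(SAMPLE_EMAIL):
        print(f"{kind}: {detail}")
```

As the article says, a hit from any of these checks is a strong signal, but a clean result proves nothing: a spoofed From header, a convincing domain that contains no brand word, or link text that is plain English rather than a URL all pass silently.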
How easily? Very easily:
(Watch directly on YouTube if the video won’t play here.)
In the offline world, curiosity is usually seen as a good thing – a sign of initiative. It’s just a shame that for email users, inquisitiveness is more likely to get you into a heap of trouble.