Gone phishing

Okay, I got hooked! A couple of years ago, I fell for a phishing scheme. I was exchanging emails with a supply partner of ours about a service we were considering offering. For us to become an authorized reseller of the service, I would have to sign a document.

When I received an email from the partner requesting that I log into my Microsoft account to retrieve the document, I did so without hesitation. In the process, I had inadvertently participated in a phishing scheme. I had entered my Microsoft login credentials, which in turn, exposed my Outlook contact list. Many of my customers immediately began to see inappropriate emails from me appear in their inboxes! My customer’s own IT service provider was spamming them! Needless to say, that was frustrating for our customers and an embarrassment for us.  

In this case, the partner’s email account had been hacked, setting off a series of phishing actions that impacted her contacts and those of her contacts that had fallen for the scheme as I had. Hundreds, if not thousands, of businesses and individuals had been inconvenienced and perhaps had suffered financially from a single compromise of someone’s email account. No one but the originator had any malice in mind, but all others involved felt the pain!  

The week of September 26, 2020, I began to receive emails appearing to be requests to pay invoices through Intuit. As I was not expecting these, I became suspicious and asked my staff if they had received any like these and learned that they all had. Perhaps you, too, received emails such as these; hopefully, you did not respond to them. The header in the email is Services quickbooks@notification.intuit.com. 

How can one tell a phishing email from a legitimate one? First, if the email asks you to take action, such as clicking a link, is this something you expected? Let’s take the example of the phishing scheme I fell for. Yes, I was eventually expected to sign something, but my partner had not asked me to yet. So why did I follow the instructions in the email when it was not time to do so? I was distracted, trying to do too many things at once. OK. Let’s give me a pass on that one. But why would she ask me to sign in to my Microsoft account to sign a document? She would not. Again, me being distracted was just what the “Phisher” was hoping for. If I had been paying attention to the conversation at hand, I would have questioned “her” email.  

How about the fake Intuit emails? How did my staff and I conclude these were fakes? First, they were not expected. Yes, we do have some cases where we pay invoices online due to receiving an email, but they are identifiable by having the name of the company sending the invoice, usually in the header of the email. Here are two examples of emails requesting payment:  

• Services quickbooks@notification.intuit.com
• TeamLogic IT, OKC quickbooks@notification.intuit.com

Which one looks legitimate to you? Does “Services” look like a company name?  

Other clues for phishing emails are 

• Generic salutations: “Dear Customer” for example
• The sender’s fake email address – hover your mouse over the “from” email address and look for suspicious information, misspellings, etc.
• Attachments that aren’t expected. 
• Asking for the unexpected – why are you being requested to send information or make a payment

Please don’t do like I did and fall for a phishing scheme. Be suspicious rather than sorry.