Here are the best and worst phish we’ve seen lately – send us some of the best and worst you’ve seen!
Unfortunately phishing has become so prevalent that most of us have grown sort of jaded. Case in point, we pass around phish at our office. It’s not uncommon to get an email from a coworker with a subject line like “check out teh pheesh” and a screenshot of a questionably worded request to change a password or some such nonsense.
Even referring to them as phish kind of undermines what a pernicious threat phishing actually is.
Still, call it gallows humor, but sometimes phishing emails can be objectively funny. And sometimes they can be deathly serious – when they’re constructed well enough to be convincing.
So, today, we’re going to look at some phishing email examples – the best and the worst. And then we want to hear from you: at the end we’ll ask you to send some of your best and/or worst phish and we’ll all learn from and/or have a laugh at them, too.
Let’s hash it out.
Phishing Email Examples: The Best
Now, before we go any further – and for the sake of our comments section – we are by no means saying any of these are the greatest or worst of all-time. I would be skeptical of anyone who claimed they could make that evaluation. And I’m not sure what criteria it would even be based on. If you removed anything with a trace of subjectivity you would have to quantify it in actual damage caused and in some cases, like John Podesta and the Democratic National Committee, you really can’t put a number on that kind of damage.
My point is don’t overthink this. These are archetypal in nature. Meant to illustrate the kinds of tactics that phishers use. They’re also taken from our own email servers. This is what phishing looks like in the wild.
With that out of the way, let’s look at some phishing email examples.
This is an example of brand phishing, in this case the phish is imitating a Rackspace email. We happen to use Rackspace, so this had the potential to pique the right person’s interest. It also requires immediate attention, which tries to force a sense of urgency.
Where it falls apart is in the from: field and the link URL. Let’s start with the sender. Rackspace is very clear about the servers it delivers mail from. This isn’t one of them. That was enough to get it flagged by our filters. But beyond that, the from name isn’t quite right (it uses alpha characters instead of “a”) and the URL it links to isn’t rackspace.com.
The URL is pretty sneaky, though. At a cursory glance, it almost looks like a valid Rackspace URL:
Here’s another example:
Again, this looks to create urgency about an expiring account, but if you stop for a second you’ll notice that nowhere in this colorful correspondence is any mention of what the expiring account IS. It just says “Computer security account” in the signature. That’s actually helpful in its unhelpfulness. This is clearly a phish.
Posing as a job applicant
If you ever were, or have just spent time around a middle school-aged boy, the name of the sender would give this away immediately. But, assuming your purity of mind and heart allowed you to miss that, the premise here is actually pretty ingenious. If a company has posted job listings on websites like Indeed or LinkedIn, shoot them an email with a malicious payload masquerading as a resume.
Or in the case of Shona’s resume, maybe just a headshot.
Here’s another one with a less egregious name, though it’s sent to an email address that an applicant wouldn’t use, much less even have.
Notice the filters caught the malware and renamed the attachment rather un-suspiciously. I think this is one case where if an employee still opens it you’re legally sanctioned to load them into a cannon and fire them into the sun.
Posing as an angry customer
Nobody wants to be accused of billing a customer twice. That’s something that needs to be addressed immediately so this is definitely effective in terms of creating urgency. And when it’s a “customer,” unless the sender: and from: fields don’t match, it can be tough to rule a whole lot out by domain and TLD.
But there are a couple of things that give this away. For one, every sentence or so you get two words concatenated. That’s a formatting error caused by copy/pasting between differently encoded applications. That’s never a good sign. Also, who sends a link to their bank statement? That’s phishy, too. But the real tell is there’s no contact information given beyond “Al Scogin” and the email address this came from. That speaks to the sender’s intent, which isn’t to recoup a financial loss so much as to get you to click a link. Phish.
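The three tells called out above (a look-alike character in the sender’s display name, a sender that doesn’t match the from: address, and a link whose host only starts with the brand’s domain) can be checked mechanically. This is an added example, not code from the post or from Rackspace; the message it parses is constructed for illustration, with a Cyrillic “а” in the display name and a placeholder .invalid domain.

```python
import re
import unicodedata
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample in the style of the brand phish described above (not a real
# captured email). The display name uses a Cyrillic small "a" (U+0430), not Latin "a".
SAMPLE = """\
Return-Path: <billing@mail.not-the-brand.invalid>
From: "R\u0430ckspace Support" <support@rackspace.com>
Subject: Immediate attention required: your account
Content-Type: text/html

<p>Please verify your account at
<a href="http://rackspace.com.account-verify.invalid/login">rackspace.com</a></p>
"""

def non_latin_letters(text):
    """Letters whose Unicode name is not LATIN ... (a homoglyph indicator)."""
    return [c for c in text if c.isalpha()
            and not unicodedata.name(c, "").startswith("LATIN")]

def registered_domain(host):
    """Crude eTLD+1 (last two labels); enough for .com-style brand domains."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def analyze(raw, brand_domain):
    """Return a list of human-readable findings for a single-part message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, envelope = parseaddr(msg.get("Return-Path", ""))
    findings = []
    odd = non_latin_letters(name)
    if odd:
        findings.append("homoglyph in display name: " +
                        ", ".join("U+%04X" % ord(c) for c in odd))
    # Heuristic: bulk senders legitimately use bounce domains, so treat as a signal.
    if envelope and envelope.split("@")[-1] != addr.split("@")[-1]:
        findings.append("envelope sender %s does not match From %s" % (envelope, addr))
    body = msg.get_payload()  # single-part sample; multipart would need a walk()
    for url in re.findall(r'href=["\']([^"\']+)', body):
        host = urlparse(url).hostname or ""
        if registered_domain(host) != brand_domain:
            findings.append("link host %s is not under %s" % (host, brand_domain))
    return findings

if __name__ == "__main__":
    for f in analyze(SAMPLE, "rackspace.com"):
        print("FLAG:", f)
```

The link check is what catches the “almost looks valid” trick: the brand name sits at the front of the hostname, but the registered domain at the end is what the browser actually connects to.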
Ok, now let’s look at some bad examples because those are way more fun. We’ll update our best phish section as we see some better phish. As you’re about to see, a lot of this is just garbage.
Phishing Email Examples: The Worst
You know how sometimes you CAN judge a book by its cover? The inverse makes for a good movie, but in real life a lot of the time stuff really is as bad as it looks. Sorry, kiddos.
Bad Brand Phishing
PayPal is one of the most oft-imitated brands in the world of Phishing, so if you want to PayPal phish, you better have your ducks in a row and make it look good.
This… is not that.
Ignoring for a second that PayPal would never bungle the aesthetics of an email this badly, let’s just admire the details here. The correspondence is addressed TO “paypal” for some reason. Then the second sentence is “you’ve chosen to explore a mighty network!” What the hell does that mean?! If someone says that to you on the street, you clock them and run in the other direction. Then there’s a praise emoji and a stalker-ish “I’ve-been-watching-you”-style sign off. Then a brand statement. What kind of psychopath wrote this email?
This one has a decent subject line and it purports to be from Rackspace but two words in we already know it’s BS. Also, it originated from ambergris.it? That’s not a Rackspace server. My favorite is the passive aggressive way Rackspace is allegedly telling the recipient to take care of their bill… “devote 2 minutes of your time and go on our page to settle your bill.”
Very on-brand. (So there is no ambiguity, this is sarcasm. Though we pay our bills on time I’m sure there is no such passive aggression on Rackspace’s part in the event things are past due.)
The original fake news: sending someone an advertisement that’s really just trying to steal their info or give them malware. Here’s an example:
The sender: and from: fields are actually believable enough; ABC always sounds like a legitimate enterprise. And it says “ABC Today News Special,” which most people in the US (and Australia) associate with a TV network. Then things go downhill. “Incredilbe.” This is such a weird mistake that I actually Googled it just to make sure it wasn’t a cognate, and that’s just how another language spells it and… no. After clicking through Google’s “suggested spelling” all I found was a bunch of travel reviews left by orthographically-challenged (idiot) tourists. Actually, they say spelling isn’t a function of intelligence, but there’s a threshold at which point it’s hard to argue it isn’t at least a little bit indicative of it. Or a lack of it. Also, who uses Bing Maps?
Anyway, the rest of the email does itself no favors, either. Clearly a phish.
Pose as a Hacker
A lot of people don’t know a whole lot about computers and networks and cybersecurity, which paints hackers in a rather fictional light. And to make things worse the media does a really poor job of covering cybersecurity topics, which scares up a whole host of other problems.
Criminals know this, and they are more than happy to prey on those fears.
This next email has some NSFW language. Ohh, I probably should have mentioned that earlier, too (looking at you, Shona), but we’re all adults here so let’s continue.
This is actually one in a string of clearly-automated emails that escalated over the course of a few weeks. Regrettably, I emptied my junk folder and deleted the first few before starting this article, but you can probably gather the substance and gravity of the first few from this one.
Right away, you can tell this is a phish. First of all, Mr. Retention doesn’t have a social life. Mr. Retention is not even a person. Mr. Retention is a deprecated mail alias (apparently one with too much time on his hands). You can tell this is automated from the get-go.
And I think there’s a foundational flaw in the logic behind this whole endeavor, which is that the type of person that might be scared into believing this definitely has no idea how to buy Bitcoin.
In fact, asking such a naive, impressionable individual to even try to obtain Bitcoin is like sending a sheep into a lion’s den. They’ll have their money, their home and all their credit sucked out of them way before you ever see your $2,000 worth.
Here’s the same thing in German. Same disclaimer applies. NSFW language (if you’re German).
Here’s another one with some slightly different language, but all the same anger and scaremongering we’ve come to love:
C’mon, Mr. Retention. We’re going to have to take away your internet access, aren’t we?
Send us your best and worst phish!
We want to see YOUR best phish. Hang on, let’s reword that. If anyone sends you or your company a particularly good phish – really convincing ones or comically bad ones – take a screenshot and send it to HashedOut@TheSSLStore.com. Just make sure to cover up anything you don’t want the world to see. Probably best to rephrase that, too. If there are any recipients, email addresses or proprietary information included on the screenshot make sure to obscure it before sending it.
And check back here periodically, we’ll update this article regularly as more and more phish swim our way.
As always, leave any comments or questions below…