Catches of the month: Phishing scams for May 2021

Welcome to May’s round-up of phishing scams. This month, we look at a scam imitating SharePoint that has bypassed Microsoft’s secure email gateway, and investigate the damaging effects of a data breach at a cryptocurrency platform.

SharePoint users caught out by ‘urgent’ signature request

SharePoint users are being warned about targeted phishing attacks that claim users must urgently provide a signature on a document.

The researchers at Cofense who discovered the scam said it could be particularly dangerous given how many people are working remotely and rely on SharePoint.

Moreover, the link itself looks realistic, and could catch out anyone who isn’t familiar with the signs of a phishing email.

Although the message that accompanies the link is poorly written, many readers won’t pay close attention and will instead focus on the SharePoint link, which is free of grammatical errors.

But even if readers don’t spot this clue, their suspicions should be aroused by the fact that the sender hasn’t addressed the recipient by name. As Cofense notes, this is a clear sign of a mass-distributed campaign and not an urgent message to a specific individual.

Another sign that the email is bogus is that the “View Documents” link doesn’t direct readers to a SharePoint site but instead to “sipeslake.xyz”.

Those who follow the link will see a pop-up that uses SharePoint’s branding and asks them to provide their login credentials.

This should be the biggest red flag, because the website asks for the user’s email address and password. If the organisation uses SharePoint, the user’s account is almost certainly linked to their work email, which would mean there is no need to supply login details again to open a document.

Despite the numerous signs that this is a scam, many people are falling victim. This demonstrates how difficult it is to train employees to spot phishing scams, and highlights why cyber criminals use phishing so often.
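The clues listed above (a “View Documents” link that resolves to a domain other than SharePoint, no recipient name, and an “urgent” tone) can be encoded as simple mail-filter checks. The code below is an added example, not part of the original post or of Cofense’s research; the trusted-domain list, the recipient name and the sample message body are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed domains a genuine SharePoint notification link would point to;
# a real deployment would use its own tenant's allow-list.
TRUSTED_SUFFIXES = ("sharepoint.com", "microsoft.com", "office.com")


class _AnchorCollector(HTMLParser):
    """Collect (href, visible link text) pairs from an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def phishing_indicators(html_body: str, recipient_name: str) -> list:
    """Return the red flags described above that are present in the email."""
    flags = []
    parser = _AnchorCollector()
    parser.feed(html_body)
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        # Link text promises a document / SharePoint, but the host is not one
        looks_like_sharepoint = "sharepoint" in text.lower() or "document" in text.lower()
        if looks_like_sharepoint and not host.endswith(TRUSTED_SUFFIXES):
            flags.append(f"link '{text}' resolves to {host}, not a SharePoint domain")
    plain = re.sub(r"<[^>]+>", " ", html_body)
    if recipient_name.lower() not in plain.lower():
        flags.append("recipient not addressed by name (mass-distributed campaign)")
    if re.search(r"\burgent(ly)?\b", plain, re.I):
        flags.append("urgency pressure in message text")
    return flags


# Constructed sample resembling the lure described above (not a real message).
SAMPLE = """<p>Dear User,</p>
<p>You have recieved an urgent document that need your signature.</p>
<p><a href="https://sipeslake.xyz/login">View Documents</a> on SharePoint</p>"""
```

Running `phishing_indicators(SAMPLE, "Alice Smith")` reports all three indicators, while a message that greets the recipient by name and links to a `sharepoint.com` host reports none.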
Test your employees’ ability to detect a scam with our simulated phishing attack

Our Simulated Phishing Attack service sends your employees a typical example of a phishing email without the malicious payload.

This gives you the opportunity to monitor how your employees respond. Do they click a link right away? Do they recognise that it’s a scam and delete it? Do they contact a senior colleague to warn them?
Breach at cryptocurrency platform Celsius leads to phishing attacks

Phishing is at its most dangerous when attackers use personal details that have been siphoned from a specific source – and that’s exactly what happened to Celsius Network users in April.

The cryptocurrency platform confirmed that a third-party marketing server had been compromised, with threat actors accessing a list of customers.

Celsius CEO Alex Mashinsky said: “An unauthorized party managed to gain access to a back-up third-party email distribution system which had connections to a partial customer email list.

“Once inside the system, this unauthorized party sent a fraudulent email announcement, of which we know some of the recipients to be Celsius customers.”

The scammer’s message claimed that the organisation was giving away $500 in cryptocurrency to anyone who followed an attached link.

Those who complied were directed to a mock-up of Celsius’s site and asked to provide their login details, which would give the attackers access to the users’ cryptocurrency assets.

Attacks like these are so dangerous because fraudsters can create specific, tailored scams. Everyone who received that message was a Celsius user, meaning everyone was a potential victim.

It removes the biggest clue to spotting scams – receiving messages from companies you don’t use. If you get an email supposedly from PayPal but you don’t have a PayPal account, you know instantly that it’s a scam.

That’s why attackers usually target large brands, such as PayPal or Microsoft. The more people who use the service, the more potential victims there are.

By contrast, it’s easy to assume that an attacker wouldn’t imitate a relatively small cryptocurrency platform such as Celsius. As such, you may be less suspicious when you receive an otherwise questionable message.

As this story demonstrates, it pays to be vigilant at all times. No matter who the sender is, you must remember that if the message sounds too good to be true, it probably is.

If you’re in any doubt over its validity, you should visit the organisation’s website (but don’t follow the link in the message) or contact them directly (but don’t use any contact details in the message) to query it.

Can you spot a scam?

Make sure your staff know how to identify and avoid scams with our Phishing Staff Awareness Training Programme.

This 45-minute course uses examples like the ones above to explain how phishing works, what to look out for and the steps you should take to avoid falling victim.