Catches of the month: Phishing scams for September 2019

We’re back for another round-up of phishing scams that caught our eye over the past month. This series provides real-life examples of phishing emails, helping you understand how they work and what you should do to avoid falling victim.

You can check out last month’s list if you missed it. In the meantime, let’s get to September’s catches of the month:

  1. Yahoo Mail customers targeted by Apple scam

It’s never a surprise to hear that Yahoo is implicated in a cyber security scam. Ever since the organisation breached all 3 billion of its users’ information, its email platform has been a hotbed for phishing scams.

Here’s an example of a phishing scam Yahoo Mail customers received this month:

apple phishing email

The message isn’t particularly convincing, and we’d expect anyone familiar with phishing scams to spot the clues.

For example, although the email appears to come from ‘Apple ID’, the email address is a long string of letters and numbers that has nothing to do with Apple. Any genuine message would come from appleid@id[.]apple[.]com.

Other clues include the fact that it addresses the recipient by their email address rather than their name, and that the attached link doesn’t go to, as it implies, but a website whose domain is registered in Montenegro.

Finally, there’s the content of the message itself. It’s poorly written and uses the classic ticking time-bomb narrative, giving recipients 24 hours to click the link or their account will be disabled.

This is a favourite tactic of scammers, as it makes recipients more likely to panic and click the link immediately, rather than taking the time to examine the message properly or putting it off until they next need to use their Apple account.

The simplicity of this scam suggests that the phishers were going for quantity over quality. With more thought, they could have personalised the messaged by including users’ names.

If they’d got the email addresses from the breached Yahoo databases, they’d have this information to hand. Even if they hadn’t, many people’s email addresses contain their full name, so it would be easy to add.

However, there’s no need to go to all that effort if you’re confident that a handful of people will fall victim to a scam that takes minimal effort. The most likely victims tend to be older people, who don’t stay up to date with cyber security issues.

And who are the most common Yahoo users? Those who are 50 and older. The majority of their customer base would have created their email address 20 or so years ago, when Yahoo was the dominant email provider, and didn’t go to an alternative after the full extent of the organisation’s security errors were unearthed.

  1. United Rentals customers caught out by hijacked email account

The security researcher Brian Krebs reported on a curious phishing scam that targeted Connecticut-based United Rentals.

On 21 August, several people claimed that they’d received invoices from United Rentals that contained an infected attachment and malicious link. When the customers opened the attachment or clicked the link, a banking Trojan was downloaded.

phishing email


This is standard practice for phishing scams, but what made the scheme stand out is that the malicious link comes from United Rentals’ own website.

How did the scammers achieve this?

“Based on current knowledge, we believe that an unauthorized party gained access to a vendor platform United Rentals uses in connection with designing and executing email campaigns,” the organisation said in a statement.

“While our investigation is continuing, we currently have no reason to believe that there was unauthorized access to the United Rentals systems used by customers, or to any internal United Rentals systems,” it added.

Instead, it appears that the scammers infiltrated Pardot, an email marketing division of the Cloud-based CRM (customer relationship management) firm Salesforce.

Krebs explains that organisations sometimes dedicate a domain or subdomain that they own, which is used by their Cloud-based CRM. This enables the CRM to send emails that appear to come directly from the client.

Cyber criminals are therefore targeting CRM providers, because compromised accounts on these systems can be used to conduct highly targeted and convincing phishing attacks.

Well done to the users who discovered that something was amiss with the United Rentals email, as this scam would otherwise have had a much longer lifespan.

  1. Utility providers targeted with spyware

Utility providers were caught out by a rudimentary phishing scam involving a shoe retailer and a former member of the pop group McFly.

The scam email is short, with someone called ‘Adam’ providing a PDF attachment containing remittance advice. This is despite the fact that the email comes from Friary Shoes.

The domain used in the message (friaryshoes[.]co[.]uk) is no longer active, but a Google search reveals that it belonged to a Lichfield-based shoe seller.

friary phishing email

Why would a shoe seller be giving financial advice to a utility company?

The most likely answer is that a criminal compromised the organisation’s domain while looking for legitimate email addresses that would pass through spam filters. The host for Friary Shoes probably didn’t prioritise cyber security, as it seemed unlikely that a criminal hacker would infiltrate a site that received such little traffic.

Meanwhile, the attacker worked on the assumption that recipients of the scam wouldn’t notice the email address.

The attached name, which is blanked in this screenshot but would normally appear prominently to the left of the email address and in the inbox itself, would likely have referred to an organisation or a person’s name.

A similar issue probably occurred at fletcherspecs[.]co[.]uk, the site that – at the time this scam was active – hosted the malware hidden in the PDF attachment. However, it appears to have once been linked to Tom Fletcher, the former lead singer of McFly.

Once users click the attachment, it unleashes Adwind, a type of spyware that:

  • Takes screenshots;
  • Harvests credentials from Chrome, Internet Explorer and Microsoft Edge;
  • Records video and audio;
  • Takes photos;
  • Steals files;
  • Performs keylogging;
  • Reads emails; and
  • Steals VPN certificates.

Experts found that Adwind was available as Spyware as a Service, meaning anyone willing to pay for it could use the malware to target organisations.

Protect your organisation

As we’ve shown here, there are many ways you can fall victim to phishing scams, but just as many ways to protect yourself.

However, the common denominator is your staff. They are the ones who are targeted, and once they open a phishing email, the only thing preventing a data breach is their ability to spot that it’s a scam.

Fortunately, there are always clues that reveal the true nature of malicious emails, and our Phishing Staff Awareness E-Learning Course teaches you how to spot them.

This 45-minute course uses examples like the ones above to explain how phishing emails work, the clues to look for and the steps to take to avoid falling victim.

Find out more



  1. Pete Austin 12th September 2019
    • Luke Irwin 12th September 2019