Monday afternoon, I received a call from a concerned client. I thought, is it a client if it’s your son and he doesn’t pay? Anyway, he told me, “I just got an email from you that I don’t think I’m supposed to see.”
After describing the message sent from Notice on Behalf of Slingshot Information Systems with no displayed “from” email address and a lengthy but tempting subject: COMPLETE: Signature Requested on Slingshot Information Systems, Inc. Employee Benefits & Salary Adjustment Review 2024.pdf on May 13, 2024.
I told him it’s not from us.
What Went Right?
· An unusual message from what appeared to be a known sender triggered caution.
· He didn’t rush to open the attachment.
· He called the advertised sender directly to verify.
Malicious Phishing Emails are a Persistent Threat
The lack of a visible sender’s email address made this scam a little more time-consuming to invalidate. We often see messages from familiar names, but when you look at the address, it’s something similar from an unknown domain. Instead of my email from slingshotis.com, it might be Slingshot254@gmail.com. Those are easy to identify as fraudulent and then delete.
I pulled the original message from Nick’s mailbox. When we extracted and reviewed the message header information, it was apparent that it wasn’t from us. We knew that, but we were interested in studying the scam. The image below shows the actual sender.
I moved the file to our sandboxed, testing virtual computer, where it could do no harm, and opened the attached PDF. It contained a spoofed Microsoft web page with a button that led to a URL that was not Microsoft. Malicious content could be downloaded, or a fake login screen would collect the victim’s email credentials for further exploits.
A Link Too Far
The link is the bait, and the download service it points to is the hook. It’s usually a familiar name, a service you trust, but something is amiss. The URL is slightly off, and the website’s design is not quite right. Below is the phisher’s realm, a replica designed to deceive and ensnare.
Our Web Security blocked me with a Malware and Phishing warning to prevent me from going further. I’d seen enough of this phisher spoof of Slingshot anyway.
The Masquerade of Legitimacy
These emails are dangerous because they appear legitimate. Without a sender’s address, there’s no immediate tip-off to doubt their authenticity. The cybercriminal counts on your curiosity, need for closure, and trust in familiar brands. They exploit the human tendency to seek patterns and fill in the blanks, leading you to rationalize the email’s presence in your inbox.
Guarding Against the Attack
Protecting yourself from these hackers requires vigilance and a healthy dose of skepticism. Here are strategies to harden your defenses:
Verify Before You Trust: If an email does not include the sender’s address, verify its contents through other means. Contact the supposed service provider directly using contact information obtained from their official website.
Educate Your Instincts: Familiarize yourself with the hallmarks of phishing attempts. Look for misspellings, generic greetings, and urgent calls to action.
Use Technology Wisely: Employ email filters, antivirus programs, and web browser extensions that help detect and block phishing attempts.
Report your Concerns: If you encounter a phishing email, report it to your IT Admins. By doing so, you help build a collective defense against these threats.
Conclusion
The sense that a message is not real reminds us that not everything is as it first appears. If something feels off, it probably is. Slow down, stay alert, stay informed, and stay secure.
Slingshot Can Help
Our clients can get fast support via our helpdesk.
Does your organization need an IT Support Provider to ensure its security? Contact Slingshot today for a no-charge review.