This morning, a few of us here at OpenDNS HQ received an email we determined to be a phishing attempt. This happens for us just as frequently as it happens for everybody else but, in this case, the email looked convincing enough that we thought we’d share it here on the blog, along with some tips for detecting similarly polished phishing attempts in the future.
Here’s a screencap of the email I received from Google AdWords notifying me that I need to log in to my account immediately to ensure our OpenDNS ads are running. I’ve highlighted some features the scammers used to make the email seem legitimate, along with some message details we used to confirm this email as a phishing attempt.
First, the email uses the standard Google logo, fonts, and color scheme, along with the actual email address Google AdWords uses to send regular account notifications (firstname.lastname@example.org). It’s important to note that the “from” and “reply-to” addresses are just header fields the sender fills in, so anyone can set them to whatever they like. Never use the “from” or “reply-to” address on its own to decide whether an email is legitimate.
At first glance, this seems like a real email from Google. Since I’m the guy who manages our AdWords campaign, I’m actually starting to get a little curious — did our ads turn off without my knowledge overnight?
But then I look closer. First, the body of the message has a few spelling and grammar mistakes — basic ones, like writing “cannot” as “can not,” and missing spaces between sentences. All stuff a large corporation (and its small army of proofreaders) would fix before sending an email out to the masses. Next I hover over the link “Click here to confirm that your campaigns are up and running 100% at this time.” to see where it will actually take me. You should always check the real URL behind a link before you click, and look at the domain itself, not just whether a brand name appears somewhere in it. Sure enough, it’s not a real Google website. Instead of a page at “google.com,” the link goes to a page hosted at “google-dn.com,” a lookalike domain that has nothing to do with Google. Now I know I’m definitely not clicking on that link!
In my email application, I click to view the message details (the full headers). Just as I suspected, the “Received” headers show that the email wasn’t handed to our mail servers by Google’s servers, but by “mail.wisenetworks.co.uk” — definitely not Google! One caveat here: only the topmost “Received” line, the one stamped by your own mail server, is trustworthy; the sender can forge any “Received” lines below it.
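Both of the checks above (where the links in the body really point, and which server handed the message to ours) can be automated for triage. The script below is an added example written for this post; it is not code from the original article or from OpenDNS. The email it parses is constructed here to mirror the message described (a “From” address claiming google.com, a link to google-dn.com, delivery from mail.wisenetworks.co.uk); the sender address, the 203.0.113.5 IP, the queue id, the expected domain and all function names are assumptions for illustration.

```python
"""Offline triage of a suspected phishing email (added example, not from the post).

Two checks from the post: (1) where each link in the body really points, and
(2) which server actually handed the message to our mail system, as recorded
in the Received headers. Everything below is constructed for illustration.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message, modelled on the AdWords phish described in the
# post. The sender address, the IP (203.0.113.5 is a documentation range) and
# the queue id are made up.
RAW_EMAIL = """\
Received: from mail.wisenetworks.co.uk (mail.wisenetworks.co.uk [203.0.113.5])
 by mx.example.org with ESMTP id 4F1A2B; Tue, 12 Mar 2013 09:14:02 +0000
From: "Google AdWords" <adwords-noreply@google.com>
Reply-To: "Google AdWords" <adwords-noreply@google.com>
To: ads@example.org
Subject: Your Google AdWords campaigns are not running
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your campaigns can not be shown at this time.Please log in immediately.</p>
<p><a href="http://google-dn.com/account/login">Click here to confirm that
your campaigns are up and running 100% at this time.</a></p>
<p><a href="https://support.google.com/adwords">AdWords Help Center</a></p>
</body></html>
"""

# Simplified registrable-domain heuristic (an assumption of this example).
# Production code should use the Public Suffix List; this only special-cases
# common "co.uk"-style second-level suffixes.
_SECOND_LEVEL = {"co", "com", "org", "net", "ac", "gov", "edu"}


def registrable_domain(host):
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in _SECOND_LEVEL and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def received_hops(msg):
    """Hostnames from each Received header, topmost (most recent) first.

    Only the top line, stamped by our own mail server, is trustworthy; the
    sender can forge any Received lines below it.
    """
    hops = []
    for header in msg.get_all("Received", []):
        match = re.search(r"\bfrom\s+([\w.-]+)", str(header))
        hops.append(match.group(1) if match else None)
    return hops


def extract_links(msg):
    """href targets from the HTML body: the hover-over check, automated."""
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    return re.findall(r"""href=["']([^"']+)["']""", body.get_content(), flags=re.I)


def triage(raw, expected_domain="google.com"):
    """Compare From domain, delivering host and link targets against the brand
    the email claims to come from, and summarise the red flags."""
    msg = message_from_string(raw, policy=policy.default)
    _, from_addr = parseaddr(str(msg["From"]))
    from_domain = registrable_domain(from_addr.rpartition("@")[2])
    hops = received_hops(msg)
    delivering_host = hops[0] if hops else None
    suspicious_links = [
        url for url in extract_links(msg)
        if registrable_domain(urlparse(url).hostname or "") != expected_domain
    ]
    findings = []
    if from_domain != expected_domain:
        findings.append(f"From address is {from_domain}, not {expected_domain}")
    if delivering_host and registrable_domain(delivering_host) != expected_domain:
        findings.append(f"delivered by {delivering_host}, not a {expected_domain} host")
    for url in suspicious_links:
        findings.append(f"link points off-domain: {url}")
    return {
        "from_domain": from_domain,
        "delivering_host": delivering_host,
        "suspicious_links": suspicious_links,
        "findings": findings,
        "verdict": "likely phishing" if findings else "no obvious red flags",
    }


if __name__ == "__main__":
    for finding in triage(RAW_EMAIL)["findings"]:
        print("-", finding)
```

On the constructed message the script reports two red flags: the delivering host is wisenetworks.co.uk rather than a google.com host, and the call-to-action link goes to google-dn.com (the Help Center link to support.google.com passes, since its registrable domain is google.com). A delivering host outside the claimed domain is a strong hint rather than proof either way, since legitimate senders sometimes use third-party mail services; when your mail server adds an Authentication-Results header, its SPF and DKIM results are the more authoritative check.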
By now, I’m pretty confident that this email is a phishing scam. Still, I want to double-check, so I visit our AdWords account directly (by typing the address myself, not by clicking the link in the email) and verify that everything is performing as it should. From there, Laura and I head over to PhishTank.com and submit the phishing attempt, so other OpenDNS users won’t have to think twice about it!