Estimated difficulty: 💜🤍🤍🤍🤍
I am sure many of you have heard of the term ‘phishing‘. Phishing is a form of social engineering, where the campaign is likely to pose as a trusted service or person, which may trick a user into giving away credentials, money or personal identifiable information. The phishing campaign is likely to pose as a trusted service or person.
This post is going to look at a real phishing email and pick it a part, so we can really channel the mindset of a criminal. It will talk about some of the red flags to look out for in phishing emails and ways in which a scammer may approach you.
Context
Why are we talking about this? Well like many others, I was the target of a phishing campaign. This came about from wanting to sell my desk on Facebook Marketplace. Marketplace is where people can search through your advertisements and message you about your items. Usually a sale is cash in hand and you will arrange a time and date for when to pick up the item.
In my case, I was contacted by someone through Facebook Marketplace messenger, by someone asking if the item was still available. This is the normal way of enquiring, so no red flags at this point.
Every time a new person would message I would look at their profile to see if they look legitimate. One red flag for fake accounts are constantly changing profile pictures, or very generic and basic profiles. The profile of my scammer looked fairly generic, however there was content posted about their son, which made it seem more trustworthy.
Social Engineering
The social engineering of this scam was done via the messaging. The scammer approached the situation asking if he could get a courier to pick up the item, rather than coming themselves. I did not initially think much of this, due to lack of experience selling on the site, however, I did question how the payment would be made. Check out the below messages.
The initial message mentioned that he would organise a GLS courier to pay for and pick up the item. In hindsight, if you give this a Google there are known phishing scams, where people mention they will use this service to pick up the item. At this point, there was no reason for me to question this, so I was, for want of a better word… hooked! The messages continued!
As you can see, there was then additional mention of insurance costs that were covered by him in an envelope, but I might have to then make the initial payment. This was one of the major RED flags for me at this point, however, due to the broken English, it was difficult to understand the intentions, so I pursued with additional questions. At this point they already had my email to ‘arrange the collection’.
Here you can see that the scammer has pointed me to my spam inbox. Let’s be real, this was immediately dodgy and confirmed my suspicions that this was not a legitimate person trying to purchase the desk.
As soon as I realised the email was spam, and phishing email (luckily without clicking any links), I Googled GLS and low and behold they already knew about the scams. In this case I was targeting by a ‘parcel agent’ scam.
Warning about ‘parcel agent’ job offers
Criminals who order goods online using false identities and illegally-obtained credit-card data have recently increased their efforts to recruit so-called ‘parcel agents’. The work is usually offered as a part-time job and involves accepting parcels and forwarding them to other addresses, often abroad. The aim is to hide the final location of the fraudulently obtained goods. Police are warning against accepting job offers as a parcel agent. This supposedly lucrative side job means getting involved with fraudulent activity and money laundering – with legal and financial consequences.
gls-group.com
It is safe to say the account was reported and blocked, leaving him asking about the email.
From this point onwards there were a number of things I looked into about the email, more out of curiosity than anything! Check it out in the following section.
The Phishing Email
So the email went to spam? Straight away you want to look at where the email was from.
In my case, the email was sent by ‘serviceglsexpress2025@gmail.com’. There are a number of things wrong with this:
- The name does not sound professional.
- The domain is @gmail.com – anyone can create new accounts. We would expect an email to look like @gls-group.com, which is the legitimate domain of GLS.
- The email is similar to messages previously reported as spam.
From the get-go we know this is not okay, so let’s dig a bit deeper into the meat and bones of the email.
Initially we can see some obvious issues with the email:
- The fonts are unprofessional, different sizes and different colours.
- The address field is in French, which could indicate a mistake has been made when copying from some template.
- The person ‘buying’ the item has been addressed as Mrs, when they identify as a man in their Facebook profile.
Further into the email, you can see they have attached a link for you to pay for the insurance.
The link does not relate to GLS and we can analyse it further! DISCLAIMER! The link was not clicked at any point. The link was copied and pasted into VirusTotal to identify if any security engines had flagged it as malicious and pasted into urlscan.io, to see where the link redirects you, and the Wayback Machine to view any previous pages.
VirusTotal
There were no results in VirusTotal. Turns out they linked to a site called Rechargeable, used to send people digital credit, that is actually legitimate.
From the search results we can see more information about what the site is, and what it does.
It looks like the scammer is looking for a ‘quick win’ one-off payment to make money fast. They are hoping you fall for the scam and pay out the insurance cost. The attack looks to be generic and not very targeted, unlike other phishing scams otherwise known as spear phishing or whaling, which are used to target specific people to get information.
URL Scan
URL Scan will show us if there are any redirects from navigating to the link and what the contents of the page is once it is loaded, without having to actually click on the link. In this case, there were no re
The page brings up a payment page, totalled at the price the scammer wanted for the ‘insurance’ of the shipping.
Wayback Machine
There were no previous entries of the site in the Wayback Machine, however, this could be a handy tool to use if you do look into legitimate phishing websites.
Takeaway
Based on this, I have compiled a number of things to look out for, in case you are ever in the same situation as me!
- Does their profile look legitimate?
- Do their messages seemed, rushed or pressured?
- Has the email gone to your inbox, or to spam and junk?
- Check the origin of the email. Has it been sent from a trusted domain?
- Does the link correspond to the services legitimate domain?
So now we know what to look out for, what should you do if you click the link? Step 1) Try not to panic. If you keep calm, you can deal with the situation a lot easier. Scammers want you to feel unsettled. Step 2) Access the damage done. What information do they have? Can you change this information? E.g. do they have your password, or credit card numbers. If yes, change your password or freeze your cards. Step 3) Tell someone. There is no need to be embarrassed. This can happen to anyone. Report the incident so others can be aware of potential attacks going around. If this is a work related incident then you will likely have an IT department you can tell. They may need to take further actions depending on the severity of the incident. Finally, step 4) be cautious. Since your email is likely out there, make sure you are expecting the emails being delivered to you and air with a side of caution when clicking on any links.
This was a little bit of a different one from me! I hope you enjoyed hearing about my experience encountering a phish.
I wanted to share my experience, to normalise and teach others how to react if ever encountering any phishing scams. It is all part and parcel of another day being on the wild wild web.
Sarah <3
Extremely useful guide, thank you for posting this!!
I’m so glad you found it helpful!
Very useful information.
Usually I check the origin of the email, and do Email Header Analysing.