publishing date icon
March 21, 2022
read time icon
5 min. read

The dangers of fax phishing

Fax phishing takes the one advantage of antiquated fax machine technology--good security--and spoofs email notifications from e-fax services to turn faxes into yet another opportunity for attackers to harvest credentials from victims.

Author image
Patrik Sulander
Junior Threat Analyst
Post hero image

Table of contents

share this post

You’re joking, right? We can get phished with a fax? Come on. Fax machines? Should we be wary of Speak & Spells, telegraphs, and betamax video while we’re at it?

Believe it or not, faxing is still a vital communication method for many organizations today. Fax machines are used routinely in sectors like law enforcement and healthcare due to strict legal provisions surrounding transfer of sensitive data (and perhaps, a reluctance to change). Fax phishing involves a modern digital component; there’s more than just a piece of paper being printed out on one fax machine from information sent through phone lines by another fax machine.

We have been monitoring phishing campaigns containing personalized e-Faxes. The attacker seeks to trick recipients with an email notification that they have received a fax. The goal is to deceive recipients into opening the attached file and enter their login credentials on a credential harvesting site posing as a legitimate e-Fax service.

These fake sites send the stolen credentials to a server controlled by the attacker. Mostly containing spoofed URL addresses, the emails usually (but not always) impersonate services like eFax or other free fax services that make it easy to receive or send faxes via email.

These fax phishes use many different email templates to achieve the same goal: to steal people’s username and password.  

E-fax  or online fax

Faxes adapt. Invented in 1846 by Alexander Bain and popularized in the 1970s before reaching their high-water mark in 1997, faxes actually do contain some security advantages over email. Faxes are malware-free and it’s harder to hack into a system through a phone line than through the internet. But if you don’t have a fax machine--and most of us don’t--you can’t fax.

So faxes have adapted with the times. In our age of email, online services can convert faxes into an email format so that you can send a fax the same way you’d send an email. These e-faxes can be sent using email accounts from any email provider.

Advantages of e-faxes:

  • It removes the need for fax hardware
  • Works with all email providers
  • Faster communication
  • Cost-effective
  • Paperless
  • Easy to use

e-Fax Emails

The scary part is that fax phishes are mostly sent from compromised accounts. They’re rarely sent from  common Hotmail and Gmail addresses, as the fax phishing attack seeks trusted status in order to bypass email filters and evade “spam” boxes. Attackers are also using seemingly legitimate sources for branding and camouflaging the emails with a false sense of authenticity and security. Here are a couple of examples:

The common element in these real-life fax phishes is a small picture of the “fax” that the recipient supposedly received. Curiosity naturally draws attention to an attachment, and attackers are trying to get people to act on that curiosity (“Click the attachment”, “Open e-fax”, “View PDF”) by not revealing too much information about the fax itself.  

Branding is a big part of these emails' effectiveness. The messages' subtle details like size, format, fax ID, and reference number make them look more legitimate. Rarely do these attacks have just one big button in the email body.

What happens after clicking links or attachment?

The URLs and .html files of a fax phish redirect the user, typically, to a spoofed Microsoft Office 365 login page, which is actually a credential harvesting page.  They also often use breached blog pages (Wordpress etc.) and APIs (are you robot?) to increase the likelihood of the victim acting. Attacks could contain malicious zip files as well, but I have personally seen only .html and link redirects to harvesting pages.

Attackers use the credentials they’ve harvested and the accounts they’ve compromised for new impersonation attacks to continue the campaign, or they will sell the victims' data on the black market. It’s also important to know that attackers could use those login credentials to try to log in to to other platform accounts as well.

That’s why it is important to user different passwords on different services!

Why fax phish campaigns work  

  • Phish attack in schools: Attackers do not target just one victim. They send the same message in a large-scale campaign to thousands of different recipients. A success rate of just 1 percent is high enough to turn a profit.
  • Curiosity phished the cat: The email itself has just enough information about the fax to arouse curiosity towards seeing what it’s all about.
  • Looks legit: Real links added to the email body make it look more legitimate.

How to spot phish from faxes

  • Spelling and grammar errors.
  • Sender address usually directs to a small company you probably have never heard of.
  • Weird web address: Always check the URL on sites that require log in.
  • Email greeting is really generic: “Dear user” should raise suspicions that it’s a mass campaign.
  • If not 100 percent sure, try to explore the fax from their website directly.

Hoxhunt response

We are seeing what experts have predicted: The fighting in Ukraine contains an unprecedented cyber war dimension. Fallout will seep into inboxes around the world. Our Threat Analysis Team examines tens of thousands of reported phishing emails, including ones like these, a week–and have captured tens of millions of threats to date. Working together with our powerful machine learning model, they cluster the threats, rate them, and incorporate the nasty ones into our training simulations in real time to ensure our training stays at the cutting edge of the constantly-evolving threat landscape. Hoxhunt users are thus drilled on spotting and reporting the latest actual threats making the rounds, removing potentially catastrophic threats from your system with every push of the Hoxhunt reporting button. Also learn how to equip your employees with the awareness training that will protect your company from phishing scams.

Pop quiz: What is the most meaningful security training metric? If you said "failure," you just failed. But that's OK! Failure is a misleading metric. We analyzed 1.6 million users' responses to 24.7 million phishing simulations to bring infosec leaders a host of insights into phishing training. The findings are pretty wild, and extremely useful. Click here or on the image above to read more!
Subscribe to Threat Feed

Subscribe to Hoxhunt's Threat Feed to get the latest phishing threats delivered to your inbox, every Friday.

Form CTA

Hoxhunt needs the contact information you provide to us to contact you about our products and services. You may unsubscribe from these communications at anytime. For information on how to unsubscribe, as well as our privacy practices and commitment to protecting your privacy, check out our Privacy Policy.