August 6, 2021

Secure message phish: Login to get scammed

Patrik Sulander
Junior Threat Analyst Trainee

Many industries today use secure messaging services to keep sensitive information safe when communicating with customers via an online portal. It's all done without having to pick up the phone or meet face-to-face. But cyber criminals are also taking advantage of these services. The rise in secure messaging services' popularity has come with a rise in secure messaging phishing email scams. Read on and learn how to stay off the hook!

What is a secure message phish?

Secure messaging services protect sensitive information sent beyond the safety of corporate borders. Secure messages are similar to online banking transactions in that they require identity verification, and all transactions are logged by the secure email platform. These services are particularly popular within industries that consistently handle sensitive data exchanges: financial institutions, insurance companies and health organizations, to name a few.

Secure messages are stored on a network or internet server, which is typically more physically secure than the cloud. The data is encrypted during transport. What could go wrong?

Everything, if the secure message notification is actually a clever spoof.

“Encrypted Message Received” subject lines are a common sight in inboxes. But cyber criminals are now crafting spoof emails claiming to contain documents available via secure message. This attack vector tricks people into entering their email credentials to log in and read an encrypted message. This type of impersonation attack may also involve a message that appears to be from a trusted colleague, a third-party vendor, or another well-known company to increase the false sense of authenticity.


Why the secure message phish is dangerous

Secured messages are commonly used in a remote work environment. Given the great shift to remote work globally, it’s no wonder that attackers are now taking greater advantage of them.

Spoofed messages are designed to look legitimate, even featuring sender addresses that look as if they came from the legitimate institution. This might seem like a simplistic impersonation phishing attack, but criminals are exploiting this vector because it works. Secure message attacks follow the expected behavior patterns of the trusted institutions being mimicked, which can lower potential victims’ guard about checking that the message is the real deal.


Secure message phishes get clicks by exploiting emotions such as fear and curiosity. It indeed arouses curiosity when a red-hot email with personally identifiable or confidential information is sitting in your inbox.

It’s common knowledge that the most effective phishing attacks are the simplest. The aim for attackers is to reel in their victims in the shortest possible time with the least amount of complexity. But introducing more steps increases the sense of authenticity. In the offline world, curiosity is usually seen as a good thing. But unfortunately for email users, curiosity can kill the cat.

How secure message phishing attacks work

The body of the attack email mimics legitimate secure message notifications, prompting the user to click on the link to access the supposed message. Easy and dangerous. Victims are then brought to another page which includes a login form (most commonly a OneDrive login form) that asks you to log in with your “professional email login.” Once you have entered your email login credentials, the attackers harvest that sensitive information and can take advantage of it by hijacking accounts.

In some cases, the messages ask the victim to download an attached document, which contains the malicious payload. The malware could infect the organization’s whole operating system and cause massive destruction.

6 Tips to stay off the hook from secure message phishing scams

  • Make sure the overall appearance checks out (Does the email look professional? Is it actually relevant to you?)
  • If you aren’t expecting an encrypted email, don’t click on links or open documents before verifying with the sender.
  • Check that the sender address comes from a company email address. (Is the company mentioned in the body?)
  • When receiving email that leads to login forms, make sure to examine the URL before entering your login credentials.
  • Login forms should always be treated with suspicion!
  • If there is any doubt about the sender, verify with them through another official channel!

It is always good to be a bit suspicious!
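The sender-address and URL checks from the tips above can also be automated for triage of reported emails. The following is an added example, not Hoxhunt's code: the trusted domain lists, function names and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumptions: the domains your real secure-message provider sends from and links to.
TRUSTED_SENDER_DOMAINS = {"example-bank.com"}
TRUSTED_LINK_HOSTS = {"securemail.example-bank.com", "login.microsoftonline.com"}
LURE = re.compile(r"\b(encrypted|secured?)\s+(message|e-?mail|document)", re.I)
URL = re.compile(r"https?://[^\s\"'<>]+", re.I)

def in_domains(host, domains):
    """True if host equals a trusted domain or is a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def body_text(msg):
    """Concatenate all text/* parts, decoding transfer encodings."""
    out = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            data = part.get_payload(decode=True) or b""
            out.append(data.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(out)

def triage(raw):
    """Return (suspicious, findings) for a raw RFC 5322 message string."""
    msg = message_from_string(raw)
    body = body_text(msg)
    findings = []
    lure = bool(LURE.search(msg.get("Subject", "")) or LURE.search(body))
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if not in_domains(sender_domain, TRUSTED_SENDER_DOMAINS):
        findings.append(f"sender domain not recognised: {sender_domain or '(none)'}")
    for url in URL.findall(body):
        # Compare the parsed hostname, not the link text or the brand it mentions.
        host = urlsplit(url).hostname
        if not in_domains(host, TRUSTED_LINK_HOSTS):
            findings.append(f"link host not recognised: {host}")
    return lure and bool(findings), findings

# Constructed sample messages (not real traffic).
PHISH = ("From: Example Bank <notify@example-bank.com.mail-secure.example>\n"
         "Subject: Encrypted Message Received\n\n"
         "Log in with your professional email login to read it:\n"
         "https://onedrive-docs.example/login\n")
LEGIT = ("From: Example Bank <notify@example-bank.com>\n"
         "Subject: Encrypted Message Received\n\n"
         "Read it at https://securemail.example-bank.com/inbox\n")
```

The suffix match requires a dot boundary, so a sender domain that merely starts with the company name is still reported as unrecognised.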

Hoxhunt response

Our Threat Analysis Team examines tens of thousands of reported phishing emails a week, including ones like these, and has captured tens of millions of threats to date. They cluster the threats, rate them, and incorporate the nasty ones into our training simulations in real time to ensure our training stays at the cutting edge of the constantly evolving threat landscape. Hoxhunt users are thus drilled on spotting and reporting the latest actual threats making the rounds, removing potentially catastrophic threats from your system with every push of the Hoxhunt reporting button. Read more to learn how to equip your employees with the awareness training that will protect your company from phishing scams.
