Email Scammers Get Clever With Outlook Phishing Trick

Why email scams are getting harder to spot: Internet Scambusters #941

With more than two million new email scams appearing every minute, there’s a growing danger of being caught out via a phishing trick if one lands in your inbox.

Case in point — a smart con trick aimed at users of Microsoft’s online Outlook app.

In this week’s issue, we’ll show how this works and give you a stack of tips on how to spot and avoid this and other email scams.

Let’s get started…

Email Scammers Get Clever With Outlook Phishing Trick

Email scams are a dime a dozen. Ever since we started using digital messaging, scammers have been on our tails, using email to try to steal information and trick us into sending money, or even into spreading fake news.

But what has changed over the years is the sophistication of these scams, the way crooks try to trick us into believing that the message they sent is genuine.

For instance, they’ve improved the spelling and grammar. Earlier messages were so poorly worded that the mistakes were a dead giveaway for a fake. So, the scammers have turned to exploiting our own increased wariness and our understanding of what goes on in the background of the emails we receive.

A good case in point is a message sent to users of Microsoft’s Outlook web app (OWA), the Internet version of the email client often used by small businesses and people on the move.

The scam is really a phishing trick that aims to steal the user’s sign-on details, but it uses a ploy that mimics a genuine alert that many of us are used to seeing.

The message looks like an alert from your own email account bearing a Microsoft Exchange logo. Exchange is the server Microsoft uses for online email services.

The message tells the user that Microsoft has hit difficulties delivering emails to their account. But the good news, says the message, is that you can fix the error yourself.

Did you see that? Three ways of making the email convincing: first, it looks like it came from Microsoft and is part of the Outlook service; second, it uses a well-known tactic of notifying the user of a delivery problem, of the automated sort we’ve all seen before; and third, it says you can fix it yourself, another familiar action we’re used to seeing in alerts.

Furthermore, if the user clicks the ‘fix’ link, they’re taken to what looks like a Microsoft OWA page with their name already inserted in the username box. All they have to do is enter the password.

A Twist of Authenticity

To add an extra twist of authenticity, when the password is entered, the page returns an error message saying it’s incorrect and asking for it to be re-entered. Then, after the password is re-typed, the user is taken to a genuine Microsoft page about Outlook.

This is sufficient to allay any suspicions the user might have, which might otherwise tempt them to change their password before the scammer has time to use it. In the case of businesses, this could enable the crook to find their way onto company servers.

But the scam works equally well for individual users. Once a crook has your sign-on details, they can wreak all sorts of havoc — especially if you unwisely use the same password on multiple accounts.

Security firm Sophos, who identified the tactic recently, suggests some of the actions you can take to avoid this and other email scams:

  • Verify links by hovering your cursor over them to see a pop-up showing where they’re really headed.
  • If/when you get there, check the address shown in your browser. Is it a genuine Microsoft page or any other page you expected to visit?
  • Even then, you should be extremely cautious about logging in on *any* page you arrived at via a link.
  • Never change your security settings because of instructions in an email.
  • Change your password immediately if you suspect you may have been phished.

For the full report from Sophos, see Outlook “mail issues” phishing – don’t fall for this scam!
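The first two Sophos tips (check where a link really points, then check the address you land on) can be automated for an HTML email body. The following is an added illustration, not code from the article or from Sophos: it extracts every link, flags targets outside an assumed allow-list of Microsoft sign-in domains, and flags links whose visible text names a different host than the real target. The sample email and the `example.net` hosts are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list of registrable domains for genuine Microsoft/Outlook pages.
TRUSTED_DOMAINS = ("microsoft.com", "office.com", "live.com",
                   "outlook.com", "microsoftonline.com")

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def is_trusted_host(host):
    """True only if host is a trusted domain or a subdomain of one (suffix tricks fail)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def host_of(text_or_url):
    """Hostname of a URL; a bare domain in link text gets a scheme so it parses."""
    if "://" not in text_or_url:
        text_or_url = "http://" + text_or_url
    return urlparse(text_or_url).hostname or ""

def audit_links(html_body):
    """Return (href, reason) pairs for links a user should not trust."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        target = host_of(href)
        if not is_trusted_host(target):
            findings.append((href, f"target host {target!r} is not a trusted Microsoft domain"))
        shown = host_of(text) if "." in text and " " not in text else ""  # text that looks like a URL
        if shown and shown != target:
            findings.append((href, f"link text shows {shown!r} but points to {target!r}"))
    return findings

# Constructed sample, modelled on the 'delivery problem, fix it yourself' alert described above.
SAMPLE_EMAIL = """<p>Microsoft Exchange could not deliver 3 messages to your mailbox.</p>
<p>You can <a href="https://owa-fix.example.net/login">fix this error yourself</a>.</p>
<p>Sign in at <a href="https://outlook.office.com.example.net/">outlook.office.com</a></p>
<p>Help: <a href="https://support.microsoft.com/">support.microsoft.com</a></p>"""

if __name__ == "__main__":
    for href, reason in audit_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS {href}: {reason}")
```

The allow-list is deliberately suffix-anchored, so a host such as `outlook.office.com.example.net` is not trusted even though it starts with a genuine Microsoft name.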

7 More Ways to Spot Email Phishing Scams

According to the FBI, Americans lose more than $50 million every year through phishing scams. Usually, emails pretend to be from an organization you know and often they are indistinguishable from the real thing.

Then, they set a trap by spinning a convincing story or explanation for writing. For example, they may say:

  1. Suspicious activity has been spotted on your account.
  2. An unrecognized person has tried to log on to your account.
  3. There’s a problem with your account or payment details.
  4. You can get coupons or free stuff by clicking a link.
  5. You must pay your account immediately, often via a supposed invoice attachment.
  6. You have to register for a benefit, such as a government refund.
  7. Your account has been locked and you need to confirm personal info.

The US Federal Trade Commission (FTC) says the best ways to avoid getting snared in one of these scams are to use and update security software, set other software to update automatically, employ multi-factor or two-factor authentication — that is, using a second code or password to confirm it’s really you — and back up your data.

When you receive an email that asks you to take action, it’s good practice to ask yourself whether you know the organization or individual who supposedly sent the message.

If the answer is No, then it could be a scam. Don’t reply with any confidential information. If the answer is Yes, you do know them, contact the company using a phone number or address you know is genuine and check with them.

More than 300 billion emails are sent globally every day — yes, every day — and the number continues to grow. Experts say one in every hundred is a phony.

That may not sound a lot, but it nets out at more than 3 billion potential email scams every 24 hours, or more than two million every minute. Be warned!

Alert of the Week

In these troubled times, more people than ever are hunting for jobs and finding themselves trapped in employment scams.

In a recent case, a would-be account manager was offered $85,000 a year for little more than an hour’s work per day.

Jobs that offer crazily mouthwatering money are usually scams. So are those that ask you to pay money upfront and unsolicited offers that are made without an interview or checking your credentials. Same goes for organizations that don’t provide verifiable contact details.

Spend an hour checking them out first and save yourself the heartache later.

That’s it for today — we hope you enjoy your week!