What's the best social engineering or phishing e-mail you've seen?

Archaea ([H]F Junkie, joined Oct 19, 2004, 11,829 messages)
Discuss!

What's the best social engineering e-mail you've seen?

Free stuff always seems to work. Corporate crushes? Bank card declined, etc.
 
The other day I got one as a PayPal receipt. It looked pretty good; I bet my parents would fall for it.
 
Not phishing, but we recently got a bunch of virii e-mails in the default format of Xerox scan-to-email MFPs, even with the right "from" e-mail address format, which is weird since I thought we were too small to target. Since we use only Xerox machines it caused...problems.

The bright folks realized that real scans aren't exe files inside a password protected ZIP...but that's only about 5% of our users.
 
Those fake UPS shipment notification ones. I still don't know how they manage to know I actually bought something online. The emails look very real too; I always have to hover over the URL or check the headers to double-check that it's not the actual notification. I just copy and paste the tracking numbers and go directly to the courier sites now.
 
Bump for more feedback. One of my quarterly projects is to create social engineering e-mails to test our employees. So I'm looking for new and juicy ideas.
 
Depends on what you mean by best. If you're looking for the best example of what users may fall for, you don't have to go farther than the generic "Your Mailbox is Full" messages. I've seen a large number of users fall for one of those even though the "From:" address was a completely unrelated domain, the message was chock-full of spelling mistakes, and the URL went to an external site.

If you're looking for something that will fool even the most paranoid users, spear-phishing is the way to go.

If you're starting up a phishing awareness campaign, always start with the easy ones to spot then move into the more difficult ones.
 
Title: An important message from the CEO
Body: We will be restructuring the company, please view this link for full details: [link]
 
We saw emails where I work that were "You have a voicemail" from Google Voice, and the body was surprisingly deceptive.
 
Heck, you don't even need a link. Proper code within the email itself will infect the entire network once the email is opened, or if it's clicked on and the preview pane is open. It's frighteningly easy to get infected even if you do know what you're doing because of how insecure most email clients and web browsers are. I'm sure you've all simply opened an email, and only after it was opened realized it was a scam. In some cases, it's too late then.
 
I'm a net admin for a credit union; we've received very specific targeted phishing attempts with spoofed sender addresses from American Express, right down to using actual local employee names and very similar fake domain names. We process all suspicious email manually, and there have been a few where I was convinced they were legitimate until taking a deeper look into the whois records and message headers. Pretty nasty stuff.
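The manual checks several posters above describe (hovering over the link, comparing the "From:" domain to where the URL actually leads, reading the headers) written out as an added Python example; this is not code from any post in this thread, and the message it inspects is a constructed "mailbox full" lure with placeholder example domains:

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: From: claims the corporate domain, but Reply-To,
# Return-Path and the link all point somewhere else.
SAMPLE_EML = b"""\
Return-Path: <bounce@mail-relay.example.net>
From: IT Helpdesk <helpdesk@corp.example.com>
Reply-To: support@corp-example-login.example.org
To: user@corp.example.com
Subject: Your Mailbox is Full
Content-Type: text/html; charset=utf-8

<html><body><p>Your mailbox has exceeded its quota. Click
<a href="http://corp.example.com.login-portal.example.org/reset">here</a>
to increase your storage.</p></body></html>
"""

class LinkCollector(HTMLParser):
    """Collect href targets of <a> tags: what hovering over the link reveals."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def registrable_domain(host):
    """Crude parent domain (last two labels); a real check would use the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def header_domain(msg, header):
    """Domain part of the address in a header, or None if absent."""
    _, addr = parseaddr(str(msg.get(header) or ""))
    return addr.rpartition("@")[2].lower() or None

def analyze(raw):
    """Return one finding per header or link whose domain disagrees with From:."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_dom = header_domain(msg, "From")
    if not from_dom:
        return ["no parseable From: address"]
    findings = []
    for hdr in ("Reply-To", "Return-Path"):
        dom = header_domain(msg, hdr)
        if dom and registrable_domain(dom) != registrable_domain(from_dom):
            findings.append(f"{hdr} domain {dom} differs from From: domain {from_dom}")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        links = LinkCollector()
        links.feed(body.get_content())
        for href in links.hrefs:
            host = urlparse(href).hostname or ""
            if registrable_domain(host) != registrable_domain(from_dom):
                findings.append(f"link {href} leads to {host}, not {from_dom}")
    return findings
```

Running `analyze(SAMPLE_EML)` reports three mismatches for the sample; a genuine notification from the claimed sender would normally report none.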
 
Gmail has been surprisingly good about catching phishing attempts. I usually look in my spam folder once a week and if I see ones phishing for bank info I'll go over it and see where the links lead. As for our corporate email system, I've yet to see one actually get through. We have an incredibly stringent filter.
 
I've seen a LOT of the AmEx ones that aaronearles mentioned lately. Very tricky!!
 