How to deal with a client receiving & clicking on a scam email

Working at an external IT Support company, we very often receive forwarded suspicious emails from our clients (this is one reason to whitelist your clients, so their emails don’t get blocked by your spam filter).

However, even people with very good common sense can still fall prey.

In the following example, you can see that my client came very close to a security breach because she was not careful enough about clicking on a link.

The offending email forwarded to us from the client.

From: censored client name here @ email
Sent: 04 June 2019 07:46
To: James Aykin <[email protected]>
Subject: FW: Client Name here

Hello,

Is the below email genuine?

CLIENT NAME

Company name here

Email: Client Email was herelol

From: mark < [email protected]@hotmail.com >
Sent: 03 June 2019 20:09
To: censored client name here @ email
Subject: Client Name here

 … 

[Message clipped] View entire message

At the time, I gave a generic response and a shallow analysis based on first impressions. It was not a high-priority task because this client was usually careful.

From: James Aykin <[email protected]>
Sent: 04 June 2019 08:14
To: censored client name here @ email
Subject: RE: Client Name here

Hi Client,

No.

I can tell through several reasons, firstly the title – why would any legitimate email title be simply your name with no indication of the content;

Secondly is that a blank email wouldn’t be clipped, if it was even possible to be clipped by some incredibly outdated email client;

Thirdly is that the link goes to scam website goes here which I can’t exactly say is some reputable site;

Finally is that his name is just “mark” which seems really suspicious to me, as well as being some Hotmail account.

Seems to me like something the spam filtering should’ve picked up!

Hope this helps

Best regards

James

This short reply escalated the problem – a clicked link was significantly more dangerous.

From: censored client name here @ email
Sent: 04 June 2019 08:17
To: James Aykin <[email protected]>
Subject: RE: Client Name here

I have emailed that email address before. I did click on the link but closed it when it asked me to sign in. Is that a problem?

At this point I needed some more information, and our client was worried.

From: James Aykin <[email protected]>
Sent: 04 June 2019 08:21
To: censored client name here @ email
Subject: RE: Client Name here

Okay, that changes things.

Have you ever had to create an account on this site?

Please don’t click on it yet, let me do some more investigation first.

Best regards

James

Fortunately, our client responded very quickly.

From: censored client name here @ email
Sent: 04 June 2019 08:23
To: James Aykin <[email protected]>
Subject: RE: Client Name here

No I don’t think so, it came up with my email address but I didn’t do anymore

During this time, I was checking this page on a fresh Virtual Machine to see if it was safe. The client was panicking, but constant communication helps lessen that anxiety.

From: James Aykin <[email protected]>
Sent: 04 June 2019 08:26
To: censored client name here @ email
Subject: RE: Client Name here

Ok, I understand. If you had put your email password in there I think that would’ve been a security breach, so I’m glad you clicked off it when it asked you to sign in. It’s a very common hacking technique to try and get someone to login with legitimate credentials onto a fake site.

What have you emailed this person about before? It all seems extremely suspicious to me.

Best regards

James

However, at this point I didn’t need to wait for the response as the evidence was clear.

From: James Aykin <[email protected]>
Sent: 04 June 2019 08:37
To: censored client name here @ email
Subject: RE: Client Name here

Hi Client

Just confirmed it was a scam.

I went to the link on a virtual machine with a default Windows installation so there was no risk, and I saw the login screen. Tried with no password and it let me in – very clear indicator that it was just phishing for your email password.

It immediately took me to some extremely suspicious cloned BBC news site riddled with ads and junkware and automatic installs. It’s 100% a scam.

I’ve blacklisted this sender and trained the spam filter to try and pick up on these emails in the future.

Thanks for letting me know.

Best regards

James
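The four indicators listed in the first reply of the thread above (name-only subject, no real body text, a link to an unfamiliar site, a one-word sender name on a free-mail account) can be turned into a quick triage check. This is an added example, not part of the original post; the sample message, the free-mail list and the known-domain list are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumptions for this sketch: a short free-mail list and the domains the
# client normally receives links from. Tune both per client.
FREEMAIL = {"hotmail.com", "outlook.com", "gmail.com", "yahoo.com"}
KNOWN_LINK_DOMAINS = {"client-company.example"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample shaped like the forwarded message (all values invented).
SAMPLE = """\
From: mark <sender@hotmail.com>
To: Jane Client <jane@client-company.example>
Subject: Jane Client
Content-Type: text/plain

http://unknown-site.example/login
"""

def triage(raw):
    """Return the indicators from the reply that this raw message trips."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    rcpt_name, _ = parseaddr(msg.get("To", ""))
    subject = (msg.get("Subject") or "").strip()
    body = "" if msg.is_multipart() else msg.get_payload()
    urls = URL_RE.findall(body)
    text = URL_RE.sub("", body).strip()  # what is left once links are removed
    hits = []
    if rcpt_name and subject.lower() == rcpt_name.lower():
        hits.append("subject is only the recipient's name")
    if urls and not text:
        hits.append("body has no text besides the link")
    hosts = [urlparse(u).hostname or "" for u in urls]
    unfamiliar = [h for h in hosts if h.lower() not in KNOWN_LINK_DOMAINS]
    if unfamiliar:
        hits.append("link to unfamiliar host: " + unfamiliar[0])
    domain = addr.rpartition("@")[2].lower()
    if domain in FREEMAIL and len(display.split()) < 2:
        hits.append("one-word display name on a free-mail account")
    return hits

if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print("-", hit)
```

None of these indicators is conclusive on its own; the value is in seeing several of them trip on the same message before anyone opens the link.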

Thoughts

Overall, the most important thing in resolving these sorts of cases is keeping the client relatively calm while also making it clear that there was an inherent security risk at play.

Put yourself in the client’s shoes just for a second here – someone they had spoken to before sent them an email that they had no reason to suspect, and they clicked on a link. Then, after considering putting in their details, they decided it wasn’t worth it and asked their IT Support for assistance.

Wouldn’t you be a little scared? Clicking on a link can be dangerous, and then your IT Support tells you that it’s a scam website. What’s the first thing you think? Infected computer.

Using technical terms with a client who won’t understand them is often fine, as it reassures them that you know what you’re doing. Explaining every step along the way also allows them to make better judgements in the future about which links to click and which to leave alone.

Fortunately, the scam website was mostly harmless, filled with cryptocurrency mining scripts and password phishing attempts. But it was a very close call, as a link can just as easily point to a direct download.

Dealing with panicking clients is a difficult balancing act because you need to prevent them from freaking out but allow them to understand that they made a mistake and should try to avoid a situation like this in the future.

Nowadays people need to know to NEVER click on a link unless they’re 100% certain it’s safe.
