A Tale of Two Emails: One is Legit; the Other, Not So Much
Every now and then something serendipitous comes your way. And I’m not talking about the 2001 movie Serendipity, about two 20-somethings, which one critic described as “(a) romantic confection with all the weight of a soap bubble.” I received 2 Emails within seconds of each other – both professing to want a job with TRINUS – and both with an attached Résumé.
There’s absolutely nothing unusual about receiving job applications by Email; we usually get several every week. Normally, when two arrive almost on top of each other, I suspect SPAM and that the Résumés are loaded with malware. I gave both Emails a little more attention than usual; let me explain why:
We have just finished presenting on Cyber Security to the GFOA (Government Finance Officers Association – Alberta Chapter) annual convention. We’ve been attending this convention of more than 300 municipal government delegates for a dozen or more years. For the last three, we’ve been presenting one-hour info sessions on an Information Technology subject of interest to them. During our last presentation, we dissected a Phishing Email and tried to show how to recognize the signs of a bogus Email:
Our example started with a suspicious Email address from someone at tpg.com.au. TPG is an Australian Telecom company – and while the domain checks out (www.tpg.com.au), I don’t know anyone who works there and I would have no reason to expect someone there to contact me. In fact, I only know one person who lives in Australia.
The second problem is the Subject: it’s about a Shipment Notification and they quote an order number. I was expecting some shipments, but not from Australia.
The next problem was in the body of the Email. They referenced an order number that was different than the one in the Subject line, also noting that the order was shipped from their Airdrie, Alberta facility. It was supposed to be shipped by Caron Transport. Of course, Caron Transport is a legit company, but they don’t have facilities in Airdrie, and neither does TPG.
By now it’s obvious this is bogus, but the final give-away is the linked attachments – one for the order; one for Caron Transport. Each points to a different Google Docs download.
So, in less than 10 seconds of scanning and research, the Email is a candidate for the Delete button. But I wanted to use it as an example, so I converted it to a PDF document and we highlighted it as a Case Study in How to Detect a Social Engineering Scam.
Back to the case of my Two Job Application Emails:
The first came from a person using a shaw.ca Email address. It wasn’t addressed to me specifically in the salutation – just “Hello.” The Subject line was “XXXX Resume” (where XXXX was the name of the person applying). The attached resume was a PDF document. Here is the Email’s body (with the appropriate generic placeholders to protect identities):
My name is XXXX YYYYYY and I am looking for an administrative position that is close to home. Please accept my resume as an application for any administrative position that you may have now or in the near future.
Thank you for reviewing my resume and I hope to hear from you soon.
The second was from a yahoo.com Email account. It also wasn’t addressed to me – just “Hi.” Their Subject line was “Good Morning.” The Résumé was in a Word DOC format. Here is the body of the 2nd Email:
I recently seen your company site and i’m interested in a career.
I have included a copy of my CV.
Pass code is 123
At first glance – they’re almost identical, but one’s bogus and the other is legit. Which one’s the GOLD and which is the DROSS?
Digging a bit further into the content reveals some important differences:
The first identifies themselves with additional contact details (full name, phone and Email address in the signature), which makes verification easier; they’re not hiding anything.
The grammar, spelling and punctuation in the first are correct, but not in the second. This is always a dead give-away – as Phishing scams and bogus Emails from senders not residing in North America usually contain errors: the idioms, punctuation, contractions, and capitalization of “proper” English are hard to get right if you don’t speak and write English daily.
The document formats are different. In North America, PDF is considered the universal method of exchanging documents with 3rd parties. Word-formatted documents are less common. In addition, the second Email contains a “pass code”, so the sender is implying that the document is encrypted and you must enter the pass code to open it. This is a “no-no”, as this document contains “macros”, which are used to embed malware. For the record, it’s possible to embed malware in PDF and Word formats – neither is entirely safe.
So, my nod goes to the first Email as being legit – and it was. Unfortunately, we don’t need any administration help, so I never contacted this person.
Well, without the Emails in front of you, you were a bit handicapped in detecting the difference. But my point is this: I knew instinctively within a second or two – even before my brief analysis – which one I would trust. How? I certainly do not possess extraordinary powers of deduction. The answer is practice. Like most of you, I stare at a lot of Emails every day, but because of the industry I’m in, I tend to look beyond the content and scan the metadata as well. The metadata is the data about the data that was used to get the Email to me: the true Email address, who it’s addressed to, the salutation, how it’s signed, and so on.
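The content checks walked through above (an order number in the Subject that differs from the one in the body, a pass code sent alongside a Word attachment, no contact details in the sign-off) can be written down as a small triage script. This is an added example, not part of the original article; the flag names, the regular expressions, the example.com addresses, the phone number and the three sample messages are constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

PASSCODE = re.compile(r"\bpass\s?(?:code|word)\b", re.I)
CONTACT = re.compile(r"\d{3}[-.\s]\d{3}[-.\s]\d{4}|[\w.+-]+@[\w-]+\.\w+")
ORDER = re.compile(r"order\s*(?:number|no\.?|#)?\s*:?\s*(\d{4,})", re.I)
WORD_EXT = (".doc", ".docm", ".docx")

def triage(raw: bytes) -> list[str]:
    """Return the review flags raised by one raw email message."""
    msg = message_from_bytes(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part else ""
    names = [(a.get_filename() or "").lower() for a in msg.iter_attachments()]
    flags = []
    # Order numbers quoted in the Subject and in the body should agree.
    subj, text = set(ORDER.findall(msg["Subject"] or "")), set(ORDER.findall(body))
    if subj and text and subj.isdisjoint(text):
        flags.append("order-number-mismatch")
    # A pass code in the body means the attachment is presented as locked.
    if names and PASSCODE.search(body):
        flags.append("passcode-in-body")
    if any(n.endswith(WORD_EXT) for n in names):
        flags.append("word-attachment")
    # No phone number or address in the text makes the sender hard to verify.
    if not CONTACT.search(body):
        flags.append("no-contact-details")
    return flags

def build(subject, body, attachment=None):
    """Constructed sample message (not a real email), serialized to bytes."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "sender@example.com", "hr@example.com", subject
    m.set_content(body)
    if attachment:
        name, subtype = attachment
        m.add_attachment(b"placeholder", maintype="application",
                         subtype=subtype, filename=name)
    return bytes(m)

FIRST = build("XXXX Resume", "Hello\nPlease accept my resume as an application.\n"
              "XXXX YYYYYY\n555-010-0199\n", ("resume.pdf", "pdf"))
SECOND = build("Good Morning", "Hi\nI have included a copy of my CV.\n"
               "Pass code is 123\n", ("cv.doc", "msword"))
SHIPMENT = build("Shipment Notification - Order 48213",
                 "Order number 77102 shipped from our facility.\n")

if __name__ == "__main__":
    for label, raw in [("first", FIRST), ("second", SECOND), ("shipment", SHIPMENT)]:
        print(label, triage(raw))
```

A flag here marks a message for a closer look by a person; none of these checks inspects the attachment itself.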
The CEO of Microsoft was recently quoted as saying: “Every company has at least one person who will click on anything – it’s hard to protect against that.” Certainly, Technology Countermeasures play an important role in overall protection against dangerous malware, but Education and awareness are the first and best line of defense. With the hundreds of Emails that pass through your inbox every week, it’s worthwhile paying attention to the details and training yourself to look for tiny mistakes and anomalies. Don’t be That Person in your organization who clicks on anything.
If you would like more information on how to protect yourself from Email viruses and malware, please contact me or your TRINUS Account Manager for some stress-free malware protection.