Latest Phishing Attempt, latest reply to a client who asked me "is this legitimate" before doing anything . . .

[britechguy]

This one has practically every red flag that it could have, but I am thrilled that my client texted me with a screenshot asking my opinion before even considering taking action . . .


Red Flags including:
misspelling "sever" for "server"
non-microsoft domain originating email address
no Microsoft logo
"annual password subscriptions" (WTF, that's one I've never seen before and is just so blatantly stupid!)
The directive to get you to click on the "Retain my access" button is not even close to standard English.

My Reply:
. . . it absolutely is NOT legitimate. Microsoft never, ever, ever sends out anything that does not have "@microsoft.com" in the sender's email address. I'd delete it and get on with life. This having been said, even if it looked 100% legitimate, you never log in using a link or button contained in an email message. If the message is legitimate, then logging in to your Microsoft account directly from the Microsoft website will show the same message in your private messages box. If you log in and don't find that same message there, you absolutely know it's a fake. This is why one never, ever, activates links/buttons in any email message where an account login appears to be involved. You always open your web browser and go to that account's site BY HAND and then log in to the account. That always protects you from scams.

 

[Markverhyden]

I've stopped trying to point out all the obvious flags beyond the sending email domain to my customers residential or business. No matter how I frame it they don't seem able do anything without my input. Which in a way is really good I guess. I'll bill them an hour after 10 or so queries. No complaints about that yet.

 

[britechguy]

I've stopped trying to point out all the obvious flags beyond the sending email domain to my customers residential or business.

Same here, for the most part. The only other thing I might mention is the complete absence of logos/branding if a message purports to be from Microsoft, AT&T, or any big business that always has that on paper correspondence. I didn't mention that in this case.

It's funny, but as these things keep getting more and more authentic looking, the fact that something lacks the typical "signs of authenticity" is a visual red flag.

 

[frase]

I got a similar one regards my MS Sub had not been paid, I contacted MS to confirm and yes was a phishing attempt.

 

[GTP]

In a multicultural society, where a significant portion of the population consists of non-native English speakers, the presence of imperfect wording and sentence structure can often be overlooked or even go unnoticed.

This is because such expressions may reflect the natural way people from diverse linguistic and cultural backgrounds communicate. Rather than diminishing the message, these nuances can make the communication feel more genuine and accessible, fostering a sense of connection and authenticity among individuals who may not adhere to the conventional norms of native English speakers.

 

[britechguy]

This is because such expressions may reflect the natural way people from diverse linguistic and cultural backgrounds communicate. Rather than diminishing the message, these nuances can make the communication feel more genuine and accessible,

When coming from a multinational corporation, it's a red flag, period. One can only be grossly naive to believe that business communications will ever be grammatically incorrect and ridden with spelling errors.

Consider the source, one of the foundations of critical thinking, applies.

It's got zero, nada, zilch to do with "linguistic and cultural diversity."

 

[GTP]

When coming from a multinational corporation, it's a red flag, period. One can only be grossly naive to believe that business communications will ever be grammatically incorrect and ridden with spelling errors.

Consider the source, one of the foundations of critical thinking, applies.

It's got zero, nada, zilch to do with "linguistic and cultural diversity."

I agree with your point about the professionalism expected from multinational corporations, but I think the issue with scam emails is that they often prey on linguistic and cultural differences.

People from non-English-speaking backgrounds, or those unfamiliar with the nuances of business communication, might not immediately recognize the errors as a red flag.

It's a good reminder of how scams can exploit these differences to appear more legitimate. Critical thinking is key, but so is being aware of how scammers can use language to deceive.

 

[britechguy]

@GTP,

I can agree with your point about the use of language to deceive and prey on linguistic and cultural differences. But that's a completely separate issue, really, from the need, by anyone, to develop the very basic (and they are) skills necessary to instantly ID the hallmarks of a likely scam.

These skills are really not different regardless of your linguistic or cultural background. Scammers/phishers get people (and always will) because many just do not think before they act. The main mechanism used to spur action is the classic FUD.

It's possible to learn about these hallmarks and that mechanism, easily, regardless of your background.

I am not defending scammers/phishers in any way, shape, or form. But just as we all learned to look both ways before crossing a street and not to place our hands on what might (or might not) be a hot stove, the same basic principles of caution apply, and have to be taught.

But, to a person I've dealt with who's gotten caught up in these sorts of things, to a one they pretty much always say, in some form, "Something seemed really 'off' to me." That, and that alone, should be enough to make you stop, always. If it's legit, instantaneous reaction is virtually never necessary, even if reasonably prompt action is. Trust your gut when it says something's just not *quite* right.

 

[HCHTech]

I also always thank them for asking BEFORE they clicked. Even though it's kind of obnoxious responding to these messages, I'd rather have them do that than get taken.

 

[GTP]

@britechguy

I agree with you that developing the ability to spot scams is crucial and that trusting our instincts plays a big role in avoiding them.
However, I still believe that for some individuals, especially those from non-English-speaking backgrounds, the elderly and children, that language and cultural differences can make identifying these red flags more difficult.

While we should all be vigilant, it’s also important to consider these extra challenges. Ultimately, it’s about a combination of awareness, critical thinking, and education to help everyone recognize and avoid scams.

 

[britechguy]

I also always thank them for asking BEFORE they clicked.

Yep. My text reply to this client included, "Thank you very much for having trusted me and consulted me before acting on this," as well as, "I'd rather not have the hours of work trying to undo damage."

It takes me 2 seconds of time to look at what's sent and maybe 30 seconds to compose a "yay/nay" with necessary warnings and praise. I'd far rather do that than have 50 hours of paid time trying to deal with smoldering wreckage.