Overview
Clients should look out for phishing emails that appear to originate from RoundCube Webmail. The emails claim that your email services or delivery of emails have been suspended or blocked, and require you to sign in or click a link in order to fix the suspension or block.
Phishing emails are designed to steal login usernames and passwords for your account and should be deleted.
What To Look Out For
Example 1 – “You have some pending messages”
This example states that you have some undelivered emails due to an ‘authentication error’, and requires you to click on a link to ‘release’ the messages:
- The email is from an unrelated sender, generally trying to impersonate a “post master” or similar kind of email address, to give a feeling of authenticity. Be aware that the email will sometimes appear to have come from one of your own email addresses; in reality this is not the case, as the sender has “spoofed” the sending email address.
- The title and body of the email generally state that your emails have not been delivered for one reason or another. Keep an eye out for bad spelling or grammar, as these are dead giveaways that the email is not legitimate.
- A link will usually be provided under the guise of “click here to release messages”, etc.
By hovering the mouse over the link, we can see that it actually points somewhere totally different.
In this case, the link points to a Firebase Cloud Storage location, where you would be directed to a .html file that would impersonate or pretend to be a login page.
Example 2 – “Your Account Has Been Compromised”
In this example, the email differs from the last in a few ways. It pretends to be the ‘good guy’ by advising you that your email account has already been compromised and has had its email send & receive functionality disabled.
- In this example, the email actually appears to have come from your own domain (which we have blurred out for privacy); however, as mentioned previously, this is simply the sender “spoofing” or pretending to have sent from your email domain.
- This email also makes use of ‘personalizing’ the email to you by using your name in the email. This is generally done by taking the first name from the email address itself, e.g. “john.doe@email”, where they would take the “John” and use that. Again, this is just a tactic to make you believe the email might be legitimate.
- Once again, you are shown a button to “Protect and Secure” your account. Again in this case, the link appears to be directing to a different domain/website altogether.
As you can see from the above image of the link, the linked website is totally unrelated to your own website/domain.
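The two checks walked through in the examples above (a sender that claims to be on your own domain, and a link that points somewhere else) can also be run automatically over a raw message. The Python below is an added example, not part of the original advisory or of RoundCube; it assumes your receiving mail server records an Authentication-Results header, and the sample message, the example.com / example.net names and the function name review_message are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts to flag as file storage; the article names only Firebase Cloud Storage.
FILE_HOSTS = {"firebasestorage.googleapis.com"}

# Constructed sample message (example.com / example.net are placeholders).
SAMPLE = """\
From: Postmaster <postmaster@example.com>
Subject: You have some pending messages
Authentication-Results: mx.example.com; spf=fail; dmarc=fail
Content-Type: text/html

<p>Hi John, your messages are pending due to an authentication error.</p>
<a href="https://firebasestorage.googleapis.com/v0/b/placeholder/o/login.html">Release messages</a>
<a href="https://portal.example.net/secure">Protect and Secure</a>
"""

class LinkCollector(HTMLParser):
    """Collects the href of every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.append(dict(attrs).get("href") or "")

def review_message(raw, own_domain):
    """Return findings for one raw message delivered to a mailbox on own_domain."""
    msg = message_from_string(raw)
    findings = []
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    auth = msg.get("Authentication-Results", "").lower()
    # "From" shows our own domain but the receiving server recorded an auth failure.
    if sender_domain == own_domain and any(m + "=fail" in auth for m in ("spf", "dkim", "dmarc")):
        findings.append("spoofed-own-domain")
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    for href in collector.hrefs:
        host = (urlparse(href).hostname or "").lower()
        if host in FILE_HOSTS:
            findings.append("file-host-link:" + host)
        elif host and host != own_domain and not host.endswith("." + own_domain):
            findings.append("off-domain-link:" + host)
    return findings

if __name__ == "__main__":
    print(review_message(SAMPLE, "example.com"))
```

The check reads the real link target (the same value you see when hovering), not the button text, so a friendly label such as “Protect and Secure” does not hide an off-domain destination.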