Anatomy Lesson of a UPS Phishing Email

There is bound to be a number of phishing emails you will get that will be easy to spot. Fortunately there is still a fair amount of large phishing campaigns that take more of the spray and pray approach than one of researching and targeting a specific organization or person. The ones that can really get you are the simple ones, with just a little text, a photo of a trusted brand and a link and a somewhat realistic looking landing page. In this post I will show you what the red flags (aka warning signs) are for this super tricky phishing email.

In this phishing email anatomy lesson the assumption I am making is that you receive this suspicious looking ups email to your work email account. While you certainly may get emails like this to your personal email address, the focus of this explanation will be on the workplace scenario.

note/disclaimer: Jack Carter [email protected] is a fictitious email address only used for demonstration purposes. Jack Carter is a character on the sy-fy show Eureka. Great show. So good. I don’t actually own the eureka.com domain or anything like that. Just for demonstration.

Red flags:

1. Expecting this email? Did you order something that’s being shipped by UPS? If not, Red Flag.
2. Does the sender match the context of the email? Does this look like it might have come from UPS? Nope it doesn’t, Red Flag.
3. Does the link make sense when you over your mouse over Track parcel? (see screenshot with an orange and yellow boxes below) Definitely not. The URL has nothing to do with UPS or shipping. Red Flag.
   • There’s also this weird .gb.net thing at the end. Then at the very end of the URL there’s this weird [email protected]. Both those things are a Red Flag.

Here is the email header that shows the From and To address. Pay special attention to the from: field.

Here is the email itself. Make note of the red flags mentioned above when looking at the email.

If you were to hover your mouse over the Track parcel link inside this email, you would see whats shown in this image.

And if you were not able to spot that this is a phishing email before clicking on the link, this is the website you would land on.

Now, this in of itself doesn’t look that odd but consider it in context of the email. An email “from ups” is asking you to login with your Outlook, AOL or other email address? Red Flag. This won’t always be the case and this one is honestly quite easy to spot. They won’t all be this way. These landing pages can be VERY convincing.

A good rule of thumb is: if you’re not sure, ASK! Contact your IT or Security department and ask them to help you determine the legitimacy of the email.

This might be a cheesy saying but just like when crossing the road, stop, look and “listen” for the phishing clues.

Remember, the faster you report a phishing email to your IT or Security department, the faster they can respond and block the website or take action to mitigate potential issues.

Stay safe, stay vigilant!