Newmind spotted a phish. Here’s how we didn’t get caught

Last week, Newmind almost got phished. Like everyone else, the occasional phishing email makes it through to one of our staff inboxes– why was this one special? Mostly because it was just such a good fake.

Here’s how we caught it:

A Good Fake

Last week, Ryan received a suspicious email, which appeared to be a legitimate invoice from Quickbooks. He immediately chatted the team with screenshots to gauge what people thought of it. 

First, we always look for the obvious warning signs:

• Poor spelling
• Bad / out-of-date formatting
• Incorrect logos
• Suspicious sender information

This email passed most of those legitimacy checks–it even appeared to have a legitimate Quickbooks sender address. More alarmingly, the email wasn’t even detected by Google’s Spam filter. Still, nobody was fooled right away–as IT workers, we all have a lot of built-in skepticism, and the first giveaway was that the Reply-To address was for a mail.ru email address.

Heath wondered if a member of our team had activated a Ninjio phishing test, in which they carry out a fake phishing attempt on your team, to see if it sticks.

Ryan dug a little deeper and found that the email came from an Intuit address that seemed legitimate, but from a suspicious IP address, which he also found mentioned in a Quickbooks support post related to scam attacks. 

The next theory was that the attackers created a legitimate Quickbooks Online account in order to scam people, which has become a common practice recently. This allows the attacker to more easily slip through basic email filters because the email is, in essence, legitimate.

Quickbooks Online Hijacking

When you receive an email like this and click “Mark as Spam”, it blocks a legitimate Quickbooks Sending Address, meaning that real businesses can’t get their invoices sent out. 

The attacker wants you to reply, or call their featured phone number to request a refund, and once you engage with them directly, they’ll either attempt to penetrate your device using a malicious URL or attachment, or they may just try to defraud you some cash in a traditional refund scam. 

Why does this scam work so well?

It’s not just the quality of the fake: it’s the fact that services like Intuit send out emails like this all the time, either overcharging or undercharging clients, resulting in clunky corrections. Clive Thompson, columnist for New York Times and Wired magazine, just shared a nearly identical story of a malicious overcharge from Norton Antivirus, and bemoans the position we’re put in as the customer when a service provider does sloppy bookkeeping.

What can you do about it?

This case is a perfect example of why Newmind Group stresses taking a multi-layered approach to security. For a small additional expense, you can protect your team from making simple human mistakes. Our ideal protection from this type of attack consists of:

• Built-in spam filters (like Google or Microsoft 365 Defender)
• 3rd party spam filters (like Datto SaaS Defense)
• DNS Filter
• Security Awareness Training

As always, we recommend brushing up on your own sixth-sense for spotting scams like these, but stronger defense tools for your entire team can save your organization serious downtime, or worse.