Beware of the “Your Mailbox Is Almost Full” phishing campaign

A flood of phishing emails has recently been appearing in customer mailboxes. They claim that the recipient’s mailbox is almost full, or that the recipient needs to verify their account to avoid email service disruption.

Example of phishing email

These messages may also include logos and verbiage for Office 365, Gmail, Yahoo, or other mail service providers.

It’s not just spam – it’s a phishing attack.

These messages are all trying to get you to sign in with your email credentials. Almost all of the links lead to either a bogus login page or a “password reset” page. Ultimately, you won’t see what you’re expecting, but by the time you have signed in, the attackers have your email credentials. This is an example of ‘phishing’, and providing this information lets the bad guys gain access to your mailbox. They will log in to your mailbox to get hold of your contacts and send the same type of emails, but now under the guise of your email address. You may also have username and password information for other services you use saved in your mailbox… anyway, you get the point!

How to spot a phishing email

There are a number of characteristics that should alert you to the danger in these emails, but we busy workers don’t always have the time to read things properly – my customers’ initial reaction is usually “I better do this now because I really need my email”. In the first example above…

1. The message came from an outside email address that is not part of the business. While this isn’t always a clear indication of phishing, receiving a message from an email address that you don’t recognize should raise a flag.

2. If this email arrives in your Spam folder, that means it has already gone through a series of automated checks and filters. Spam messages are “scored”, meaning the more suspicious a message appears, the higher the score it receives. Once it hits a certain score, it’s most likely spam.

3. The language is atrocious.

Your are out of storage space and your account will be deacitvated if you do not increase disk space.

4. Hovering your mouse cursor over the link shows the target URL as https://servica.ga/sever/index.php?email=[email address]. .ga is the country code top-level domain for Gabon, a sovereign state on the west coast of central Africa. Are you doing business with someone in Gabon??
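
The indicators in the list above can be combined into a score, in the same spirit as the spam scoring described in item 2. This is an added example, not part of the original article or any real filter's rules: the business domain example.com, the expected TLD list, the lure phrases, the weights and the threshold are all assumptions, and the sample message is constructed from the wording and link target quoted above.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlsplit, parse_qs

# Assumed values for this sketch: not taken from any real filter.
ORG_DOMAIN = "example.com"              # the business's own mail domain
EXPECTED_TLDS = {"com", "org", "net"}   # where this business normally has contacts
LURES = ("mailbox is almost full", "out of storage space", "verify your account")
THRESHOLD = 5                           # score at or above which the mail is held

def score_message(raw):
    """Return (score, reasons) for one message given as RFC 5322 text."""
    msg = message_from_string(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    recipient = parseaddr(str(msg.get("To", "")))[1].lower()
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part else ""
    text = (str(msg.get("Subject", "")) + "\n" + body).lower()
    score, reasons = 0, []

    def hit(points, reason):
        nonlocal score
        score += points
        reasons.append(reason)

    if not sender.endswith("@" + ORG_DOMAIN):
        hit(1, "sender is outside the business")
    if any(phrase in text for phrase in LURES):
        hit(2, "storage/verification lure wording")
    for url in set(re.findall(r"https?://[^\s\"'<>]+", body)):
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if host.rsplit(".", 1)[-1] not in EXPECTED_TLDS:
            hit(2, "link host in unexpected TLD: " + host)
        values = [v.lower() for vs in parse_qs(parts.query).values() for v in vs]
        if recipient and recipient in values:
            hit(3, "link is pre-filled with the recipient's address")
    return score, reasons

# Constructed sample built from the wording and link target quoted in this article.
PHISH = (
    "From: Mail Admin <admin@mailer.example.net>\n"
    "To: pat@example.com\n"
    "Subject: Your Mailbox Is Almost Full\n"
    "Content-Type: text/html\n\n"
    "<p>Your are out of storage space and your account will be deacitvated.</p>\n"
    '<a href="https://servica.ga/sever/index.php?email=pat@example.com">Fix</a>\n'
)
```

Calling score_message(PHISH) returns the total together with the list of reasons, so a reviewer can see which of the four indicators fired rather than just a verdict.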

Recovery Steps

If you do happen to click on such a link and go all the way through with entering your password, you should change any login credentials that you submitted to the phishing site.  As always, use a different password for each website account and use a reliable password manager to keep track of them all!