Here is another real phishing email, this one purporting to be from PayPal.
Let's dig in...
(Orange) We have typos and grammatical errors.
(1) Again we have a weird sender address, from @paypap-us.com. This domain is highly unlikely to be owned by PayPal.
(2) This email was probably BCC'd to a bunch of users. Most official communications will be addressed directly to you.
(3) Here is the hook/social engineering tactic: trying to instill panic with a sense of urgency.
(4) In this case there is no greeting or mention of me, the customer (no greeting, or a generic one, is a red flag).
(5/6) There are two supposed issues: account activity and a bank alert (sorry, your bank would notify you of fraudulent CC or account usage, not PayPal).
(7) The whole email is a single image that is also a clickable link.
The link
jetsend.com is a real emailing service with tracking capabilities. The threat actor can determine whether you clicked the link. These services will most likely also kick off additional redirects to the attack landing page.
It looks like it redirects to a Google Doc.
Another redirect to the end page. It looks like the attacker's account has already been taken down.
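The red flags above can be checked mechanically. This is an added example, not part of the original post: a small Python triage script that parses a constructed message modelled on the one described (lookalike sender domain, no recipient in To, urgency in the subject, no personal greeting, image-only body wrapped in a tracking link) and returns the list of indicators it trips. The tracker URL and addresses are placeholders, and the greeting/urgency keyword lists are assumptions.

```python
import re
import difflib
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the message described above (not the real email).
SAMPLE = """From: PayPal Service <service@paypap-us.com>
To: undisclosed-recipients:;
Subject: URGENT: Unusual account activity - respond within 24 hours
Content-Type: text/html

<html><body><a href="http://tracker.example/click?id=123"><img src="cid:body.png"></a></body></html>
"""

BRAND_DOMAINS = {"paypal.com"}          # domains the brand actually sends from (assumed list)
URGENCY = ("urgent", "immediately", "within 24 hours", "suspended", "verify now")

def sender_domain(msg):
    """Domain part of the From header, lower-cased."""
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

def lookalike(domain, known=BRAND_DOMAINS, cutoff=0.7):
    """True when domain is not a known brand domain but closely resembles one."""
    if domain in known:
        return False
    return bool(difflib.get_close_matches(domain, known, n=1, cutoff=cutoff))

def analyse(raw, my_address):
    """Return the phishing indicators found in a raw RFC 822 message."""
    msg = message_from_string(raw)
    flags = []
    if lookalike(sender_domain(msg)):
        flags.append("lookalike-sender-domain")
    if my_address.lower() not in msg.get("To", "").lower():
        flags.append("recipient-not-in-to")          # likely BCC'd in bulk
    if any(k in msg.get("Subject", "").lower() for k in URGENCY):
        flags.append("urgency-hook")
    body = msg.get_payload(decode=True).decode(errors="replace")
    text = re.sub(r"<[^>]+>", " ", body)             # strip tags, keep visible text
    if not re.search(r"\b(dear|hello|hi)\s+\w+", text, re.I):
        flags.append("no-personal-greeting")
    # An anchor wrapping an image with no other visible text: the whole mail is a clickable picture.
    if re.search(r"<a[^>]*>\s*<img[^>]*>\s*</a>", body, re.I) and not text.strip():
        flags.append("image-only-link-body")
    return flags

if __name__ == "__main__":
    print(analyse(SAMPLE, "me@example.com"))
```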