
The phishing email that finally got us

This month we've received a very sophisticated, sleek-looking phishing email that is definitely going to get some bites. Luckily, we’ve deconstructed this email to show you the red flags that you need to keep an eye out for. 

This scam was so convincing, they even convinced one of us to click a link. Luckily, by the time they got to the login screen, they realised that they had been duped. The reason this phishing scam was so effective? It’s to do with domains, and subdomains. 

What is a domain?

A domain is essentially the part of the web address that has the name of the site you're visiting. So ‘google.com’ - ‘google’ is the domain. The domain is always the word that is adjacent to the last ‘.’. The part that follows is called the domain name extension, which sometimes gives you a clue about the site; ‘.edu’ for example, is going to be educational; ‘.uk’ specifies the country.

What is a subdomain?

In comparison, a subdomain is the part before the domain name, and can point you somewhere a little different. A good example is ‘docs.google.com’. In this case, ‘google’ is still the domain, but the web address is pointing us to a specific app within Google, the Documents. So, ‘docs’ is the subdomain. It provides us with a little more information about the location, whilst still telling us that the application is hosted by Google.

What does all this have to do with phishing?

One of the great little tricks that we can use to decipher whether we’re looking at a real email from a legitimate source, or a phishing email from someone who wants to steal our information, is by looking at the links in the email. By hovering over, rather than clicking on the links, we can see where they’re going to take us.

This is really useful for phishing emails, because if an email purports to be from Amazon, and they’re asking us to click a link which says ‘Go to your account’, when we hover over the link we’d expect to see amazon.co.uk. But, if when we hover over the link it’s actually sending us somewhere else - like givemeyourbankingdetails.com, that’s a good indicator we’re being duped.

The phishing email that reeled us in

The email that we received purported to be from SendGrid - an email provider that we do expect to receive correspondence from. Below is a legitimate email from the real SendGrid.

And below, here is the phishing email that one of our team received:

As you can see, it’s a pretty close match! At first glance, everything seems legitimate. For those of us who are very fast readers, this is probably convincing enough to get us to click a link. 

Which is exactly what the recipient did! The only thing that held them up was the login screen they were presented with - something didn’t look quite right. They then realised that this was a phishing email in disguise. But is there any way to figure it out without clicking one of the links?

We hovered over the links in the email - and really, everything checks out! You’d expect to see these kinds of links in an email sent out by a company like SendGrid - they’re pretty lengthy, and look to point us somewhere on the SendGrid website. But let's have a closer look at that domain name.

What’s in a name?

If you look closer at the string of incoherent numbers and letters, you’ll be able to spot ‘email.sendgrid-com.click’ as well as ‘deecon24.de’. The last ‘.’ is just before the domain name extension ‘de’ - meaning the part before the ‘.’ is the domain name. This isn’t ‘sendgrid’ - it’s ‘deecon24’ (which sounds far less reputable). This means that the link isn’t sending us somewhere on SendGrid’s website at all. It is absolutely a phishing email.
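The check described above can be automated; the following Python is an added example, not part of the original article. It goes one step beyond the ‘last dot’ rule by handling two-part extensions such as ‘.co.uk’, and the suffix set, the full phishing URL and the expected domain ‘sendgrid.com’ are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: a tiny constructed sample of two-part extensions. Real tooling
# should use the full Public Suffix List instead of this set.
MULTI_PART_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au"}


def registrable_domain(url):
    """Return the domain a link really belongs to (name plus extension)."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    labels = host.split(".")
    if len(labels) < 2:
        return host
    # Two-part extensions such as '.co.uk' need three labels, not two.
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_PART_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def subdomain(url):
    """Everything in front of the registrable domain; its owner can put anything here."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    reg = registrable_domain(url)
    return host[: -len(reg)].rstrip(".") if host != reg else ""


def check_link(url, expected_domain):
    """Compare where a link really goes with where the email claims it goes."""
    actual = registrable_domain(url)
    expected = expected_domain.lower()
    brand = expected.split(".")[0]
    return {
        "actual_domain": actual,
        "matches_expected": actual == expected,
        # Brand name sitting in the subdomain of someone else's domain.
        "brand_in_subdomain": actual != expected and brand in subdomain(url),
    }


# Constructed URL: only 'email.sendgrid-com.click' and 'deecon24.de' come from
# the article; the scheme, middle label and path are placeholders.
PHISH = "https://email.sendgrid-com.click.xxxx.deecon24.de/login"

if __name__ == "__main__":
    for link, expected in [
        ("https://docs.google.com/document", "google.com"),
        ("https://www.amazon.co.uk/your-account", "amazon.co.uk"),
        (PHISH, "sendgrid.com"),
    ]:
        print(link, check_link(link, expected))
```

A link that reports `brand_in_subdomain` as true is worth flagging for a second look, because the brand name appears only in the part of the address that the real domain owner is free to make up.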

I can’t get my head around domain names!

If all this techno-jargon is a bit overwhelming, there are some other familiar red flags for us to spot. The sentences do read a little strangely - the grammar isn’t perfect (there’s a missing capital letter at the start of the first sentence, and a full stop later on where there should be a comma) and the link to their privacy policy seems a little out of place considering our account has apparently been suspended for ‘security reasons’.

The instructions are a little confusing - should we be contacting our system administrator? Surely if it’s been suspended, we can’t access it through the login page? Or do we need to click a link to say it’s been suspended in error? Also, if you take a closer look at the SendGrid logo, you’ll notice that it’s cropped a little oddly - the logo has been cut off at the bottom. All of these are good indicators of a phishing email.

Transcendit’s top tip - slow down!

These little indicators are only really noticeable when you slow down, and look for them. The best way to protect yourself against a phishing email is to make sure you’re reading emails carefully. If in doubt, get another pair of eyes (ideally, call up your IT support team!) before you click any links. 

In this case, it would be easy to check whether our SendGrid account had been suspended without going through the link in the email - if you’re on the fence, just head directly to the website yourself! Slow down, read carefully, and if you get one of these in your inbox, send it straight to Spam.
