It is interesting how paths sometimes overlap and/or converge.
In this instance, we ended up with a reported smish (an SMS-based phish). While SMS Phishing is something that is covered within Cofense’s Security Awareness training modules, it is not something that we see reported that often.
What makes this specific situation interesting is that the SMS phish was reported by the person whose email address was originally spoofed as the original sender, because the person who received it replied!
I feel like this requires a flowchart:
For those who do not already know, phones can receive text (SMS) and multimedia messages (MMS) via email through most carriers, and conversely depending on the carrier you can send an email to someone as a SMS or MMS. A reply to such a message most often results in an email response to the sender. Such is the case with this email, except the sender it replied to was not who actually sent the text via email. Here is the resulting email we received after the customer reported it to us.
To be fair, this wasn’t a completely generic and poorly planned smish – the ‘hzbgao’ page it points to redirects to the page which has an invalid certificate and appears to otherwise be down, however both the smish and the redirected domain are impersonating the same company, so it looks like at least a small amount of effort was put in to it. Based on the smish and the link, we can strongly assume that the resulting webpage would have been an attempt to steal the victim’s login credentials.
My hat goes off to the anonymous recipient of the phish though, with their “Who this” response. All incoming emails should be regarded in much the same way as incoming phone calls and text messages from random people and numbers.