How I Almost Created a Realistic Phishing Email Using a Legitimate-Looking Address

Threat Actor: Cybercriminals
Victim: Individuals and Organizations
Price: Potential loss of $50,000+
Exfiltrated Data Type: Personal and financial information

Key Points:

  • Phishing emails are common attack methods used by cybercriminals to deceive recipients.
  • Attackers often impersonate trusted organizations to manipulate victims into sharing sensitive information.
  • Recent phishing attempts included fake password reset requests from legitimate companies like GCash, SMART, GLOBE, and PLDT.
  • Emails may appear authentic, but they often fail domain authentication checks, indicating potential spoofing.
  • Users often overlook security warnings, especially in urgent situations, making them vulnerable to attacks.
  • Modern security protocols like DMARC and SPF can help prevent phishing, but human error remains a significant risk factor.
  • Education on recognizing phishing attempts is crucial for protecting personal and financial information.

Author: Viperae

Phishing emails are one of the most common attack methods in the world of cybercrime. By disguising themselves as official communications from trusted organizations, attackers can manipulate recipients into sharing sensitive information or clicking on malicious links.

Recently, I received a phishing email (a poorly crafted one) claiming that I would inherit some money from a dubious foundation. I wanted to see what phishing emails sent to other people look like, and then I remembered something I had read on Twitter about someone who sent more than $50,000 to an email from his boss that was later revealed to be fake.

In one of my experiments after reading how it happened, I created a phishing email that mimicked a password reset request from various legitimate organizations, including GCash, SMART, GLOBE, and PLDT, using email addresses that appeared to be authentic.

Image: a fake GCash password reset email

Here’s how it almost worked and what I learned.

The Setup

The phishing email was designed to look as authentic as possible. For instance, one email appeared to come from support@gcash.com, while others looked like they were from noreply@smart.com, info@globe.com, or support@pldt.com. The body of the emails informed the recipient that a password reset request had been made for their account, and if they hadn’t initiated it, they should click on the “Reset Password” button.

Additionally, each email included a backup text link—such as http://fakephishingsite.com—in case the button didn’t work. This structure mimics legitimate password reset emails, making an unsuspecting recipient more inclined to trust it.

Despite their convincing appearance, these emails did not pass all checks, but for someone who is not aware of such checks it would mean disaster. I used DWK’s ProtonMail account to send the messages, and the system immediately flagged the emails with the following notice: “This email has failed its domain’s authentication requirements. It may be spoofed or improperly forwarded.” This is a critical warning based on DMARC (Domain-based Message Authentication, Reporting & Conformance) and SPF (Sender Policy Framework) checks.

However, recipients often overlook these warnings, when they are shown at all, especially in moments of urgency. Even with the emails flagged as potentially dangerous, the eye is drawn to the familiar branding, the clear call to action, and the urgency of the message. This is where the true danger lies: these warnings are often missed by users, particularly those who are not technically inclined.

ProtonMail is one of the most secure email services, which is why I used it to highlight the problem. ProtonMail emphasizes privacy and security and flags such emails as suspicious. However, not all email providers, or rather most email systems of these companies and government agencies, have such robust security measures, and even when they do, users often ignore the technical warnings.

From what I’ve learned and heard from a trusted government official, such measures are not implemented or, worse, they have no idea what it is all about. I tried this experiment on the email accounts of some of my friends who work in the government. (Note: I asked for their consent first, to show them how dangerous the said method is.)

For instance, on many mobile devices or apps, these warnings may be collapsed or hidden, and recipients might interact with the email before realizing something is wrong.

While domain authentication checks caught these emails as potentially spoofed, many people wouldn’t notice the warnings—especially if they are rushed or distracted. Phishing emails exploit this exact behavior, prompting users to act quickly and without sufficient thought.

What This Experiment Taught Me

This experiment aimed to understand the effectiveness of phishing attacks and the defenses against them. Creating phishing emails that look nearly perfect isn’t difficult, but modern security protocols like DMARC, SPF, and DKIM (DomainKeys Identified Mail) can often thwart these attempts. Nevertheless, the human factor—whether recipients notice the warning or comprehend its meaning—is the real weak link.
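The warning ProtonMail showed is the outcome of a DMARC alignment check: the domain in the visible From header has to match the domain that SPF or DKIM actually authenticated, and a message sent from an unrelated mailbox with a borrowed From address cannot satisfy that. As an added illustration (not code from the original post), the following Python reproduces that check on two constructed messages; the header values, domain names and the simplified two-label organizational-domain rule are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed samples (not real messages). Authentication-Results is the
# header a receiving mail server adds after running SPF and DKIM.
SPOOFED_MSG = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=relay.example.org; dkim=pass header.d=relay.example.org
From: GCash Support <support@gcash.com>
Subject: Password reset request

If you did not request this, click Reset Password.
"""

LEGIT_MSG = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=bounce@mail.gcash.com; dkim=pass header.d=gcash.com
From: GCash Support <support@gcash.com>
Subject: Password reset request

If you did not request this, click Reset Password.
"""

def org_domain(domain):
    """Relaxed-alignment approximation: keep the last two labels.
    Real DMARC uses the Public Suffix List; this is a simplification."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def dmarc_alignment(raw):
    """DMARC-style verdict: the visible From domain must align with the
    domain that SPF (envelope sender) or DKIM (signing domain) verified."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    results = msg.get("Authentication-Results", "")
    spf = re.search(r"spf=pass\b[^;]*smtp\.mailfrom=(?:[^@\s;]+@)?([^\s;]+)", results)
    dkim = re.search(r"dkim=pass\b[^;]*header\.d=([^\s;]+)", results)
    spf_aligned = bool(spf) and org_domain(spf.group(1)) == org_domain(from_domain)
    dkim_aligned = bool(dkim) and org_domain(dkim.group(1)) == org_domain(from_domain)
    return {"from_domain": from_domain, "spf_aligned": spf_aligned,
            "dkim_aligned": dkim_aligned, "dmarc_pass": spf_aligned or dkim_aligned}

def warning_banner(raw):
    """The kind of notice a mail client shows when alignment fails; None if OK."""
    verdict = dmarc_alignment(raw)
    if verdict["dmarc_pass"]:
        return None
    return (f"This email has failed {verdict['from_domain']}'s authentication "
            "requirements. It may be spoofed or improperly forwarded.")

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED_MSG), ("legitimate", LEGIT_MSG)):
        print(name, dmarc_alignment(raw), warning_banner(raw))
```

Note that both messages pass SPF and DKIM on their own; only the alignment step ties those results back to the From address the recipient actually sees, which is why DMARC is the check that catches a look-alike sender.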

It’s crucial for users to be cautious, especially regarding emails involving password resets or personal financial information. Even if an email looks legitimate, small signs like an unfamiliar sender or a domain authentication failure should immediately raise suspicions.

Source: https://kukublanph.data.blog/2024/10/19/how-i-almost-created-a-realistic-phishing-email-using-a-legitimate-looking-address/