Phishing email claiming to be from billing@his.com “Credit Card Status on HIS account”

This morning some  of our customers with @his.com or @hers.com email addresses received a phishing email claiming to be from billing@his.com, with a subject line of “Credit Card Status on HIS account”
The text may vary but they look like this:

This message contains a link to a non-HIS web site “asete.info”, where the bad guys hope to harvest your username and password.
This web site should be blocked be any anti-malware app – provided you have one installed.

If you receive email that looks suspicious, don’t click any links in the email.  In a case like this one – we did not send this message.

These phishing emails used to be fairly easy to spot but this one is very cleverly crafted to looks like one of ours.

 

Phishing mail claiming to be from Amazon

We’ve seen phishing mail claiming to be from Amazon, saying that there’s a problem renewing your Amazon Prime membership:

This links to a site in India, where the bad guys hope to harvest your Amazon username and password.

If you receive email that looks suspicious, don’t click any links in the email.  In a case like this one, log on to your Amazon account separately (not by clicking the link!) and investigate.

These phishing emails used to be fairly easy to spot because they’d get the graphics wrong or contain mistakes in grammar or spelling, but now the bad guys are using AI to generate the content, and in many cases it looks very real.    If you’re using a Mac or PC, hover your mouse cursor over the From: address or the login link to see where they point.  This isn’t as easy to do on a phone or tablet.

Phishing mail claiming “multiple billing error”

A his.com customer email account was hijacked and used to send phishing mail to other his.com addresses that claimed to be from error-billing@his.com, asking recipients to log on to “retract the multiple charges”.  Following this link would take you to a real-looking copy of a Zimbra email login, where logging in would reveal your password to the bad guys, who would then use your account to send more phishing mail.

The customer whose account was used to send this mail fell for a different phishing email and revealed their password.

This particular email came from an IP number in the UK, but the fake login page it links to was in Turkey.

If you received one of these, delete it.

Phishing mail to his.com addresses from “billing2023@his.com”

Phishing mail from forged address “billing2023@his.com” was received by some his.com mailboxes today, 11/28/2023.  Most phishing messages like this one are blocked by our spam/virus/phishing filters, but some copies of this particular message got through.

The body of the message looks like this, with the HIS logo.  The message came from an IP number in Indonesia.   The “Validate Billing Information” link connects to a site in Peru.  This fake login site is now disabled, but when it was active, the page was designed to look like an official his.com page, and was designed to trick users into entering not just their email addresses and passwords, but credit card and other personal information as well.

If you received this message and haven’t clicked on the links, just delete the message.

If you were tricked into entering your info on this bogus site, change your email password ASAP by logging on to https://webmail.his.com

If you entered your credit card info, call your bank immediately and let them know what happened.

Phishing mail with “Docusign” attachments

We’re seeing quite a few email messages that claim to be about an invoice you haven’t paid and have PDF attachments supposedly from Docusign that you’re supposed to look at.  They’ll have subject lines like “Delayed Payment Penalty Notification”.  You probably won’t recognize the supposed sender as somebody you do business with, and if you hover your mouse over the From: address in the email you’ll see that the address is from some random domain.  The From: addresses are hijacked accounts, and this is a phishing attempt.  Most of these gets stopped in our Barracuda spam filters, but there are so many that some are getting through.   If you get any of these, delete them.

More information from Docusign:  https://www.docusign.com/trust/security/incident-reporting 

Spam filter upgrade

We switched spam.his.com to to a new Barracuda server this morning 8/23 and this is why you may have received a message about “User Quarantine Account Information” this morning.

You can use this information to log in, and you should also still be able to login to the SPAM quarantine at https://spam.his.com as before with your email address and email password.

You may also receive 2 quarantine messages tomorrow 8/24 – this is expected.

The old SPAM Quarantine will still be available at https://cuda201.his.com for a few weeks should you need it to retrieve some messages.
Login with your email address and email password.

If you have any questions, contact our support: https://support.his.com

How to recognize “phishing” email

We’re seeing a flood of “phishing” email – this is spam that is designed to trick you into revealing your login information for email, bank, PayPal, Costco or other important site.  The quantity of this mail is up by several orders of magnitude, and while our spam filters block or quarantine 99+% of these, that last fraction of a percent is still a big number.

How this spreads:  when somebody falls for this and reveals their email login password, their account is then taken over to send as many phishing messages to other people as possible before the provider detects that this is happening and locks the account until the password can be changed.  Since these messages come from normally-innocent addresses, odds of them being recognized as spam are reduced, so any successful hijack can lead to several others.

Here are examples of some phishing messages that have targeted our customers.  These are designed to look scary and create a sense of urgency.  Often the messages contain typos that give them away, but just as often they look pretty real, even  using our logos.  If you hover your mouse over the link you’ll see that it goes somewhere else (often in another country), but if you’re on your phone, this isn’t easy to see.

Other phishing mail that you might see are impersonations of brands or companies you’re likely doing business with, like Costco, where they’ll tell you that Costco will pay you $100 if you fill out a survey.  Their goal is to get your Costco login, and whether or not they then buy things on your credit card from Costco, they’ll use any credit card information you have set up there.  Sometimes they’ll claim that you’ve just been charged $800 for something you don’t recognize.  We’ve seen these come through pretending to be from Geek Squad, PayPal, McAfee, Chase, Microsoft, Amazon, Apple, Norton, Microsoft and many others.

There’s more information on phishing mail here: 6 types of phishing … How to spot phishing … Ace Hardware phishing.

If something looks too good to be true, is trying to create a sense of urgency, or in any other way looks suspicious, don’t click on the links.  Most of these phishing messages are blocked and you won’t see them, but some are put in your quarantine because our spam filters think the message is probably, but not definitely, bogus.  If you see a message in your spam quarantine that looks like one of these, don’t fall for it – it’s in your quarantine because it looked suspicious.

mail.his.com outage 9/18/21

Mail for his.com and a  number of other domains is currently down and the problem has been identified.  Incoming mail is queuing on backup servers and will be delivered when the problem is resolved.  We’ll post updates here.

Update 12:30 pm 9/18/21:  this problem has been resolved.  No mail has been lost – incoming mail during the outage is queued on a backup server and will be delivered over the next 60 minutes.

Update 2:30 PM 9/18/21: queued mail for accounts affected by this outage has been delivered and operation has returned to normal.

 

Phishing Email

We’re seeing an increased number of “phishing” email messages, where the bad guys are trying to trick you into entering your email account login info, where it’s used to compromise your account.  Here’s an example of a message that appeared today.   The “click here” takes you to a site in Indonesia where you’re prompted to enter email address and password:

This message was quarantined on spam.his.com so it didn’t make it to the intended email box, but some of these get through.  If you get a message asking you to “verify your account” by logging in via a web link, it’s almost certainly bogus, and it is definitely not from us.