Phishing mail from forged address “billing2023@his.com” was received by some his.com mailboxes today, 11/28/2023.  Most phishing messages like this one are blocked by our spam/virus/phishing filters, but some copies of this particular message got through.

The body of the message looks like this, with the HIS logo.  The message came from an IP number in Indonesia.   The “Validate Billing Information” link connects to a site in Peru.  This fake login site is now disabled, but when it was active, the page was designed to look like an official his.com page, and was designed to trick users into entering not just their email addresses and passwords, but credit card and other personal information as well.

If you received this message and haven’t clicked on the links, just delete the message.

If you were tricked into entering your info on this bogus site, change your email password ASAP by logging on to https://webmail.his.com

If you entered your credit card info, call your bank immediately and let them know what happened.

We’re seeing quite a few email messages that claim to be about an invoice you haven’t paid and have PDF attachments supposedly from Docusign that you’re supposed to look at.  They’ll have subject lines like “Delayed Payment Penalty Notification”.  You probably won’t recognize the supposed sender as somebody you do business with, and if you hover your mouse over the From: address in the email you’ll see that the address is from some random domain.  The From: addresses are hijacked accounts, and this is a phishing attempt.  Most of these gets stopped in our Barracuda spam filters, but there are so many that some are getting through.   If you get any of these, delete them.

More information from Docusign:  https://www.docusign.com/trust/security/incident-reporting 

We’re seeing a flood of “phishing” email – this is spam that is designed to trick you into revealing your login information for email, bank, PayPal, Costco or other important site.  The quantity of this mail is up by several orders of magnitude, and while our spam filters block or quarantine 99+% of these, that last fraction of a percent is still a big number.

How this spreads:  when somebody falls for this and reveals their email login password, their account is then taken over to send as many phishing messages to other people as possible before the provider detects that this is happening and locks the account until the password can be changed.  Since these messages come from normally-innocent addresses, odds of them being recognized as spam are reduced, so any successful hijack can lead to several others.

Here are examples of some phishing messages that have targeted our customers.  These are designed to look scary and create a sense of urgency.  Often the messages contain typos that give them away, but just as often they look pretty real, even  using our logos.  If you hover your mouse over the link you’ll see that it goes somewhere else (often in another country), but if you’re on your phone, this isn’t easy to see.

Other phishing mail that you might see are impersonations of brands or companies you’re likely doing business with, like Costco, where they’ll tell you that Costco will pay you $100 if you fill out a survey.  Their goal is to get your Costco login, and whether or not they then buy things on your credit card from Costco, they’ll use any credit card information you have set up there.  Sometimes they’ll claim that you’ve just been charged $800 for something you don’t recognize.  We’ve seen these come through pretending to be from Geek Squad, PayPal, McAfee, Chase, Microsoft, Amazon, Apple, Norton, Microsoft and many others.

There’s more information on phishing mail here: 6 types of phishing … How to spot phishing … Ace Hardware phishing.

If something looks too good to be true, is trying to create a sense of urgency, or in any other way looks suspicious, don’t click on the links.  Most of these phishing messages are blocked and you won’t see them, but some are put in your quarantine because our spam filters think the message is probably, but not definitely, bogus.  If you see a message in your spam quarantine that looks like one of these, don’t fall for it – it’s in your quarantine because it looked suspicious.

We’re seeing an increased number of “phishing” email messages, where the bad guys are trying to trick you into entering your email account login info, where it’s used to compromise your account.  Here’s an example of a message that appeared today.   The “click here” takes you to a site in Indonesia where you’re prompted to enter email address and password:

This message was quarantined on spam.his.com so it didn’t make it to the intended email box, but some of these get through.  If you get a message asking you to “verify your account” by logging in via a web link, it’s almost certainly bogus, and it is definitely not from us.

We’ve just seen spam that’s supposedly from intuit.com (Quickbooks, etc.) with subjects like “Sales Receipt” or “Purchase Order Receipt” with an attached spreadsheet file.  This is a malware attack designed to trick you into opening the spreadsheet, which will install malware on your computer.  These are not from Intuit – most are from hacked servers in Brazil and Italy.

In nearly all cases, these were blocked or quarantined on spam.his.com, but if you’ve whitelisted intuit.com the spam may have been forwarded to you anyway since you’ve exempted that domain from checking.

If you got one of these, or find one in your spam quarantine, don’t open the attached file, which will have a name like “Sales_Receipt_8602.xls”.