Guest contributor Bob Covello isn’t happy about automated emails being sent out by a legal firm.
How can we teach security awareness if the legitimate messages ring all the warning bells?
One of my colleagues received the following message from a “law firm” the other day.
This is an actual screenshot of the message:
(The message also contained a telephone number and a confidentiality notice, which I have omitted for brevity.)
Does the email look suspicious to you? It should. The message contains three tell-tale signs of a potentially malicious message:
- First, it arrived unsolicited, from an unknown sender.
- Second, it contained nothing more than a vague subject, and only a name and alleged title of the sender.
- Third, it contained an ambiguously named PDF attachment.
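The three signs above are exactly the kind of heuristics a mail-triage script can flag for a human to verify. The following is an added example, not code from the post or from the firm involved: it parses a message with Python's standard `email` module and reports each sign separately, plus a count of how many of the three are present. The two sample messages are constructed to have the shape the post describes (the suspicious one) and a descriptive counterexample (the benign one); the allow-list of known senders, the list of vague subjects, the attachment-name pattern and the 15-word body threshold are assumptions chosen for illustration.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Constructed sample with the shape the post describes: unsolicited sender,
# one-word subject, a body holding only a name and title, and a generically
# named PDF. It is not the actual message from the post.
SUSPICIOUS_EML = """\
From: "J. Doe" <jdoe@example-lawfirm.invalid>
To: colleague@example.test
Subject: Document
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

J. Doe
Senior Associate
--b1
Content-Type: application/pdf; name="doc.pdf"
Content-Disposition: attachment; filename="doc.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

# Constructed counterexample: same structure, but from a prior correspondent,
# with a specific subject, a real body and a descriptively named attachment.
BENIGN_EML = """\
From: "Pat Partner" <partner@example.test>
To: colleague@example.test
Subject: Engagement letter for the Smith v. Jones matter (ref 2024-0117)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain; charset="utf-8"

Hi, as discussed on the phone this morning, the signed engagement letter is
attached for your records. Please let me know if anything needs changing
before the filing deadline next Friday.

Pat
--b2
Content-Type: application/pdf; name="Smith_v_Jones_engagement_letter.pdf"
Content-Disposition: attachment; filename="Smith_v_Jones_engagement_letter.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b2--
"""

# Assumed allow-list of addresses the recipient has corresponded with before.
KNOWN_SENDERS = {"partner@example.test"}
# Assumed list of subjects that say nothing about why the message was sent.
VAGUE_SUBJECTS = {"", "document", "documents", "file", "attached", "scan", "invoice", "important"}
# Assumed pattern for attachment names that say nothing about their contents.
AMBIGUOUS_PDF = re.compile(r"^(doc|document|file|scan|attachment|untitled)[-_ ]?\d*\.pdf$", re.IGNORECASE)
# Assumed threshold: a body with fewer words than this is treated as a bare signature block.
MIN_BODY_WORDS = 15


def sender_address(msg: Message) -> str:
    """Return the bare sender address, lower-cased, from the From header."""
    return parseaddr(msg.get("From", ""))[1].lower()


def body_words(msg: Message) -> int:
    """Count the words in the first text/plain part that is not an attachment."""
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and part.get_filename() is None:
            payload = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "utf-8"
            return len(payload.decode(charset, errors="replace").split())
    return 0


def attachment_names(msg: Message) -> list:
    """Collect the file names of every part that carries one."""
    return [part.get_filename() for part in msg.walk() if part.get_filename()]


def triage(raw: str) -> dict:
    """Flag the three signs from the post and count how many are present.

    A high score is a prompt to verify the message out of band (as the post's
    author did by phone), not a verdict: the post's whole point is that a
    legitimate message can trip all three.
    """
    msg = message_from_string(raw)
    subject = (msg.get("Subject") or "").strip().lower()
    flags = {
        "unknown_sender": sender_address(msg) not in KNOWN_SENDERS,
        "vague_subject": subject in VAGUE_SUBJECTS,
        "bare_body": body_words(msg) < MIN_BODY_WORDS,
        "ambiguous_attachment": any(AMBIGUOUS_PDF.match(n) for n in attachment_names(msg)),
    }
    # Sign two in the post is "vague subject and nothing but a name and title",
    # so it needs both the subject and the body checks to fire.
    flags["score"] = sum([
        flags["unknown_sender"],
        flags["vague_subject"] and flags["bare_body"],
        flags["ambiguous_attachment"],
    ])
    return flags


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_EML), ("benign", BENIGN_EML)):
        print(label, triage(raw))
```

Run as a script it prints the flag dictionary for both samples; the constructed suspicious message scores 3 and the benign one 0. In practice the allow-list would come from the recipient's sent-mail history or address book, and the output belongs in a mail gateway's quarantine notes or a user-facing banner rather than in an automatic block, precisely because of the false positive the post describes.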
Fortunately, I work with very security-aware colleagues who know the signs of a bogus message, and I was alerted to the message.
When I researched the purported sender, I found that the email was sent from a legitimate organization. I called the office to ask about the message and was shocked to find out that it was a legitimate message, sent by their automated mailing system.
How are we to train our staff to recognize and not click on attachments in unsolicited messages, only to be undermined by a careless legal firm?
I am not using the word “careless” lightly either. When I contacted the sender on the phone, I was told: “Our mailing system just does it that way.” They simply did not seem to care at all.
This creates a problem in two ways.
Firstly, that firm may be losing business, since most of the civilized world is probably ignoring their messages, or worse, their messages are never reaching the intended recipients.
Secondly, if they are accustomed to sending such poorly formatted messages, then they probably click on equally suspicious messages that they receive, making them an easy target for cybercrime.
I decided to use the contact form on their web page to alert them of the problem, and I received another automated message notifying me that they will review “my case” and assign a dedicated team of attorneys to it.
*Sigh* I don’t need an attorney, I just need a good headache medication.
One would hope that a firm that sends out suspicious messages would at least employ a competent tech team to configure their systems correctly. I remain hopeful that this is just an anomaly, and not the norm.