On 25th August, I received the above email purporting to be from ParentPay. ParentPay is an online payment system designed for use by schools – you can book and pay for school dinners, library fines, school trips etc.
I am a user of the application, but I’ve only casually (and observationally) looked at the security of their main web application. I have no complaints, although the SSL configuration is less than optimal.
This email looks like a textbook phishing email. I had to spend some time confirming it was genuine, and was only really convinced after they tweeted about the same competition.
Why does it look like a phishing email?
- The sender’s email address is not on the domain parentpay.com – it is parentpay@emarketing.education.co.uk. The only part of that address a recipient can check is a third party’s domain, and accepting it teaches your users that any email containing the word parentpay is genuine.
- You are tempting users with vouchers in return for logging in. A reward offered for logging in is a standard phishing lure.
- Amazon is not capitalised. Spelling and grammar mistakes are common in phishing emails.
- The login link labelled “Login to ParentPay” takes us to the ParentPay login page. In a phishing email it would take us to a malicious site that harvests our credentials or delivers malware. Conditioning users to log in via links sent in email is a bad idea.
- The login link points at the education.co.uk domain, which then redirects to ParentPay. Teaching users to follow links on third-party domains in order to log in is a monumentally bad idea: a user who has learned that a link on an unrelated domain may legitimately lead to the ParentPay login page has no way to tell it apart from one that leads to a plain phishing page, or to a page that swaps itself for a fake login form once it is left in a background tab (tabnabbing).
Please don’t send emails like this – it doesn’t just impact the security of your site. Conditioning users to trust emails like this goes against a lot of user awareness training, regardless of which site they are accessing.
Adam Piggott
August 28, 2016 at 5:37pm
PayPal and eBay are just as bad. They often use xyz-paypal.com-like domains, empty or unintelligible text/plain emails, or those with HTML tags in them, repeatedly sending emails with the same subject such as “View recent transactions now” or “Help us protect your account” which seem pushy; another common phishing tactic. You’d hope such organisations would be sensitive to such behaviour.
Tim McCormack
August 31, 2016 at 3:14am
Not to mention that a phisher could now piggyback off of this campaign. Just because the campaign is real doesn’t mean the specific email you receive is legit… 🙂