On 25th August, I received the above email purporting to be from ParentPay. ParentPay is an online payment system designed for use by schools – you can book and pay for school dinners, library fines, school trips etc.
I am a user of the application, but I’ve only casually (and observationally) looked at the security of their main web application. I have no complaints, although the SSL configuration is less than optimal.
This email looks like a textbook phishing email. I had to spend some time confirming it was genuine, and was only really convinced after they tweeted about the same competition.
Why does it look like a phishing email?
- The sender’s email address is not on the domain parentpay.com – it is firstname.lastname@example.org. This teaches your users to accept that any email containing the word parentpay is genuine.
- You are tempting users with vouchers in return for logging in. This is a standard technique used by phishers.
- Amazon is not capitalised. Spelling and grammar mistakes are common in phishing emails.
- The login link labelled “Login to ParentPay” takes us to the ParentPay login page. In a phishing email, it would take us to a malicious site that may harvest our details or deliver malware. Conditioning users to login via links sent in email is a bad idea.
- The login link directs us to the education.co.uk domain, which redirects to ParentPay. Teaching users to follow links to third-party sites to login is a monumentally bad idea – a number of attacks can be carried out like this including a plain phishing page, tabnabbing etc.
Please don’t send emails like this – it doesn’t just impact the security of your site. Conditioning users to trust emails like this goes against a lot of user awareness training, regardless of which site they are accessing.