Win a prize! If you log in using the link in this email!!!!

Email from Parentpay

Email from Parentpay

On 25th August, I received the above email purporting to be from ParentPay. ParentPay is an online payment system designed for use by schools – you can book and pay for school dinners, library fines, school trips etc.

I am a user of the application, but I’ve only casually (and observationally) looked at the security of their main web application. I have no complaints, although the SSL configuration is less than optimal.

This email looks like a textbook phishing email. I had to spend some time confirming it was genuine, and was only really convinced after they tweeted about the same competition.

Why does it look like a phishing email?

  1. The sender’s email address is not on the domain – it is This teaches your users to accept that any email containing the word parentpay is genuine.
  2. You are tempting users with vouchers in return for logging in. This is a standard technique used by phishers.
  3. Amazon is not capitalised. Spelling and grammar mistakes are common in phishing emails.
  4. The login link labelled “Login to ParentPay” takes us to the ParentPay login page. In a phishing email, it would take us to a malicious site that may harvest our details or deliver malware. Conditioning users to login via links sent in email is a bad idea.
  5. The login link directs us to the domain, which redirects to ParentPay. Teaching users to follow links to third-party sites to login is a monumentally bad idea – a number of attacks can be carried out like this including a plain phishing page, tabnabbing etc.

Please don’t send emails like this – it doesn’t just impact the security of your site. Conditioning users to trust emails like this goes against a lot of user awareness training, regardless of which site they are accessing.

2 thoughts on “Win a prize! If you log in using the link in this email!!!!

  1. Permalink  ⋅ Reply

    Adam Piggott

    August 28, 2016 at 5:37pm

    PayPal and eBay are just as bad. They often use domains, empty or unintelligible text/plain emails, or those with HTML tags in them, repeatedly sending emails with the same subject such as “View recent transactions now” or “Help us protect your account” which seem pushy; another common phishing tactic. You’d hope such organisations would be sensitive to such behaviour.

  2. Permalink  ⋅ Reply

    Tim McCormack

    August 31, 2016 at 3:14am

    Not to mention that a phisher could now piggyback off of this campaign. Just because the campaign is real doesn’t mean the specific email you receive is legit… 🙂

Leave a Reply

Your email will not be published. Name and Email fields are required.

This site uses Akismet to reduce spam. Learn how your comment data is processed.