How to Spot A Phishing Email, Part 2 – The Attachment

Have you been curious as to what the attachment said in the How to Spot a Phishing Email article? Well, you’re in luck! The author of the How to Spot a Phishing Email article had connections with people who could safely investigate the attachment and provide screenshots of its content. Thus, we can take a look at what it really said.

NOTE: NEVER OPEN AN ATTACHMENT FROM AN EMAIL THAT YOU ARE UNSURE OF. IT COULD INSTALL MALWARE ONTO YOUR COMPUTER!

This is what the attachment said. Let’s break it down.

An Appeal to Emotion

The first notable thing (and red flag) is that the attachment immediately claims that this position is being offered by The International Medical Corps. This is a real organization that does provide the humanitarian relief services mentioned in the first paragraph. You can visit their website here. In the second paragraph, there is another mention of helping the vulnerable and disadvantaged, and the supposed author of this document claims to be currently helping endangered people in Ukraine.

This all sounds quite nice and respectable, which is exactly the reason that this hacker included it. This job position and email are not from the International Medical Corps at all. The claim serves to tug at our heartstrings; to make us think that they are being genuine since they are helping the less fortunate. In reality, however, they are taking advantage of our emotions to try and make a profit. They want us to think that we are helping to do good in the world by falling for their schemes, or to give us a sense of guilt if we do not accept.

The Position Being “Offered”

            Of course, the position of Temporary Personal Assistant does not sound fake outright. However, for the purposes of this “job offer”, the title of this position is very vague. A personal assistant position could cover a variety of duties and tasks, which is exactly why the hacker chose this job title. These types of emails are sent out to as many people as possible. By making the job one that nearly anyone could perform, more people are likely to fall for the scheme.

This “job position” is also very flexible, again making it one that even more people could do. At first, the attachment claims that the job has a minimum daily requirement of 1 hour per day, but then immediately after states that this requirement need only be done 2 to 3 times per week. This does not make sense: if this is a daily 1-hour requirement, then it should be done each day of the week, not just 2 to 3 times.

            Later on, under the more “formal” listing of the job details, it states that the position is 8-10 hours per week. If we refer back to earlier, the attachment stated that the position needed 1 hour per day, 2 to 3 times per week. This would only be 2 to 3 hours per week. Yet again, the job details are contradictory and confusing. This may have been done on purpose to prompt an unknowing user to email back for clarification, or it could have been a simple case of carelessness on the hacker’s part.

            Again, in the job requirements, the position is said to be flexible. However, it also states that it won’t “disturb your other job or your current studies”. Based on the content of the email and the attachment, it seems that the hacker is targeting students with these phishing attempts, so it is not unreasonable to assume that they are emailing a student. However, they do assume that the student already has another job, which is strange. Not every student has a job that they work during the school year. Again, this may have been done to prompt a response from an unknowing user or could have been simple carelessness.

            Next, we notice that this “job” is one that can be done at one’s home or dorm room. It very explicitly states that one does not need to travel nor own a vehicle for the position. Yet, as we see later on in the job description, some of the duties include “inspecting items paid for at the Post office” and the “Purchase and deliveries of Gift Items, Groceries, Stamps and Stationary”. Of course, some people do live within walking distance of their local post office or grocery store. But many do not. How is someone supposed to complete these duties if they do not have a vehicle, but a vehicle is not a requirement? If travel is not needed, then how is someone supposed to purchase and deliver groceries or mail? Again, the job contradicts itself.

Who is our “Boss”?

The third paragraph is the first mention in the attachment of the “boss” for this position. As per usual, details are vague, and it also takes advantage of the current conflict between Russia and Ukraine to trick unsuspecting viewers. Not only that, but it provides a sense of hope in the form of promotion to long-term employment… as soon as the “boss” returns, at a date that is not disclosed. At no point does this person give their name, which is arguably one of the most important things to know when going into a position.

Also, it is possible that the hacker may actually “send” work to someone who signs up for this “job position” only to later claim they are not impressed and immediately stop responding to all emails.

To me, the duties of this “position” seem very general in nature. While the attachment does give some more concrete examples, such as making payments or delivering groceries, none of these truly stand out. Not only that, but these duties are mostly just general errands and household chores. Again, this serves to draw more people into accepting this “position”, since it would not require too much extra effort for a college student to run errands such as these.

Job Responsibilities

This responsibility is arguably one of the most notable: “Inspecting items paid for at the Post office near to you”. In the United States, the position of Postal Inspector serves to, as the name implies, inspect items that are sent through the United States Postal Service. In most cases, applying as a Postal Inspector requires a four-year degree, among other requirements. So what exactly is this responsibility, then? It could be simply picking up things that were mailed in and seeing what they are, but why not just say “pick up items” (as stated previously in the attachment)? Regardless, this responsibility is strangely worded and confusing.

Job “Benefits”

            Many jobs come with benefits such as insurance or retirement plans, and so does this “position”. Offered to those who accept is AD&D Insurance. If one does not know what this insurance type is, they may just assume it is general healthcare or something similar. This is not the case. AD&D Insurance stands for Accidental Death & Dismemberment Insurance. While I will admit I’m not the most savvy when it comes to insurance plans, in what world would someone need Accidental Death & Dismemberment Insurance for picking up groceries or delivering payments? Whether this is a veiled threat to the reader, a lack of insurance knowledge on the part of the hacker, or just a lack of care, it is still very alarming and a huge red flag.

            One of the other benefits mentioned is, as usual, strangely worded. What, exactly, stands a chance of benefiting? Obviously, they mean the person taking the position, but again this uncertain language may imply that the hacker could lead an individual on for a few months before cutting contact. We also have the two big phrases of “philanthropic education” and “students supports”, again trying to make the position sound more important and realistic.

How do We Apply?

            Now we get down to details. What exactly do they want from someone who is interested in applying? To start, they ask for a full name, address, email, alternate email, age, mobile phone number, résumé, and a short statement on why the individual should get the job. These are all typical things to ask for, and nothing stands out too much. It is strange that they ask for an alternate email; sure, people often have many email accounts, but it is strange to ask for more than one from someone (unless it is for security purposes). Based on this, it seems that the hacker is, at this stage, simply trying to gain as much information from unsuspecting users as possible (instead of trying to get access to one’s account). This could be so that they can impersonate this user later on, sell their information, or simply hold it for ransom and demand payment. Regardless, you should never send this much personal information to someone if you are unsure of who they are or did not expect to receive such a request.

            Now, the above-mentioned information is to be sent to their “official email”. The email address has been redacted, but we can see that it ends in @aol.com. Anyone can make an AOL email account. Not only that, but if this truly were an official email from someone who worked with the International Medical Corps, they would likely have an email that ended in @internationalmedicalcorps.com or something similar, not @aol.com. Thus, we can tell that this sender likely doesn’t work for the International Medical Corps as they claim. Also, the address provided does not contain a name of any sort and has strange formatting to it, which also stands as a red flag that this email is not affiliated with the International Medical Corps.
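The sender-domain check described above can be automated for text pulled out of a suspicious attachment. The following Python sketch is an added example, not part of the original analysis; the sample text, the webmail list, and the expected domain (the one this article mentions) are assumptions, so substitute the organization's verified domains in practice.

```python
import re

# Short illustrative list of free webmail providers (assumption, not exhaustive).
FREE_WEBMAIL = {"aol.com", "gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

# Domain the article says an official address would likely use (assumption:
# replace with the domains the organization actually publishes).
EXPECTED = {"internationalmedicalcorps.com"}

ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}")

# Constructed sample text; both addresses are made up for this example.
SAMPLE = ("Kindly send your details to our official email: "
          "xx0000.00.00@aol.com. A staff address might look like "
          "jobs@mail.internationalmedicalcorps.com instead.")


def domain_matches(domain, expected):
    """True only for an expected domain or a true subdomain of one."""
    return any(domain == e or domain.endswith("." + e) for e in expected)


def contact_address_flags(text, expected_domains):
    """Return {address: [red flags]} for every email address found in text."""
    expected = {d.lower() for d in expected_domains}
    findings = {}
    for match in ADDRESS_RE.finditer(text):
        address = match.group(0).lower()
        local, _, domain = address.rpartition("@")
        reasons = []
        if domain in FREE_WEBMAIL:
            reasons.append("free webmail domain")
        if not domain_matches(domain, expected):
            reasons.append("domain does not match claimed organization")
        # An address with no name in it: fewer than half the characters are letters.
        if sum(c.isalpha() for c in local) < len(local) / 2:
            reasons.append("local part is mostly digits or symbols")
        findings[address] = reasons
    return findings


if __name__ == "__main__":
    for addr, reasons in contact_address_flags(SAMPLE, EXPECTED).items():
        print(addr, "->", reasons or "no flags")
```

The suffix comparison requires a leading dot, so a lookalike such as internationalmedicalcorps.com.example.net is still reported as a mismatch.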

This is, Apparently, Urgent

            This statement at the end of the attachment serves to implicitly invoke a sense of urgency. They need your information (to allegedly correspond), and they need it to be correct. This is also a red flag, although a bit more implicit.

Grammar & Spelling

Finally, we have the grammatical errors, buzzwords, spelling mistakes, and strange formatting. This attachment is filled with each of the four, from bullet-pointed lists not formatted correctly, to words being capitalized that are not proper nouns, to misuse (or lack of use) of punctuation. This is one of the biggest and most easily noticeable red flags for any phishing attempt. As mentioned previously, if this were any sort of official business document, it should not contain any sort of spelling or grammatical errors, and it should be formatted correctly.

It is always better to be safe than sorry when it comes to a suspicious email, so please do not open any attachments from suspicious emails. If you receive an email that raises any red flags, it may be a phishing email.

Phishing Email Checklist

This checklist can help you determine whether or not a suspicious email is a phishing email. If an email matches several of the qualities below, then it may be a phishing email. It is always best to err on the side of caution.

  • Did you expect to receive the email?
    • If you did not, then it may be a phishing email.
    • Of course, sometimes unexpected emails are received.
  • Is the email from outside your organization’s network?
    • If it is outside your organization’s network, then it may be a phishing email.
  • Do you recognize the sender?
    • If you do not, then it may be a phishing email.
    • If you do and have another way to contact them, try reaching out to confirm that they sent it.
  • Does the sender’s name sound fake or strange?
    • If it does, it may be a phishing email.
  • Does the email address look like a real email?
    • If it does not, it may be a phishing email.
    • Keep in mind that some hackers can disguise what their email address looks like to make it appear legitimate.
  • Was it sent at a strange time?
    • If it was, it may be a phishing email.
    • Of course, sometimes people may be working at different times of the day than you do.
  • Does the subject of the email seem strange or invoke a sense of urgency?
    • If so, it may be a phishing email.
  • Does the content of the email make sense if it is sent by the sender?
    • If it does not, it may be a phishing email.
    • For example, if the email alleges to be about legal action but comes from a coffee shop’s email, it doesn’t make sense.
  • Does the email contain spelling or grammar mistakes?
    • If so, then it may be a phishing email.
  • Does the email sound strange or contain a lot of jargon or buzzwords without clear meaning behind it?
    • If so, then it may be a phishing email.
  • Does the email urge you to take action on something urgent or important?
    • If so, then it may be a phishing email.
    • This could be clicking on a link, sending an email, or even logging in on a website.
  • Does the email contain a file or attachment that is strange or suspicious?
    • If so, then it may be a phishing email.
    • This could be an attachment that is named strangely or even an attachment that is unexpected (for example, you wouldn’t expect someone to attach their diary to an email about marketing).
