Week 33: How phishers try to bypass spam filters

23.08.2022 - The number of reports received by the NCSC rose sharply last week. As has often been the case recently, this increase was driven by threatening emails sent in the name of the police. Further reports were received about phishing attacks in which the attackers tried to trick the spam filters by inserting irrelevant text content in their emails.

Phishers try to trick spam filters

For some time now, phishing emails have been circulating claiming that the recipients have paid their latest bill twice and are therefore entitled to a refund. In these cases, the attached link, which recipients are supposed to click on to obtain the refund, leads to a fake website where they are asked to enter their login name and password. Among other information, credit card details are also requested.

Last week, the NCSC again received numerous reports of emails with these types of refund promises. However, this time there was a peculiarity that was probably overlooked by most recipients: when the email was opened, a look at the scroll bar on the right side indicated that the email contained further content.

The scroll bar on the right side indicated that there must be more text lower down.

Scrolling down, after several blank lines, other text from emails appeared that was unrelated to the actual phishing attempt, including a registration for a child day-care centre, a COVID-19 test notification and correspondence with an international telephone provider. What was behind this? Did the attackers make a mistake in this case and accidentally attach other emails?

Text from a legitimate email that was appended below the phishing email.

The NCSC assumes that the attackers are using this method to try to influence the spam filters to their advantage. Because the emails also contain legitimate, run-of-the-mill content, the fraudulent content is likely to carry less weight in the spam evaluation. Whether this text is visually separated from the rest of the email is unlikely to be a factor, at least for some spam filters.

The legitimate content used was stolen from an email account in advance by the attackers. This shows that fraudsters also try to use data that at first glance appears to be worthless to their advantage.

The NCSC has already observed this approach in other cases. For example, additional innocuous text has been added to spam emails in the background colour, meaning the recipients cannot read this text, but spam filters still recognise it and include it in their evaluation.
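For mail administrators, a heuristic for both padding patterns described above (unrelated text after a long run of blank lines, and text in the background colour) might look like the following. This is an added example, not NCSC code; the function names, the 15-line threshold and the white default background are assumptions.

```python
import re
from html.parser import HTMLParser

VOID = {"br", "hr", "img", "meta", "input", "link", "wbr", "col", "area", "base"}

def trailing_padding(text, blank_run=15):
    """Return text that follows a long run of blank lines (threshold assumed)."""
    lines, run = text.lstrip().splitlines(), 0
    for i, line in enumerate(lines):
        if line.strip() and run >= blank_run:
            return "\n".join(lines[i:]).strip()
        run = 0 if line.strip() else run + 1
    return ""

def norm_colour(value):
    """Lower-case a CSS colour, expand #abc to #aabbcc, map 'white' to hex."""
    v = value.strip().lower()
    if re.fullmatch(r"#[0-9a-f]{3}", v):
        v = "#" + "".join(c * 2 for c in v[1:])
    return "#ffffff" if v == "white" else v

class _Hidden(HTMLParser):
    def __init__(self, background):
        super().__init__()
        self.background, self.stack, self.found = norm_colour(background), [], []
    def handle_starttag(self, tag, attrs):
        if tag in VOID:  # void elements have no end tag, keep them off the stack
            return
        style = dict(attrs).get("style") or ""
        # Lookbehind skips 'background-color'; elements without 'color' inherit.
        m = re.search(r"(?<![-\w])color\s*:\s*([^;]+)", style, re.I)
        inherited = self.stack[-1] if self.stack else False
        self.stack.append(norm_colour(m.group(1)) == self.background if m else inherited)
    def handle_endtag(self, tag):
        if tag not in VOID and self.stack:
            self.stack.pop()
    def handle_data(self, data):
        if self.stack and self.stack[-1] and data.strip():
            self.found.append(data.strip())

def hidden_text(html, background="#ffffff"):
    """Return text rendered in the background colour (background is assumed)."""
    parser = _Hidden(background)
    parser.feed(html)
    return " ".join(parser.found)

# Constructed samples, not taken from the reported emails.
SAMPLE_TEXT = "You paid twice. Claim your refund.\n" + "\n" * 20 + "Day-care registration form\n"
SAMPLE_HTML = '<p>Claim your refund.</p><br><span style="color:#FFF">Club meeting minutes</span>'
```

A non-empty result from either function is a signal to score the visible part of the message on its own rather than proof of phishing. Only inline `color` styles are checked here.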

  • Never enter personal data such as passwords or credit card details on a website that you have reached via a link in an email or text message. Bear in mind that email sender IDs can easily be spoofed.

  • Be sceptical if you receive emails that require action on your part and that carry a threat of consequences (loss of money, criminal complaint or court proceedings, blocking of account or card, missed chance, misfortune, etc.) if you do not do what is required.

Last modification 23.08.2022