Be careful out there: A phishing story

01 May 2023

I am about to go into “mom mode” for this post, because I recently came across (and almost fell for) the most clever phishing attempt I have seen to date.

Some background

I recently had to replace my roof. The details are a much longer, unrelated story. Here are the highlights:

  1. It rained outside.
  2. Then, it rained inside.
  3. I filed a claim with my insurance company.
  4. A roofer replaced my roof.
  5. The end… mostly.

My claim is still open, due to some of the longer, unrelated details. As a result of that, my insurance adjuster called me late last week to give me a status update. During that conversation, he also said that he needed to send out an invoice for some tarping work.

None of this is directly related to the phishing attempt. However, it does serve as context to what happened today.

The phish

This morning, I received an email from Ann[1] with the subject line “Find attachment from We Make Roofs LLC”. The email contents said that Ann shared a document with me, via Adobe, and included a link for me to access the file. This was not unusual for them. During the roof replacement process, I received a lot of documents this way – contracts, receipts, etc.

Given my conversation last week with the adjuster, my first thought was that We Make Roofs LLC was trying to bill me for the aforementioned tarping work. Annoyed (especially since I thought my side of the financials was done), I clicked the link to figure this out.[2]

Red flag #1: The link took me to a page that redirected me to another page. The second page immediately asked for a user name and password. I never created an account with We Make Roofs LLC and our previous shared files never required passwords.

I replied to the email, which went to [email protected][3], to ask what was going on.

Red flag #2: A few minutes later, I got a second email from We Make Roofs LLC. This time it was from Patricia, with the subject line “Urgent_ImportantDocs 05-01-2023”. This email didn’t go to me directly, but to “Undisclosed Recipients”. This email practically screamed “I’m a phish!”

However, that conversation with the insurance company was still in the back of my mind. I called We Make Roofs LLC, using the contact information I already had for them, to figure out what was going on.

The real deal

First of all, Ann and Patricia are real people. Ann is a customer liaison whom I’d spoken with before. Patricia is the head of the billing department.

We Make Roofs LLC is a smaller, local company, and they answered my call right away. The emails were definitely not a legitimate communication attempt. The person I spoke with said that Ann’s email had been compromised, but they did not think Patricia’s had been as well. They had questions when I told them about the emails I had received and promised to relay my experience to their IT department.

Lessons learned

Whether the timing of this phish was intentional or not (given my recent communication with insurance), it almost got me. Almost. I’m sure it worked on someone. I am both impressed and really angry.

In conclusion:

  1. Never click on anything.
  2. No really. Never click on anything.
  3. If an email feels suspect at all, especially if it is from a company that you have worked with, just call them.[4]

Stay safe out there.

  1. Names of both people and companies have been changed. 

  2. Yes, I know. Bad. Bad. Bad. Bad. Bad. Never click on links in an email, but the context, timing, and my annoyed state made me think this was real. My deepest apologies to every security person I know. 

  3. Again, I changed all the names. This is not a real email, but the email I replied to was a legit email for the real company. 

  4. I know, I hate making phone calls too, but sometimes it’s good for you. Trust me.