
I'm having trouble figuring out how to best identify or deal with phishing spoofs when the email address in the FROM field looks legit. Like From: NORTONquickbooks@notification.intuit.com, where I can tell from reading the email that it's a spoof. If I get into the message source, it'll have Reply-To be something that shows obvious phishing like nornor385@hotmail.com (I don't mind exposing a phisher).

Even though I've been very good at identifying email scams, one of these slipped by me the first time and I ended up clicking a link to investigate if someone had purchased something using my email, and only realized after getting halfway through login that it was fake (I hadn't finished typing in the password, and I changed it quickly after that anyway after closing the page).

So, when I'm telling friends and family how to avoid spoofs, I can't rely anymore on "the email will not look legit", because this one looks as legit as I can imagine Intuit/Quickbooks would look.

I've already reported these emails to Intuit/Quickbooks, with no response, and posting to their public customer support forum only got the email addresses obscured in the posts, and the response team's boilerplate replies, showing they're just blissfully unaware that I'm telling them that their own advice to see if the email address looks legit doesn't work in these cases. They either don't understand or don't care. Or maybe they're a part of these spoofs? I can't tell.

Anyway, what are we to do about this? I keep reporting them as phishing, spoof, fake, etc, and they keep showing up. I suppose I can filter them out, but since they're using a legit-looking FROM email, any I'd get legitimately would also be filtered out... not good. What's the solution to these?

schroeder
SteveExdia
  • "does not look legit" is very old and ineffective advice. What do you *want* to do? What outcome are you expecting? – schroeder Jun 05 '22 at 17:24
  • SPF and DKIM were invented specifically to combat this exact type of spoofed message. Intuit has SPF and DKIM records set up in their DNS. Does your spam filter check SPF and DKIM on incoming emails? If so, please post the full headers of the spoofed message that you received. Related: https://security.stackexchange.com/questions/257417/how-did-this-paypal-spoof-email-pass-spf-dkim-and-dmarc – mti2935 Jun 05 '22 at 20:30
  • As you can see, you have received 2 very, very different answers because you have not properly defined your goal. Please refine your question. – schroeder Jun 06 '22 at 07:22
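
Added example (not part of the original thread): a header check that tests the two signals raised above, a Reply-To domain that differs from the From domain and the SPF/DKIM/DMARC verdicts recorded by the receiving server. The server name `mx.example.net`, the `Authentication-Results` lines and the function names are assumptions made for illustration; only the From and Reply-To addresses come from the question.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def org_domain(addr):
    # Crude registrable domain: last two labels. Assumption for brevity;
    # production code should use the Public Suffix List.
    domain = parseaddr(addr)[1].rpartition("@")[2].lower()
    return ".".join(domain.split(".")[-2:])

def check(raw, trusted_authserv="mx.example.net"):
    """Return a list of findings for one raw message."""
    msg = message_from_string(raw)
    findings = []
    reply_to = msg.get("Reply-To")
    if reply_to and org_domain(reply_to) != org_domain(msg.get("From", "")):
        findings.append("reply-to-mismatch")
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        authserv, _, rest = hdr.partition(";")
        # Only trust results stamped by our own receiving server; a sender
        # can put any Authentication-Results header it likes in the message.
        if authserv.split()[:1] != [trusted_authserv]:
            continue
        results.update(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", rest.lower()))
    for method in ("spf", "dkim", "dmarc"):
        if results.get(method) != "pass":
            findings.append(f"{method}-{results.get(method, 'missing')}")
    return findings

# Constructed samples: From and Reply-To are the values quoted in the question,
# the Authentication-Results lines are invented for illustration.
HEADERS = ("From: NORTONquickbooks@notification.intuit.com\n"
           "Reply-To: nornor385@hotmail.com\n"
           "Subject: constructed sample\n\nbody\n")
FORGED = ("Authentication-Results: mx.example.net; spf=softfail; dkim=none; "
          "dmarc=fail header.from=notification.intuit.com\n" + HEADERS)
AUTHENTICATED = ("Authentication-Results: mx.example.net; spf=pass; dkim=pass; "
                 "dmarc=pass header.from=notification.intuit.com\n" + HEADERS)

if __name__ == "__main__":
    print(check(FORGED))
    print(check(AUTHENTICATED))
```

The second sample shows why both checks matter: a message can pass SPF, DKIM and DMARC for the From domain and still direct replies elsewhere. A Reply-To mismatch is a signal to look closer, not a verdict, since legitimate senders also use a different reply domain.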

1 Answer


What's the solution to these?

The best practice hasn't changed:

  1. Don't use links in the email/SMS/whatever

  2. Visit the official site yourself, using either:

    • your own saved bookmarks (best)
    • launching the website from inside the genuine software (most applications have a link in the About dialog box or as a separate entry on the Help menu)
    • typing in the address manually (but you could make an unfortunate typo)
    • searching for the real site using a trustworthy search engine (trustworthy at least means one that doesn't sell placement of search results)
Ben Voigt