SoPhishTicated Attack: An Analysis

By Founding Principal Mark Ian Anderson

In July, one of our general business inboxes received the email below.

Full Phishing Email

Initial review gave the recipient some pause, but there was enough legitimacy to prompt further investigation. Here’s a breakdown of what I looked at and the conclusion I came to.

First, let’s review some items in this email.

Full Phishing Email with Notes

At the top of the email, we see the information about the sender, when the email was sent, who it was sent to, and the subject. There are no immediate red flags here—at first glance.

Our firm utilizes two different email filtering programs. Both IRONSCALES and Sophos attached warnings urging caution with this email, but neither flagged it as a known spam or phishing campaign. That does NOT mean the email is safe! If you are unfamiliar (or even familiar) with the person or company, alerts like this should make you pause and take another look.

Finally, we see a standard email signature. No immediate red flags here either. Without further digging, it would be easy to believe that this email is a legitimate request for IT services.

Diving In

I started by looking up William R. DeMilt on LinkedIn (https://www.linkedin.com/in/william-r-demilt-b75b8a6/), and he is indeed the Global Sourcing & Procurement Manager at AIG.

AIG’s US-based corporate street address is (almost) correct, but notice that the perpetrators omitted the state abbreviation “NY” after the city.

From the Contact page of AIG’s corporate website, the correct address is:

28 Liberty Street
46th & 47th Floor
New York, NY 10005

The next item I focused on was the domain for Mr. DeMilt’s email address, william.demilt@aig-us.com.

A simple way to check the legitimacy of this email’s source is Wikipedia. Search for AIG, scroll to the External Links at the bottom of the entry, and you will see that AIG’s official site and domain name is, in fact, “aig.com” rather than the subtly modified “aig-us.com” the email originated from.

To further confirm this, I used a slightly more advanced tactic.

By querying the ICANN registration data lookup tool (https://lookup.icann.org/en/lookup) for the domain “aig-us.com”, I discovered that the domain was registered only two months ago!

Update: Since publication of this blog, “aig-us.com” has been taken down and no longer forwards to AIG’s official site, aig.com.

Looking up the registration record for “aig.com”, we see a marked difference in the nameservers and dates:

“Aig.com” was registered on October 25, 1995 compared to June 13, 2022 for “aig-us.com”, or almost 27 years earlier. Said another way, the domain “aig-us.com” sprang into existence 24 days prior to the suspicious email in question hitting my inbox. It’s not too likely that AIG, a firm founded in 1919 with over 36,000 employees, decided to join the world wide web two months ago!
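As an added illustration of the two checks just described, the registration-age lookup and the “aig-us.com” versus “aig.com” comparison, here is a small triage script. It is not the author’s code; the RDAP documents (the JSON format served behind lookup.icann.org), the 7 July arrival date and the 90-day “newly registered” threshold are all constructed to match the dates the post reports.

```python
import json
from datetime import datetime, timezone
from typing import Optional

# Constructed sample RDAP responses (RFC 9083 "events" format) using the
# registration dates reported above; a real check would fetch these from an
# RDAP server instead of embedding them.
SAMPLE_RDAP = {
    "aig.com": json.dumps({"events": [
        {"eventAction": "registration", "eventDate": "1995-10-25T04:00:00Z"}]}),
    "aig-us.com": json.dumps({"events": [
        {"eventAction": "registration", "eventDate": "2022-06-13T00:00:00Z"}]}),
}

# Assumed arrival date: 24 days after the aig-us.com registration, as the post states.
RECEIVED = datetime(2022, 7, 7, tzinfo=timezone.utc)
NEW_DOMAIN_DAYS = 90  # assumed threshold; anything younger is "newly registered"


def registration_date(rdap_text: str) -> Optional[datetime]:
    """Return the registration timestamp from an RDAP JSON document, if present."""
    for ev in json.loads(rdap_text).get("events", []):
        if ev.get("eventAction") == "registration":
            ts = ev["eventDate"].replace("Z", "+00:00")
            return datetime.fromisoformat(ts).astimezone(timezone.utc)
    return None


def domain_age_days(rdap_text: str, received: datetime) -> Optional[int]:
    """Whole days between the domain's registration and the mail's arrival."""
    reg = registration_date(rdap_text)
    return None if reg is None else (received - reg).days


def is_lookalike(sender_domain: str, brand_domains: list) -> bool:
    """True when the sender's registrable label is built from a known brand
    label by adding hyphenated parts (e.g. 'aig-us' from 'aig') and the
    sender domain is not the brand domain itself."""
    sender = sender_domain.lower()
    parts = sender.split(".")[0].split("-")
    for brand in brand_domains:
        if sender != brand.lower() and brand.lower().split(".")[0] in parts:
            return True
    return False


def triage(sender_domain: str, rdap_text: str, received: datetime, brand_domains: list) -> dict:
    """Combine the two signals into one verdict record for the analyst."""
    age = domain_age_days(rdap_text, received)
    return {"age_days": age,
            "newly_registered": age is not None and age < NEW_DOMAIN_DAYS,
            "lookalike": is_lookalike(sender_domain, brand_domains)}
```

For “aig-us.com” the script reports an age of 24 days and both flags raised; for “aig.com” it reports an age of roughly 27 years and neither flag.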

Finally, by utilizing an online directory such as ZoomInfo, I found that William R. DeMilt’s legitimate phone number isn’t anywhere close to the one listed in “his” signature: (845) 202-1573.

Actual phone numbers (final digits obfuscated for privacy):

(201) 631-45XX [w]

(646) 483-01XX [c]

Now we are armed with a ton of hard evidence that this email did not originate from Mr. DeMilt or AIG. But there is additional evidence in the text of the email itself. Technical indicators are one way to take down a phish. Reading context clues and keeping a close eye on language is another. Let’s take one more look at the email:

Full Phishing Email

Looking closely at linguistic choices can make you well-armed to catch phishing emails, even if you don’t want to dive deep into the technical details like I did.

In this email, “William” capitalizes Company only to use the word again later, but without capitalization, and he omits the word “an” prior to “IT Infrastructure upgrade.”

Then, a trickier one: “Kindly” appearing in any email or text these days should serve as a flag of caution. While the word has fallen out of common use in the United States, it is still taught as correct for English-learners around the world. A phisher may use it believing they are presenting a polite front, not knowing that in truth, it causes them to stand out.

We can confidently say this is a phish!

Need additional phishing protection for your business? Would you like your team to learn more about the social and technical ways to stay safe online? Contact us today before it’s too late.