The email claims the account details on file for the client are invalid and must be updated or the account will be placed on hold. The grammar of the message is generally poor, which is common in phishing emails, and it opens with a generic ‘dear customer’ salutation. Both of these are common signs of phishing which potential victims should look out for.
Included in the email is a button labelled ‘Review your details’, and the threat actors behind this campaign have used clever coding to hide the destination URL of the button from view. One of the common phishing checks people are advised to perform is to hover over a button to see the URL it points to; it is worth noting that this is not foolproof, and the message should be evaluated as a whole before a decision on its safety is made.
This is not the first time Stripe has been impersonated in phishing, so users should always double-check the legitimacy of such an email before handing over any of their account details.
In this campaign, if you click the button to review your details you will be directed to a website owned by the attackers. You will be prompted for your login credentials, your bank account numbers and your phone numbers. Having this much information could allow attackers to clone your phone SIM or gain access to your bank accounts.
If a client does make the mistake of filling in all their details to the end, they will see a message that their password is invalid and will be passed to the legitimate Stripe login page to try again, without realising it. The attackers hope that when the client is able to successfully log in on their second attempt – their first attempt at the legitimate website – they will be fooled into thinking they were on the legitimate site all along and will not be suspicious enough to start cancelling their cards and accounts or changing their login credentials.
Stripe has some helpful information on avoiding phishing on its website for its users, and its advice is worth bearing in mind for all potentially phishy emails. [ii]
- Hover over any buttons or URLs and check that the destination showing at the bottom of your browser is what you would expect. If it isn’t, do not click the link.
- Check that the sender’s email domain – the part of the email address after the ‘@’ symbol – matches what you would expect. In the case of Stripe, emails will only be sent from @stripe.com or @e.stripe.com.
- Only enter your credentials into a site when you are sure it is legitimate. Carefully check the domain for any typos, something like stirp.com in this case, and check that the padlock icon in your web browser is green or closed, depending on the browser you use.
- If in doubt, open a new browser window and type in the correct URL yourself rather than clicking any links, or call the company on its customer service phone number to double-check your account standing rather than giving your details to a possibly phishy site.
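The sender-domain and link-domain checks above can be automated, for example in a mail filter or a helpdesk triage script. The following is an added example written for this article, not Stripe's own code or tooling; it assumes the sender address and the link targets have already been extracted from the message, and the lookalike domains it is tested against (stirp.com from the campaign above, plus a constructed evil.example) are illustrative only.

```python
import re
from urllib.parse import urlsplit

# Sender domains Stripe says it sends from (see the advice above); anything else is suspect.
STRIPE_SENDER_DOMAINS = {"stripe.com", "e.stripe.com"}
# Registered domain that a genuine Stripe login link should point at.
STRIPE_SITE_DOMAIN = "stripe.com"


def sender_domain(address: str) -> str:
    """Return the lowercase domain after the '@' of an email address.

    Accepts the display-name form 'Stripe <billing@stripe.com>' as well as a bare address.
    Returns '' when the address does not contain exactly one '@'.
    """
    match = re.search(r"<([^>]+)>", address)
    addr = (match.group(1) if match else address).strip()
    if addr.count("@") != 1:
        return ""
    return addr.rsplit("@", 1)[1].lower()


def sender_is_stripe(address: str) -> bool:
    """Exact allowlist match: a suffix test would wrongly accept 'stripe.com.evil.example'."""
    return sender_domain(address) in STRIPE_SENDER_DOMAINS


def link_host_is_stripe(url: str) -> bool:
    """True only if the link is HTTPS and its host is stripe.com or a subdomain of it.

    urlsplit().hostname already strips any 'user@' prefix, so a link such as
    'https://stripe.com@evil.example/' is judged by its real host, evil.example.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    return host == STRIPE_SITE_DOMAIN or host.endswith("." + STRIPE_SITE_DOMAIN)


def assess_message(sender: str, links: list) -> list:
    """Return human-readable reasons to distrust the message; an empty list means both checks passed."""
    findings = []
    if not sender_is_stripe(sender):
        findings.append(f"sender domain '{sender_domain(sender) or '?'}' is not a Stripe sender domain")
    for url in links:
        if not link_host_is_stripe(url):
            findings.append(f"link host '{urlsplit(url.strip()).hostname or '?'}' is not stripe.com")
    return findings
```

A passing result only means the visible sender and link domains are consistent with Stripe; a spoofed From header or a hidden button target can still defeat it, which is why the message should be judged as a whole.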
If you need any help spotting phishing, or understanding what to do if you think you’ve handed over your details to a phishing site, please call our Cyber Helpline. Included in your membership and staffed by cyber security experts, the Cyber Helpline is able to provide high-level advice on a variety of cyber topics, including spotting phishing and how to protect yourself and your company from being phished. As an FSB member you can call the Cyber Helpline on 03450 727 727 with your membership number (lines open 9am – 8pm Monday to Friday).