This morning a TLS reader sent us a copy of an email he received, ostensibly from the Department of Labor (DOL). As I have written here many times before, this is a perfect example of an email phishing scam. Fortunately, the receiver became suspicious and did their due diligence to ascertain if the email was fake or not.
“Hi. I am sending pics of an email that I got today. The sender address was a valid Department of Labor address. They had my name and everything. It stated that my user ID was cancelled at my request and if I hadn’t cancelled it, I should click a link to request reactivation. When I clicked the link, the page with the DOL logo on top came up. I started entering my info but realized that the website was not a .gov website, but a random .office website. I called my IT guy who determined that the nj.dol.gov email address was spoofed. I wanted to share so that no one else who receives it submits private info. BH, I deleted before submitting.”
The email is a typical scam where:
- The originator has a seemingly legitimate email address (from the NJ Department of Unemployment)
- The email uses the actual seal of the Department
- The link you are asked to click to update the account does NOT belong to the DOL
The alleged sender’s email address is “spoofed”. That means the email was made to look as if it was sent by someone else, as it was in this case:
Phishing emails will use official government or corporate logos to appear legitimate:
The link to update your account goes to an account operated with criminal intent: to steal credentials or personal information, or worse, to deliver ransomware or malware that infects your computer, tablet or phone:
Note that the domain in the link (forms.office.com) is a legitimate Microsoft site for creating and hosting customized Microsoft Forms. Anyone who receives the link can fill out such a form, which asks for whatever information its creator wants to collect, and the creator can then use that information in any manner they choose. That could range from selling your information to performing malicious actions against you.
Always observe the 3 items illustrated above. Never click on any link, no matter how legitimate it may seem. Call the company or agency and verify. Promptly delete the email.
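The sender and link checks described above can also be automated. The following is an added example, not part of the original report: it reads a raw message, looks at the receiving server's `Authentication-Results` header for the DMARC verdict on the From domain, and flags any link whose host falls outside a trusted suffix. The sample message (local part, relay names, form path) is constructed, and treating `gov` as the trusted suffix is an assumption drawn from the reader's own check.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: local part, relay names and form path are made up.
SAMPLE = """\
From: NJ Department of Labor <noreply@nj.dol.gov>
To: reader@example.com
Subject: Your user ID was cancelled
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mailer.example.net; dmarc=fail header.from=nj.dol.gov

If you did not cancel your user ID, request reactivation here:
https://forms.office.com/r/EXAMPLE
"""

def host_matches(host, domain):
    """True only if host is the domain itself or a subdomain of it."""
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)

def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts. Only trust this header when your own
    mail server added it; a sender can forge one that is not stripped."""
    found = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I):
            found[method.lower()] = verdict.lower()
    return found

def check_message(raw, trusted_domains):
    """Return a list of warnings for a raw RFC 5322 message."""
    msg = message_from_string(raw)
    warnings = []
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    dmarc = auth_results(msg).get("dmarc", "missing")
    if dmarc != "pass":  # a missing verdict is treated as unverified
        warnings.append(f"From domain {from_domain} is unverified (dmarc={dmarc})")
    # Walk every text part so multipart and encoded bodies are covered too.
    body = "".join(part.get_payload(decode=True).decode(errors="replace")
                   for part in msg.walk() if part.get_content_maintype() == "text")
    for url in re.findall(r"https?://[^\s\"'<>]+", body):
        host = urlparse(url).hostname or ""
        if not any(host_matches(host, d) for d in trusted_domains):
            warnings.append(f"link host {host} is outside {trusted_domains}")
    return warnings

if __name__ == "__main__":
    for warning in check_message(SAMPLE, ("gov",)):
        print("WARNING:", warning)
```

A display name and From address alone prove nothing, which is why the check relies on the authentication verdict rather than on how the sender field looks.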