Don't 'reply to' phishing emails | ACMA


14 April, 2015 10:00 AM


Don't 'reply to' phishing emails

By Peter Watts


The ACMA receives thousands of spam reports every day from members of the Australian public. Many of these are about ‘phishing’ emails, which deceive recipients into providing personal information that’s then used for illegal purposes. A common example is obtaining financial credentials to steal money from a bank account.

Phishing emails can range from messages that simply ask you to provide personal details by return email to those that include sophisticated forms designed to capture your private information.

The simplest email is the ‘reply to’ phish, which has been in circulation almost as long as email has been used. The fact that it continues to be widely used shows it must be a successful technique for fraudsters.

Most email users are familiar with phishing emails purporting to be from a financial institution that request banking or other financial credentials. These emails often use emotive hooks such as threats to close a bank account unless security details are provided via an online form.

‘Reply to’ phishing generally uses a simpler approach. Instead of requesting financial credentials, these emails ask for what might appear at first glance to be more mundane and less harmful information, such as the username and password for an email account.

Large internet service providers (ISPs) in Australia are often targeted by ‘reply to’ phishing campaigns that use emails like this:

From: LargeISP Admin Center <>

Subject: Notice

This mail was send by LargeISP Admin Center to notify you that we have temporally prevented access to your account.

We have reasons to believe that your email account may have been accessed by someone else and it was for illegal activities. Please run this file and Follow instructions:

You are to send LargeISP Admin Center the information below otherwise we shall block this account permanently, you must reply to this email immediately and enter your details below.

User Name:
Reconfirm Password:

Note that if we do not receive your reply in the next 48hrs we shall deactivate this account.

Vivian Fung
LargeISP Admin Center Support Team

Copyright © LargeISP 2015 All Rights Reserved.

The only technical ‘skill’ deployed in this email is forging the displayed sender address (<> in this example). A reply does not go to that address: the fraudster sets the message’s Reply-To header to an unrelated address, usually an account at a free webmail provider, and that is where your mail client sends the reply.

The strategy behind most ‘reply to’ phishes is simple. The phish makes it seem like you need to reply urgently, in the hope you won’t notice that your reply is bound for an address that has nothing to do with the organisation the email claims to come from.

These types of phishing campaigns depend on a lack of attention. A closer inspection of many (but not all) shows grammatical, spelling and other errors that indicate the email isn’t a legitimate communication from the organisation it claims to represent.

Why are phishers after email credentials?

Email account credential details are becoming increasingly valuable because they provide access to personal and financial information. Email accounts are often linked to other email and internet-based accounts containing a potential treasure trove of information for fraudsters—such as copies of bank statements, insurance and other financial or personal correspondence.

Fraudsters can also use your email accounts for:

  • sending spam, disseminating malware and undertaking phishing campaigns—an email sent from a legitimate account has a far greater chance of reaching other intended victims
  • initiating ‘daisy chain’ scams—once the fraudster gains access to your email account, emails sent from that account can be used to fool your friends and acquaintances with other scams
  • resetting passwords on your other internet accounts, as many password reset systems are linked to email accounts
  • extorting you—by using sensitive personal information contained in your account.

How can you protect yourself?

  • Use your common sense and be aware—no reputable ISP or email service supplier will ever ask you to send your username and password via email.
  • Before replying, check the address your reply will actually be sent to (most mail clients show it in the ‘To’ field of the reply window, taken from the message’s Reply-To header). If it is not at the organisation’s own domain, or it is a free webmail address, don’t reply.
  • Use two-factor authentication on your accounts where this is available. If your username and password are exposed, you’ll still be protected by the other ‘factor’.
  • Check out the Stay Smart Online website for further tips.
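The Reply-To mismatch described above (a forged From address with replies diverted to an unrelated address) can be checked automatically, for example in a mail filter or a training tool. The following is an added example, not ACMA’s code or any tool mentioned on this page; the three messages are constructed for the example, and the domains (largeisp.example, freemail.example) are placeholders. It parses the message headers with Python’s standard email module and flags a message when the address a reply would go to is not at the same domain as the claimed sender, or when the claimed sender address is empty, as in the ‘<>’ sample above.

```python
import email
from email.utils import getaddresses

# Constructed sample 1: styled after the LargeISP message above, but with a
# forged (non-empty) From address and a Reply-To at a free webmail provider.
PHISH = b"""From: LargeISP Admin Center <support@largeisp.example>
Reply-To: LargeISP Admin Center <largeisp.admin.center@freemail.example>
To: victim@largeisp.example
Subject: Notice

This mail was send by LargeISP Admin Center to notify you that we have
temporally prevented access to your account. Reply with your details below.
"""

# Constructed sample 2: the empty '<>' sender seen in the quoted phish.
EMPTY_FROM = b"""From: LargeISP Admin Center <>
Reply-To: <largeisp.support2015@freemail.example>
To: victim@largeisp.example
Subject: Notice

You are to send LargeISP Admin Center the information below.
"""

# Constructed sample 3: a legitimate message with no Reply-To header.
LEGIT = b"""From: LargeISP Support <support@largeisp.example>
To: victim@largeisp.example
Subject: Your monthly statement

Hi, your statement is available in your account.
"""


def first_address(msg, header):
    """Return the first email address (lower-cased) found in the named
    header, or '' if the header is missing or carries no usable address."""
    addrs = [addr for _name, addr in getaddresses(msg.get_all(header, []))]
    return addrs[0].strip().lower() if addrs else ""


def domain_of(addr):
    """The part after the last '@', or '' when there is no usable address."""
    return addr.rsplit("@", 1)[1] if "@" in addr else ""


def reply_mismatch(raw):
    """Work out where a reply to this message would actually go.

    Mail clients address a reply to the Reply-To header when one is present
    and to the From header otherwise, so the 'reply destination' is Reply-To
    falling back to From. The message is flagged when that destination is at
    a different domain from the claimed sender, or when the claimed sender
    address is empty (the '<>' trick). Domains are compared exactly; a
    production filter would compare registrable domains instead.
    """
    msg = email.message_from_bytes(raw)
    from_addr = first_address(msg, "From")
    reply_to = first_address(msg, "Reply-To") or from_addr
    reason = None
    if not from_addr:
        reason = "claimed sender address is empty"
    elif domain_of(reply_to) != domain_of(from_addr):
        reason = (f"reply goes to {reply_to}, not to the claimed sender "
                  f"domain {domain_of(from_addr)}")
    return {
        "from": from_addr,
        "reply_to": reply_to,
        "mismatch": reason is not None,
        "reason": reason,
    }


if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("empty-from", EMPTY_FROM), ("legit", LEGIT)):
        result = reply_mismatch(raw)
        verdict = "SUSPICIOUS" if result["mismatch"] else "ok"
        print(f"{label:10s} {verdict:10s} reply would go to: {result['reply_to'] or '(none)'}"
              + (f"  ({result['reason']})" if result["reason"] else ""))
```

The check is deliberately conservative: a genuine organisation can legitimately set a Reply-To at its own domain (for example a ticketing address), and that passes. What it catches is the pattern this article describes, where a reply is silently addressed somewhere the sender has no claim to. It does not verify that the From header itself is genuine; that requires SPF, DKIM and DMARC results from the receiving mail server, which this example does not look at.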
