Can you trust this page?
If you look in the address bar (at the top of this page) you will see that this page is on the blog.bham.ac.uk site. This tells you that the page is within the bham.ac.uk internet domain which is owned by the University of Birmingham. If you came to this page to confirm if a test phishing email really was a test, then also check that the image of the email below matches the email you were sent.
On Tuesday 18th March, IT Security sent a number of staff a simulated phishing email with these details:
– From: Account Security at corp-password-mangemet.com
– Subject: FINMAL ACCOUNT REMINDER
– It pretended to be a warning that your E-mail would be suspended and your account closed unless you CLICK HERE TO VERIFY.
If you clicked on that link you were asked for your username and password. Those people who entered a username and password were taken to a page reassuring them this was a benign phishing simulation by IT Security. No passwords were collected or stored!
Why we did this
Our aim is not to penalise, embarrass or make anyone feel bad if they “fell for the scam”. You are not in any trouble because of this. No-one will be “named and shamed”. Your line manager will not be told. We think of this as serving the same purpose as an unannounced fire drill, to make people more aware of the most common way that criminals steal passwords.
Criminals usually have more experience in conning honest people than honest people have in protecting themselves. We want to help you to protect yourself (and the University) by raising awareness of how easy it is to be lured into giving away your personal details and password by malicious emails that appear genuine.
This simulated phishing email is based on recent real-life phishing emails intercepted by our automated defences.
The email – with the suspicious parts marked in red

This email is suspicious because:
- The University of Birmingham would not require you to verify your University account in this way.
- It claims to be about your University account but it comes from outside the University.
- It threatens to close your account in order to rush you into acting without thinking.
- It refers to a non-existent previous email, although emails are sometimes undelivered, missed or end up in your Spam/Junk folder.
- The logo doesn’t look quite right and there are spelling mistakes, e.g. “finmal” instead of “final” and the brand name Outlook spelt with a lower case “O”. Although spelling and grammar mistakes are often an indication of spam or phishing, perfect spelling and grammar do not mean that it is a genuine email. Some scammers can write perfect English – with or without the help of AI tools such as Microsoft Copilot or ChatGPT.
- It claims to be from corp-password-mangemet.com which is a fake domain pretending to be Microsoft Office 365.
- It asks for a username and password. Any email which links to a place where you are asked to give your username and password should be treated with caution – you should pause, think and ask yourself:
Who is it really from?
Does the sending address match the alleged Sender?
In this case, the Sender’s email domain is @corp-password-mangemet.com, not @bham.ac.uk or microsoft.com as you might expect if it were really from the University of Birmingham or Microsoft.
Where does the link take you?
You can reveal the full address:
- on a computer, by hovering the mouse pointer over the link (without clicking on it!)
- on a phone/tablet, by a long press (holding down on the link).
In this example, CLICK HERE TO VERIFY links to corp-password-mangemet.com which is not a University or Microsoft website.
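The two checks described above (who is it really from, and where does the link take you) can also be automated. The following is an added example, not code used by IT Security; the list of expected domains is an assumption, and the sample message, its sender address and its link path are constructed from the details on this page.

```python
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

EXPECTED_DOMAINS = {"bham.ac.uk", "microsoft.com"}  # assumption: genuine senders

# Constructed sample modelled on the simulated email; address and path are made up.
SAMPLE = """\
From: Account Security <alerts@corp-password-mangemet.com>
Subject: FINMAL ACCOUNT REMINDER
Content-Type: text/html; charset="utf-8"

<p>Your E-mail will be suspended unless you
<a href="https://corp-password-mangemet.com/verify">CLICK HERE TO VERIFY</a></p>
"""

class LinkCollector(HTMLParser):
    """Collects the real destination (href) of every link, not its visible text."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def is_expected(host):
    """True only for an expected domain or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in EXPECTED_DOMAINS)

def check_email(raw):
    """Return the reasons the sender or the links do not match expectations."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    sender = parseaddr(str(msg["From"]))[1].rpartition("@")[2]
    if not is_expected(sender):
        findings.append(f"sender domain {sender} is not expected")
    body = msg.get_body(preferencelist=("html",))
    collector = LinkCollector()
    collector.feed(body.get_content() if body else "")
    for href in collector.hrefs:
        host = urlsplit(href).hostname
        if not is_expected(host):
            findings.append(f"link goes to {host}, not an expected site")
    return findings

if __name__ == "__main__":
    print("\n".join(check_email(SAMPLE)))
```

An empty result only means these two checks passed. The From header can be forged, so it does not prove that an email is genuine.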
You should always ask yourself the following:
- was I expecting this email?
- is the Sender known to me?
- and was I expecting them to send such a message or (in some cases) share a file?
Fraudsters are very devious in using addresses which look similar to genuine ones. This page, from Caltech, shows you how to read URLs (web addresses) correctly to help you to avoid some of the dirty tricks used: https://www.imss.caltech.edu/services/security/recommendations/how-to-read-urls
You can test your knowledge by identifying which of 10 emails are legitimate or phishing here: https://www.phishingbox.com/phishing-iq-test/quiz.php
If you work or study at the University of Birmingham and have questions or comments about this phishing campaign then contact: itsecurity@contacts.bham.ac.uk