This phishing e-mail landed in my work mailbox last week. This one was interesting as it was very professional and it was not obvious that it wasn’t the real thing. Here’s a snapshot of the e-mail itself:

Further, the PDF file was reasonably well formed:

Indicators that triggered the notion of a scam:

a)      I do not expect any shipment from DHL

b)      Address is a DHL UK address (real) but the copyright is DHL International GmbH, which is actually not the correct entity even for Germany.

c)       The PDF file is produced using a free converter tool not a professional publishing tool, and the logo is low-resolution raster graphics (not visible if not enlarged)

d)      The link “Here” leads to a non-DHL domain (odrillncm dot com) registered in 2015 to a user in Lagos, Nigeria… (found by a whois registry lookup)

Some quality signs:

a)      Address and phone numbers for DHL in the UK are authentic

b)      Good grammar and spelling, correct use of straplines, DHL corporate identity, etc.

c)       Name of rep “David Blair” – a semi-known British TV producer, and a common name, making it hard to verify authenticity by googling or searching on linkedIn/Facebook, etc.

The cues used to identify the scam are probably beyond “average office PC user” level, and this is most likely an identity theft attempt. This sort of phishing is also used to target ICS enviornments and this case is therefore interesting in that respect.