Some of our favorite “worst” scam attempts from the past year

The Detection team here at Sublime sees some of the worst email scams. Scams that take advantage of a target’s innate goodness, requesting charitable donations or asking for help after a disaster. Scams that take advantage of economic need, tricking people into clicking links in the hopes of a new job or a much-needed bonus. And the scams we loathe the most, the ones using fear as a motivator, like invites to fake termination meetings and extortion messages that include images of your home pulled from Google Street View.

But we also get to see a different kind of “worst” email scams.

We get to see the scams that are so poorly crafted that even we have to laugh through the malicious intent. This April Fools’ Day, we present to you some of our favorite “worsts” from the past year.

Illumi-naughty!

While the Detection team can neither confirm nor deny the existence of the Illuminati (you know, the organization that secretly controls the world), we’re pretty sure they wouldn’t be using Yahoo Mail or Gmail for recruitment.

Keanu Reeves, the bassist for Dogstar

Celebrity impersonations are a common scam tactic, but generally, they don’t involve focusing on a celeb’s lesser-known accomplishments (or using their full, non-SAG name).

You don’t have to be in it to win it

We’re not sure why the largest social media network would resort to starting a lottery to attract new users (or how they managed to get HSBC involved), but then we have no idea how much money Meta has spent on the Metaverse.

Generally speaking, Americans don’t pay other Americans in Euros… and lottery winners don’t randomly give away millions to strangers.

A thesaurus in the wrong hands…

Sending an ATM card by shipping container seems pretty inefficient, but if you’re going to do it, make sure you pick it up in a reasonable amount of time.

Don’t peek at these Looks

While Google Looker Studio service abuse is not a laughing matter, we do tip our hat to clever wordplay. Also, we definitely had to crop out the bottom of this email.

Go big or go home

This one was sent to a recipient list as big as the logos that were embedded.

Ok, this one got us

Do we want to open a suspicious message? No. Do we want to review the employee handbook? No. But do we want FREEEEEE FOOD!!!? Yes…

Don’t be April Fooled by a scammer this year

These are all funny examples, but most of the scams we see aren’t funny at all. Attacks are getting more sophisticated every day thanks to new tools and techniques:

  • AI/LLMs: Attackers can use free and low-cost AI tools to learn about their targets and then rapidly generate highly targeted spear phishing attacks at never-before-seen speed and scale.
  • Phishing kits/Phishing as a service (PhaaS): Kits and PhaaS offerings (e.g., Tycoon 2FA) help bad actors create and deploy large-scale phishing campaigns with a low level of effort at an affordable rate.

These advancements have helped bad actors attack, iterate, and evolve at a velocity that exceeds the capabilities of default and traditional email security systems. Because of this, the most effective email security platforms are adaptive, using AI and machine learning to stay ahead of the latest tactics and techniques deployed by bad actors.

If you enjoyed these examples, check out our regular Attack Spotlights. While not funny, we think you’ll find them interesting and informative.

About the Author

Threat Detection Team

Sublime

The Threat Detection team at Sublime is responsible for monitoring environments to discover emerging email attacks and developing new Detection Rules for the Core Feed.
