Email Security Best Practices: How To Keep Your Email Program Safe
We’re not going to beat around the bush – phishing sucks. It sucks to fall for a phishing attempt, and it sucks to have phishers pose as you. We can go on and on about how to protect yourself from phishing (and don’t worry, we will by the end of this post), but we stopped and thought – have we ever talked about how phishing happens from our perspective?
Nope.
Well, no time like the present, right? Let’s get into it.
Phishing starts with well… the phishing. They send out the attempt, sometimes posing as us, sometimes as a long-lost relative who just got a massive sum of money from an inheritance. Hopefully it lands in your spam folder, and you can happily delete it and move on with your day, but unfortunately the days of shitty phishing email attempts are gone. Phishing attempts can look surprisingly legit, so don’t beat yourself up if you fall for the scam, just learn from it for next time.
So, people start falling for the phishing attempt, then what? Let’s say you fall for a phishing attempt, and the phisher gets your credentials. The phisher at that point might start sending emails posing as you.
Those first 48 hours are the most important – if you don’t catch them then, you probably never will. When we find out that one of our customers has been compromised, we get to work right away. We have a lot of security in place to notice unusual activity, and once someone tips us off, we move forward with disabling the account to keep the phisher from causing more damage.
We tend to hear about phishing attacks on our customers fairly quickly via Twitter, our abuse email, or support tickets. While we have safeguards in place to protect your account, the second we hear that an account has had unauthorized access and/or suspicious behavior, we start to crack down. “Cracking down” sounds way more hardcore than it is.
Cracking down can be split into two separate processes going on at the same time. First, we want to connect with hosting providers to help lessen the impact of the attack. We’ll request that the website that’s posing as someone else is taken offline to keep future potential victims from also being phished. At the same time, we’ll keep an eye on all of our accounts for suspicious behavior and then flag them for review or disable them.
Yeah, we agree. It’s important to note here that while phishers might have unauthorized access to Mailgun accounts due to a phishing scam, our databases have not been compromised in any way.
Still, we want to protect your account from these bad actors. If we didn’t take down and disable those accounts, phishers could be using your account for phishing. That leads into a whole other can of worms like blocklisting, your deliverability taking a hit, massive credit card charges from phishers running up your bill, and your mailing list distrusting you. When given the two options, we pick disabling every time. It protects accounts from further damage, and we get to lock phishers out before they can spread their gross, nasty, scammy wings.
Not all hope is lost though. If you or another user has lost access to a Mailgun account, you can still get it back. Contacting our support team is the first step, and we’ll work with you to update your credentials from what they were when the phisher got a hold of them. You confirm with us that you are the person authorized to use the account, change your credentials, and update your API keys. From there, we unlock the account, and you can keep sending.
At this point, if you haven’t already set up 2FA, then now is the perfect time to do it. Extra security means fewer chances of getting locked out of your account.
Phishing happens to everyone, even us. Phishers can send from anywhere and pose as us; they don’t have to send from Mailgun to pose as Mailgun. Some phishing attempts are obvious, but others are scary convincing. For example, we got a tweet last week alerting us to this phishing email.
It’s pretty good, but a few things give it away. To start, the sender is bogus. The phisher wants you to zero in on the “Mailgun Support” name and forget about the actual email address following it. But in case you don’t catch that, the body of the email also has a few dead giveaways. Spelling errors, weird content, old logos, and other slip-ups give away a phisher.
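The display-name giveaway described above can be checked automatically. The following is an added example, not Mailgun's own code: it flags a From header whose display name claims a brand while the address sits on an unrelated domain. The function name, the brand allow-list and the sample headers are assumptions constructed for illustration.

```python
from email.errors import HeaderParseError
from email.header import decode_header, make_header
from email.utils import parseaddr

# Assumption: brand keyword -> domains allowed to use it in a display name.
BRAND_DOMAINS = {"mailgun": {"mailgun.com"}}


def check_from_header(raw_from, brand_domains=BRAND_DOMAINS):
    """Return (verdict, reason) for one raw From header value."""
    display, addr = parseaddr(raw_from)
    if "@" not in addr:
        return "malformed", "no parsable address"
    # Display names may be RFC 2047 encoded-words; decode before matching.
    try:
        display = str(make_header(decode_header(display)))
    except (LookupError, UnicodeError, HeaderParseError):
        return "suspicious", "undecodable display name"
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    shown = display.casefold()
    for brand, allowed in brand_domains.items():
        if brand not in shown:
            continue
        # Exact match or a true subdomain; "mailgun.com.evil.example" fails.
        if any(domain == d or domain.endswith("." + d) for d in allowed):
            return "consistent", f"{brand} name with matching domain {domain}"
        return "suspicious", f"name claims {brand} but address is at {domain}"
    return "consistent", "display name claims no protected brand"


# Constructed sample headers, not taken from the email shown in the post.
SAMPLES = [
    '"Mailgun Support" <helpdesk@secure-login.example>',
    "Mailgun Support <support@mailgun.com>",
    "=?UTF-8?B?TWFpbGd1biBTdXBwb3J0?= <x@mailgun.com.attacker.example>",
    "Jane Doe <jane@corp.example>",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(check_from_header(sample), sample)
```

A "consistent" verdict only means the name and address agree; the From address itself can be forged, so this check complements SPF, DKIM and DMARC results rather than replacing them.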
That’s a quick look at what we do when we find out about a phishing attempt sent through Mailgun and what to look for if you get one in your inbox. We’ll go into more details on how we fight phishers in a future post, so stay tuned! If you’re ever on the fence about whether or not an email from us is legit, contact us. It doesn’t hurt to check, and if it turns out it is a phishing attempt – we can act on our end.
Last updated on February 22, 2022