
New phishing scam uses PDF attachments to trick you into clicking

Phishing scams are a favorite of the cybercriminal. This is when the scammer sends an email pretending to be from a legitimate organization in an attempt to steal your personal data.

These types of attacks can be a very effective tool for fraudsters, especially in tricking the untrained eye. Take our phishing IQ test to see if you can spot a fake email. Now, there’s a new phishing attack going around that you need to know about.

This latest phishing scam uses a PDF attachment to try to steal your email credentials. The internet security monitor SANS Internet Storm Center said the email comes with the subject line “Assesment document.” The email contains a PDF attachment that is supposedly locked, and you are told to type in your email address and password to unlock it.

This is what it looks like:

[Image: the fake PDF unlock prompt. Source: SANS Internet Storm Center]

SANS researcher John Bambenek told Threatpost, “This is an untargeted phishing campaign. They are not going after the most sophisticated users. They are going after Joe Cubicle that may not think twice about entering credentials to unlock a PDF.”

Bambenek also said, “It doesn’t matter what email address or password you input into the fake unlocking mechanism. The document is opened and anything you input is transmitted to the spammer.”

The fraudulent email claims to be from VetMeds. However, when you open it, the PDF suggests it’s a SWIFT banking transaction.

At this time we don’t know how widespread this scam is. SANS does say that it has received a number of examples from around the country over the past week.

There are things you can do to avoid falling victim to a phishing scam. Here are some ideas:

Avoiding phishing scams

  • Encrypted PDF documents – PDF docs are never locked in the way this scam purports to be. You should never have to enter your email password to open a PDF document.
  • Be cautious with links – If you get an email or notification from a site that you find suspicious, don’t click on its links. It’s better to type the website’s address directly into a browser than to click on a link. Before you ever click on a link, hover over it with your mouse to see where it is going to take you. If the destination isn’t what the link claims, do not click on it.
  • Do an online search – If you get a notification about something that seems suspicious, do an online search on the topic. If it’s a scam, there are probably people online complaining about it and you can find more information.
  • Watch for typos – Phishing scams are infamous for having typos. If you receive an email or notification from a reputable company, it should not contain typos.
  • Use multi-level authentication – When available, you should be using multi-level authentication. This is when you have at least two forms of verification, such as a password and a security question before you log into any sensitive accounts.
  • Have strong security software – Having strong protection on your family’s gadgets is very important. The best defense against digital threats is strong security software.
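
If you screen mail attachments for other people, the first tip above can be checked before anyone opens the file. The Python below is an added example, not code from SANS or from this article: it scans a PDF's raw bytes for features that let a document ask for input or contact a remote address. The article does not say which PDF feature this campaign used, so the token list, the function names and the sample bytes are assumptions constructed for illustration.

```python
import re

# PDF name tokens that let a document collect input or reach a remote host.
# Assumption: the article does not say which of these the campaign relied on.
RISKY_NAMES = {
    "AcroForm",    # fillable form fields
    "SubmitForm",  # sends form field values to a URL
    "JavaScript",  # embedded script
    "JS",          # embedded script (short key)
    "OpenAction",  # action that runs when the file is opened
    "URI",         # link to an external address
    "Launch",      # starts an external program
}
NAME_TOKEN = re.compile(rb"/([A-Za-z0-9#_.+-]+)")
HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")

# Constructed sample fragments, not taken from the campaign.
SAMPLE_PLAIN = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
SAMPLE_PROMPT = (
    b"%PDF-1.4\n1 0 obj << /Type /Catalog /AcroForm 5 0 R "
    b"/OpenAction << /S /J#61vaScript /JS 7 0 R >> >> endobj\n"
    b"6 0 obj << /S /SubmitForm /F (https://example.invalid/post) >> endobj\n"
)


def decode_name(raw: bytes) -> str:
    """Undo #XX escapes so /J#61vaScript is read as JavaScript."""
    decoded = HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    return decoded.decode("latin-1")


def triage_pdf(data: bytes) -> dict:
    """Count risky name tokens in raw PDF bytes and return a verdict."""
    if b"%PDF-" not in data[:1024]:
        raise ValueError("not a PDF: missing %PDF- header")
    counts = {}
    for match in NAME_TOKEN.finditer(data):
        name = decode_name(match.group(1))
        if name in RISKY_NAMES:
            counts[name] = counts.get(name, 0) + 1
    # A fake "unlock" prompt needs a way to take input (form or script)
    # and a way to send it somewhere (form submission, link or script).
    collects = any(n in counts for n in ("AcroForm", "JavaScript", "JS"))
    sends = any(n in counts for n in ("SubmitForm", "URI", "JavaScript", "JS"))
    return {"counts": counts, "quarantine": collects and sends}
```

A raw scan cannot see names stored inside compressed object streams, so an empty result means nothing was found, not that the file is safe.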
