Fake eFax Messages: A New Spin on an Old Phishing Trick

In July 2019, security researchers announced the discovery of a phishing scam that involved fake eFax messages. For years hackers have gone phishing using fake eFax messages, but this latest campaign caught the researchers’ attention. They found that it has a new spin. It infects victims with two different types of malware — a banking trojan and a remote access tool.

How the Scam Works

This latest phishing scam begins like its predecessors. Recipients receive an email supposedly from eFax. This fake eFax message tells the recipients they have received a fax. To view it, all they need to do is download the attached ZIP file and open the file inside it with Microsoft Word. However, the ZIP file actually contains a Microsoft Excel spreadsheet instead of a Word document. The spreadsheet contains a malicious macro — a series of commands that the hackers put together for nefarious purposes.

If the recipients open the spreadsheet and enable the macro, the commands initiate a process that results in a banking trojan AND a Remote Manipulator System Remote Access Tool (RMS RAT) being installed on their computers. The banking trojan is designed to steal bank account credentials, while RMS RAT lets the hackers remotely access and manipulate the victims’ computers. For example, they can transfer files, log keystrokes, and tamper with Windows Task Manager and other system utilities.

Having both types of malware installed lets hackers wreak twice as much havoc. It also gives them a backup communication channel in the event that one of the malware programs is detected and removed, according to researchers.

How to Protect Your Business

There are multiple measures you can take to protect your company against this type of attack. For starters, you can train employees on how to spot phishing emails. In this instance, there were several red flags. Although the message sported the official eFax logo, it included spelling and grammar errors. Plus, the message said to open the attached file with Word when it was an Excel spreadsheet.

During the training on how to spot phishing emails, it is important to let employees know they should not open attachments from unknown senders. In this case, a much safer alternative is for employees to view their faxes from the eFax website.

Another measure you can take to protect your company is to configure Excel and Word so that employees cannot enable macros. Macros are automatically disabled by default, but users are notified this has occurred and are given the option to enable them. You can change the macro setting so that macros are automatically disabled without any notification. That way, employees will not get a notification or the option to enable them. Alternatively, if your company uses digitally signed macros, you can select the option that disables all macros except those that are digitally signed.


There are additional measures you can take to defend against banking trojans, remote access tools, and other types of malware.  Security Training is offered as part of PC Corp Managed Services.

Talk to us about developing a comprehensive security strategy for your business. We make I.T. easy.

Small Business