SecureState Blog


Using a Website’s ‘contact us’ form to create a phishing attack in social engineering

We have all come across websites with forms that say "contact us", "tell us what you think" or "please report the error".  So what's the big deal? These forms have been around forever, right?  The interesting part is that once a form is submitted, someone has to read what you sent.  Submissions are typically delivered from a system address or a shared mailbox, or they sit in a database queue.  When the employee finally gets these messages, the familiar source automatically puts them at ease, and they become more trusting of the content.  If users who are explicitly taught not to click links in emails from strangers still do it, employees whose job is to answer these messages don't stand a chance.

These techniques fall under social engineering and phishing: the art of manipulating people into performing actions or divulging confidential information.  They are regularly and successfully used in attacks around the world.  Let's take two attack scenarios:


Attack 1 – Spoofing an email – They might not fall for it

In the first attack, the attacker sends an email to  In the email the attacker says "Hi, I have run into a small problem with my order.  This page gives me an error “”."  While Jane may still click the link, the odds of success are lower.  If the company trains its employees to be leery of emails they receive from the public, she may not even look at the email.


Attack 2 – Using the contact form to send the malicious email – Gotcha!

In the second attack, the attacker submits the contact form with the same email address and message.  However, when Jane receives it, the message arrives from the internal customer service address, or is appended to the list of submissions she has to investigate.  Jane sees these messages every day and her natural instinct is to trust them.  She may even believe that the system itself would never deliver a malicious message.


Why it works!

In the screenshot above, two messages contain malicious links, while the others are valid requests.  Jane would immediately suspect something was wrong with the email from John Smith.  But because the system messages are familiar, she is less critical of their content.  We see the same effect in other phishing attempts: if the malicious email comes from someone we don't know, most of us are immediately on guard, whereas if a friend sends us a malicious email the odds of us getting infected rise sharply.

Testing these forms is a crucial part of your organization's overall security, as is ensuring your employees are trained to notice the difference between http:// and .  Attackers also know that including the company name in the attack URL puts the victim at ease because the URL looks familiar.  Educating and testing your employees ensures your company takes the next step to being more secure.
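The technical fix on the receiving side is to stop the form handler from laundering an anonymous submission into an internal-looking message. The following is an added example, not code from SecureState or from any product described on this page. It assumes a constructed organisation that owns example.com, uses the brand string "example", and relays submissions from a hypothetical address webform-relay@example.com; the sample messages are constructed for the example. The relay keeps the submitter in Reply-To, tags the subject as external, flags hosts that contain the company name but are not company-owned, and defangs every link that is not on a company domain so the agent has to retype it deliberately.

```python
"""Contact-form intake that keeps external provenance visible to the agent."""
import re
from email.message import EmailMessage
from urllib.parse import urlsplit

# Assumptions for this example: the organisation owns example.com and its brand
# string is "example". These are constructed placeholders, not real deployments.
TRUSTED_DOMAINS = frozenset({"example.com"})
BRAND = "example"
RELAY_FROM = "webform-relay@example.com"   # constructed internal relay sender

URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)


def extract_urls(text):
    """Return URLs found in free text, with trailing sentence punctuation removed."""
    return [m.rstrip(".,;:!?)") for m in URL_RE.findall(text)]


def host_of(url):
    """Lower-cased hostname of a URL; bare www. links get a scheme so they parse."""
    if not url.lower().startswith(("http://", "https://")):
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def is_trusted_host(host, trusted=TRUSTED_DOMAINS):
    return any(host == d or host.endswith("." + d) for d in trusted)


def classify_url(url, trusted=TRUSTED_DOMAINS, brand=BRAND):
    """trusted = company-owned host; lookalike = brand in a foreign host; external = anything else."""
    host = host_of(url)
    if is_trusted_host(host, trusted):
        return "trusted"
    if brand in host:            # e.g. example-support.net or example.com.evil.test
        return "lookalike"
    return "external"


def defang(url):
    """Make a link non-clickable so the agent must retype it on purpose."""
    url = url.replace("http://", "hxxp://").replace("https://", "hxxps://")
    return url.replace(".", "[.]")


def triage_submission(sender, body, trusted=TRUSTED_DOMAINS, brand=BRAND):
    """Classify every link in a submission and return a defanged copy of the body."""
    findings = [{"url": u, "host": host_of(u), "verdict": classify_url(u, trusted, brand)}
                for u in extract_urls(body)]
    safe_body = body
    for f in findings:
        if f["verdict"] != "trusted":
            safe_body = safe_body.replace(f["url"], defang(f["url"]))
    return {"sender": sender, "findings": findings,
            "risky": any(f["verdict"] != "trusted" for f in findings),
            "safe_body": safe_body}


def build_agent_email(sender, body, to="support@example.com", relay_from=RELAY_FROM):
    """Relay a submission without disguising it as an internal message."""
    t = triage_submission(sender, body)
    msg = EmailMessage()
    msg["From"] = relay_from
    msg["To"] = to
    msg["Reply-To"] = sender        # replies go to the submitter, not to the relay
    tag = "[EXTERNAL][LINKS FLAGGED]" if t["risky"] else "[EXTERNAL]"
    msg["Subject"] = f"{tag} Web form submission from {sender}"
    banner = ("This message was submitted by an anonymous visitor through the public "
              "contact form. Links were not verified. Do not click links; retype known "
              "addresses instead.")
    lines = [banner, ""]
    for f in t["findings"]:
        if f["verdict"] != "trusted":
            lines.append(f"FLAGGED {f['verdict']}: {f['host']}")
    lines += ["", t["safe_body"]]
    msg.set_content("\n".join(lines))
    return msg


if __name__ == "__main__":
    # Constructed submission modelled on the scenario in the post.
    demo = build_agent_email(
        "john.smith@mail.test",
        "Hi, I have run into a small problem with my order. "
        "This page gives me an error http://example-support.net/order/1234.")
    print(demo)
```

The lookalike rule is deliberately blunt (brand string anywhere in a non-company host) because that is exactly the trick the post describes; a production version would also compare against the organisation's full list of owned domains and short-link services it actually uses, so that legitimate customer links are not flagged as noise.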