Aug 12, 2016

Canada Post warns of Phishing Scam , but Leaves the Door Open to Phishers

The official postal service of Canada recently warned customers to be on the lookout for bogus emails that could trick them into clicking on a malicious link.

These faked emails appear to come from Canada Post, and include a link to check on the shipping status of an order. If customers receive such emails, Canada Post says not to click on any of the links.

“We wish to remind customers to not click on any links or open documents. These fraudulent messages … may contain viruses,” the warning read.

Instead, customers should visit to check the status of any shipments they’re expecting.

Unfortunately, the phishing scam takes advantage of two weaknesses in Internet email. One is that it’s possible to put a fake name in the “From” field, and that’s what the scammers appear to have done, using “Canada Post service” as the sender’s name.

A closer look at the screenshot of the email reveals that the sender’s email address is shown as coming from, which belongs to an insurance company based in Ontario. That should be a giveaway that the email isn’t legit — assuming anyone bothers to look at the email address.

The second weakness is that, for many senders, there’s no way to tell whether an email address really does come from their domain. While the vast majority of consumer email providers can detect the authentication status of incoming emails, only senders who have enabled email authentication can take advantage of that.

Unfortunately, the Canada Post domain has email authentication set up, but it’s not enforcing it, as Valimail’s domain checker reveals. That means faked emails with the domain in their “From” fields won’t be rejected by email services that are checking for authentication.

And for, email authentication is not in effect at all — which is probably why the scammers chose to use it: There’s no chance that emails pretending to be from that domain would get rejected. Any email sent from that domain will get through, even to email providers that check for authentication.

Now imagine that Canada Post and Western Assurance had both configured email authentication for their domains, using the DMARCDKIM, and SPF standards, and had set them to reject non-authenticated messages.

In that case, email providers like Google, AOL, and Yahoo would all check the authentication of any incoming messages sent using those domains in their return addresses. If the emails weren’t sent by a legitimate, authorized user of the corresponding domain, the receiving email server would reject it. These phishing emails would not get through, no customers would be at risk, and Canada Post would not have to send a warning to its customers.

To learn more about how authentication can protect your email and your brand, contact us at

Subscribe to our newsletter