What happened, and what did we do?
Yesterday (November 5, 2019), two phishing emails were sent to a broad list of email addresses that included both Postmark customers and non-customers. The first had the subject line “Your invoice (100421) with Postmark Service is due”. The second, cleverly sent after we put up an in-app notice about the attack, had the subject line “Warning ! email phishing attempt”.
Both of these emails included suspicious links to a mirror site where the attacker could steal usernames and passwords. We became aware of the attempt within minutes, and we immediately took several steps to mitigate it, including disabling logins on our site and working with the phishing site’s hosting company to get the mirror site taken down. We also sent an email to customers to warn them about the attempt.
How did it happen?
The main question we received from customers is: “How did the attackers get my email address?” We want to be clear that Postmark’s customer data was not compromised. We are still investigating how the attackers collected these email addresses, but at this point, we’re reasonably certain that they used a combination of public email and DNS lookup services to put their list together.
Next steps
This is also a good reminder to everyone to please set up 2-factor authentication for your account. That is the best way to protect yourself from a phishing attempt like this.
If you think you might have been affected by this attempt, or if you have any additional questions on how to protect your account, please get in touch with our support team.
We are meeting as a team over the next day or so to evaluate whether there are additional steps we can take to prevent future attempts like this. In the next few weeks, our CTO Chris Nagele will also write a more general, detailed post about how the attempt occurred, with additional information on how to mitigate similar attempts for your own apps.