Марія Бровінська, That's Life
9 March 2026, 15:43
"Zvenyhor writes to you." How scammers use "creative phishing" in an attempt to obtain user data
We’re sure you’ve received them too: letters about «expired SSL,» «urgent request from the SBU,» «immediate contract renewal,» or even that «everything will be blown up.» Some of them are so ridiculous that you can’t help but smile. Some are much more cunning and make you take a closer look.
Together with the De Novo cybersecurity service, we analyze the most common cases of phishing and «happiness letters» from creative scammers.
Over the past few months, De Novo specialists have gathered their own collection of such «creatives.» In this article, we briefly analyze the most striking examples, show their typical signs and mistakes, and add comments from De Novo’s information security department on how to avoid becoming the hero of someone else’s script.
«You don’t have much time! Save yourself!» Letters from «Ukrainian military»
One of the most aggressive phishing scenarios we have encountered is an attempt to shut down an office by directly threatening to carry out terrorist attacks. The attackers play on the most painful themes of war and personal despair. We have defined this type of phishing as «psychological terror disguised as personal tragedy.» We have received emails from senders with fictitious names who claim to be veterans who have lost everything. They use frighteningly detailed wording: «we have mined more than 1,000 civilian infrastructure facilities in 2 weeks, and today we will start blowing up administrative buildings.» The body of the email even includes a photo of an improvised explosive device, which should add weight to the message.
Among the authors of such phishing emails are characters with strange names. For example, we have been written to by «Ukrainian» military men: Gremyslav, Zvenimir, Lyudislav, Zvenihor, Nemir, Evstafiy, Dobroslav and Boguslav. It seems that the spammers decided to add some creativity; we appreciated the sense of humor, although their intentions were not at all humorous.
«I, Trutovsky Dobroslav Maksimovich, a citizen of Ukraine, a soldier who has been participating in hostilities since 2022, defending my Motherland.…….I found my like-minded people, and we made a decision to overthrow the government through terror, we have mined more than 1,000 civilian infrastructure facilities for 2 weeks, and today we will begin to blow up administrative buildings. I ask you to leave the building — it is mined, there is an explosive device weighing 5 kg in it. C4 explosive, you are an innocent person, if you do not want to die or remain disabled, like me and my colleagues, be smart, support the current government, do not even doubt, we will blow up your building. And no one will help you!!! Choose death in agony or support the military of the Armed Forces of Ukraine who suffered from the illegal actions of our government.
The above addresses will explode at 16:00, other addresses and your building will blow up at 15:50, if you don’t want to die, run, save yourself!!! I also mined the regional administration and several educational institutions!!! You don’t have much time!!! Save yourself!»
Threats from «veteran» Dobroslav Trutovsky manipulate feelings of fear
The texts also mention specific addresses, from foreign embassies to schools and TV channels (although these addresses often do not coincide with the actual location of the objects). Particular attention is paid to describing the danger in order to intimidate employees. For example, in one of the letters, the author described in detail the threat and the design of an improvised explosive device (IED). The purpose of such attacks is to create psychological pressure and an atmosphere of panic.
Interestingly, despite the «patriotic» or «protest» rhetoric, these letters often come from «exotic» (probably hacked) foreign domains — in our case, Japanese ones, which immediately gives away their true nature. Another sign of phishing is that the threatening letters that arrive at different mailboxes do not differ much in content. The wording is minimally changed. But this is only visible if you compare several letters that arrive at once at different mailboxes of employees.
«Good afternoon! Please provide…». Requests from state bodies or «requests from the SBU»
When «terror» fails, phishers change the vector, imitating requests from state structures. We have recorded letters sent allegedly from the «Central Directorate of the SBU». The attackers use a strict clerical style and direct demands, such as the following:
«I ask you to provide a list of documents by 05.11.2024. If you do not submit them, your organization will be suspended.» It is not specified how exactly the organization will be «suspended» and what this generally means. It is also suspicious that the recipient is indicated in general terms — it is not clear to whom the letter is specifically addressed. At the same time, the signature indicates the real addresses of the departments and contact numbers, which sometimes dulls vigilance.
Your organization will be stopped, well, not «suspended.» By the way, the incorrect address of the Central Security Service of Ukraine (SSU) was given.
The biggest danger here is hidden in the attached files. The letter is accompanied by an archive with the name «Request SBU.rar». The calculation here is that the employee will rush to open the attachment to familiarize himself with the documents. In fact, inside the archive, as a rule, there is malicious code that gives hackers access to the workstation. This is a classic example of targeted phishing (spear phishing), aimed at lawyers, accountants or top management, that is, people who are used to working with official correspondence.
«Your certificate has expired.» Imitation of service notifications
In parallel with the «loud» threats, a silent siege of technical staff continues through imitation of service notifications. In the cloud business, working with domains and SSL certificates is a daily routine, and this is where attackers set their traps. We received a series of phishing emails that mimic notifications from providers:
«Your certificate for denovo.com.ua.globalssl.org has expired» or «Hosting services for denovo.com.ua will expire on 22.10.2024.» The emails look professional. They include pricing tables, logos, and warnings.
«Renew» the contract, and… give your credentials to the hackers.
«Renew now» buttons can lead to fake payment pages, where the goal is to steal, for example, corporate accounts. The insidiousness of these attacks is that they come at times of high admin workload, when checking the sender address (for example, [email protected]) seems like a waste of time.
«Update urgently!». Internal mimicry and account hijacking
We have also received emails masquerading as internal system notifications from our own company. Attackers create mailings that at first glance look like standard messages from the IT department or mail server:
«Your password expires on 27.11.2025» or «You have 6 messages pending to your mailbox».
Using English in such notifications is a common practice in the IT environment, which helps the letters «dissolve» among hundreds of other messages.
Need to update something urgently? It’s better not to rush.
These phishing emails create an artificial shortage of time by stressing the urgency of action, for example:
«Pending emails will be deleted automatically from the system within a period of 12 hours».
The calculation is that an employee, frightened by the loss of important emails, will click on «Release Pending Mail», will be redirected to a fake email login form and will voluntarily give his username and password to hackers. Attackers are not so much looking for a breach in the cybersecurity system as they are counting on the weakened attention of employees. The best defense in this case remains a culture of healthy skepticism. If the «security unit» writes to you from the website of a Japanese parts store, and the «SBU» sends documents in .rar or .zip format, you must immediately notify the Information Security Department.
How to protect yourself from this? Comments and recommendations from the De Novo information security department
Recommendations provided by the information security department:
Do not click on suspicious links in messages, instant messengers, or emails.
Do not enter personal or banking information on third-party sites.
Delete suspicious messages.
Always verify information only through official resources: the website, the application, or a call to the phone number listed on the official website.
Do not open attachments contained in emails from unknown or suspicious senders.
If you have even the slightest suspicion or doubt, contact the Information Security Department for additional analysis.
However, as our experience shows, attackers often use legitimate resources to distribute malicious emails and download attachments with malicious code. In such cases, it is critical to train employees in basic technical analysis of emails — checking that the sender’s name matches his real address and examining links before clicking. The rule «hover over, but don’t click» should become an automatic reflex for everyone who works with mail. Particular attention should be paid to working with attachments, especially in archive or document formats that may contain macros, embedded objects, hyperlinks or links to other resources that allow downloading malicious software.
Here they directly warn you — do not click, do not open!
Letters with «requests from the SBU» containing archives or files to be executed are automatically checked by specialized email protection software before they reach the end user’s computer. We also do not exclude individual exceptions when the letter requires additional analysis by the information security department. In an optimal security structure, any attachments from external senders that the employee did not expect should be considered malicious a priori.
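The basic technical analysis described above (sender name versus real address, visible link text versus real target, archive attachments from outside) can be sketched as a triage script. This is an added example, not De Novo's tooling; the sample message is constructed, and `corp.example` and the other hosts are placeholder assumptions.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

ARCHIVE_EXT = (".rar", ".zip")       # archive formats the article singles out
TRUSTED_DOMAINS = {"corp.example"}   # assumption: the organization's own mail domain

# Constructed sample message (not a real email); every host is a placeholder.
SAMPLE = """\
From: "IT Department corp.example" <noreply@parts-shop.example>
Subject: You have 6 messages pending to your mailbox
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<a href="http://login.mail-portal.example/release">https://mail.corp.example/release</a>
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Request.rar"

UmFyIQ==
--b1--
"""

def host(url):
    return (urlparse(url).hostname or "").lower()

def triage(raw):
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    display, addr = parseaddr(str(msg["From"]))
    sender_domain = addr.rpartition("@")[2].lower()
    # 1. Display name mentions a trusted domain, but the real address is elsewhere.
    for d in TRUSTED_DOMAINS:
        if d in display.lower() and sender_domain != d:
            findings.append(f"sender: name mentions {d}, address is @{sender_domain}")
    # 2. "Hover over, but don't click": link text shows one host, href goes to another.
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    for href, text in re.findall(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', html, re.S | re.I):
        shown = text.strip()
        if shown.lower().startswith("http") and host(shown) != host(href):
            findings.append(f"link: shows {host(shown)}, goes to {host(href)}")
    # 3. Archive attachment from a sender outside the organization.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(ARCHIVE_EXT) and sender_domain not in TRUSTED_DOMAINS:
            findings.append(f"attachment: archive {name} from external sender")
    return findings
```

Calling `triage(SAMPLE)` returns three findings, one per check; a message that passes all three returns an empty list.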
Finally, the most difficult but effective element of protection is the «right to doubt.» In most cases, employees make mistakes because they are afraid to let the company down or look incompetent by ignoring an «urgent request» from management or government agencies. Employees need to report any suspicious emails, even if they seem like a false alarm. At De Novo, we build a security system so that reporting a phishing email takes no more than a few minutes, and the information security department provides quick feedback.
Regular training and explanatory letters about possible spam mailings help staff remain vigilant and turn security theory into practical skills.
We get 2-5 such messages a day.