Make no mistake — phishing attackers are getting smarter all the time. Well, some of them, at least. We still see the poorly written phishing emails, but those are easy to filter out. SC Media has heard of cases, however, where attackers have created long, fake email chains in which the attacker pretends to be a company employee and requests that money be transferred or documents be sent. They fabricate email exchanges with senior executives or other corporate managers, then they go for the big ask.
For example, an attacker might send an email to someone in finance or human resources and, using the fake email chain as evidence of a non-existent conversation, try to convince the legitimate employee to take an action. In one scenario, the fake emails might be a request to transfer funds to a new bank account for a “customer.” The chain includes the new banking info, along with a request to the CFO to approve the new account. The fake CFO responds that the change is approved and that the sender should contact the person responsible for the wire transfer. Here’s “proof,” the phisher says, that the request was approved.
In other cases, phishers pretend to be technical support personnel who have detailed knowledge about specific employees based on the information the employees have put out to the public through social media and other posts. The phishers then call the target on the phone and discuss an “urgent” issue, such as a patch for software due to malware being installed on other employees’ systems.
Since many users today are aware they should not install software that they are not expecting, nor install software from unknown sources, they would not install something that simply comes in through their email. But is it different when a tech support person calls and tells the target they are about to send over a patch that needs to be installed locally? Now the user is expecting the software from an apparently trusted source. Even the email that contains the “patch” appears to be internal with the appropriate logos and format.
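The two patterns above, a pasted “approval chain” quoting internal executives and an outer message that merely looks internal, are visible in the message itself if someone checks. The following triage helper is an added example written for this article, not code from SC Media or from any product; it assumes a constructed organisation domain (`example.com`), a constructed list of executive addresses, a constructed lookalike sender domain (`examp1e.com`), and constructed sample messages, and it treats a simplified `Authentication-Results` header as the only authentication signal. It flags the same clues a careful recipient would notice before picking up the phone: the sender is external, the domain is a digit-for-letter lookalike, the quoted chain cites an internal executive the outer message cannot vouch for, the Reply-To points somewhere else, and DKIM never passed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions (constructed for this example): the organisation's real mail
# domain and the executive addresses whose names attackers most often borrow.
INTERNAL_DOMAIN = "example.com"
EXECUTIVE_ADDRESSES = {"cfo@example.com", "ceo@example.com"}

# Constructed sample: external lookalike domain, display name borrowed from
# the CFO, a different Reply-To, and a pasted "approval chain" quoting
# internal addresses as proof that the request was approved.
SAMPLE_MESSAGE = """\
From: "Pat Lee (CFO)" <pat.lee@examp1e.com>
Reply-To: payments@examp1e.com
To: ap-clerk@example.com
Subject: FW: Approved - updated bank details for Northwind
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examp1e.com; dkim=none

Please process the wire to the new account below. Approval is in the chain.

-----Original Message-----
From: Pat Lee <cfo@example.com>
To: Sam Jones <sam.jones@example.com>
Subject: RE: updated bank details for Northwind

Approved. Please contact the person handling wire transfers.
"""

# Constructed sample of an ordinary internal message for comparison.
CLEAN_MESSAGE = """\
From: Sam Jones <sam.jones@example.com>
To: ap-clerk@example.com
Subject: Invoice 1042
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com

Attached is the invoice for this month.
"""


def domain_of(address):
    """Domain part of an address, lower-cased; empty string if malformed."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def looks_like(domain, internal):
    """Crude lookalike test: fold the common 1->l and 0->o swaps, then compare."""
    folded = domain.translate(str.maketrans("10", "lo"))
    return domain != internal and folded == internal


def quoted_from_addresses(body):
    """Addresses on 'From:' lines inside the body, i.e. the pasted email chain."""
    lines = re.findall(r"^\s*(?:>\s*)*From:\s*(.+)$", body, re.M)
    return [parseaddr(line)[1].lower() for line in lines]


def triage(raw_message):
    """Return the list of warning signs found in a raw RFC 822 message."""
    msg = message_from_string(raw_message)
    body = "" if msg.is_multipart() else msg.get_payload()
    _display_name, sender = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(sender)
    findings = []

    if sender_domain != INTERNAL_DOMAIN:
        findings.append("external_sender")
        if looks_like(sender_domain, INTERNAL_DOMAIN):
            findings.append("lookalike_domain")
        # An external message that quotes an internal executive's approval is
        # exactly the "here's proof" pattern: the chain cannot be trusted.
        if any(a in EXECUTIVE_ADDRESSES for a in quoted_from_addresses(body)):
            findings.append("quoted_internal_chain")

    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.lower() != sender.lower():
        findings.append("reply_to_differs")

    # Simplified: only a literal "dkim=pass" in Authentication-Results counts.
    if "dkim=pass" not in msg.get("Authentication-Results", ""):
        findings.append("no_dkim_pass")

    return findings


def needs_out_of_band_check(findings):
    """True when the request should be confirmed by phone before acting."""
    return bool({"external_sender", "quoted_internal_chain", "lookalike_domain"} & set(findings))


if __name__ == "__main__":
    for label, raw in (("lookalike", SAMPLE_MESSAGE), ("clean", CLEAN_MESSAGE)):
        found = triage(raw)
        print(label, found, "-> call to confirm" if needs_out_of_band_check(found) else "-> ok")
```

The quoted-chain check is the one worth keeping in mind: a forwarded thread proves nothing about who wrote the quoted lines, because the body of an email is just text the sender typed. Only the outer headers were seen by your mail server, and only those can be checked.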
Some phishers are indeed getting smarter and their attack methods are becoming more interactive and believable. Having an email chain with a corporate officer or a phone call from a supposed internal help desk tech can overcome many objections. Today, we not only need to recognize the obvious phishing attacks, but be aware that not every email or phone call is what it appears to be.
In fact, today’s successful phishing attacks might not even include a malicious payload. As noted, research from a variety of sources tells us that today’s attackers are getting better at pretending to be someone you already know in order to entice you to take an action, be it installing software, providing credentials, or in some cases, simply visiting their web site – no malware ever touches your system.
These clever attackers entice users to give up their credentials and data with a smile on their face. Don’t fall for it. If you receive a request that seems even a bit unusual, pick up a phone and call the person making the request if they purport to be a colleague. Confirming identities and requests is not an imposition today; it’s part of the standard way of doing business. Failure to follow appropriate procedures could end up costing the company a lot of money — and potentially the employee their job.