Phishing Scams Becoming More Sophisticated
In a world where it seems very little is sacred and next to nothing can be trusted, protecting yourself against phishing scams just got tougher. The bad guys are becoming increasingly clever and the days of easily spotting a scam due to “bad Engrish” and bogus-looking emails are all but completely gone. Here’s the latest one you need to look out for – it goes something like this:
– Someone you know falls for a phishing scam and their credentials are compromised. The bad actor gains access to their email and the password gets changed so the victim no longer has any control.
– They rifle through past emails and, using the victim’s accounts, email signatures, corporate logos etc., send out specifically targeted emails that mimic – as closely as possible – legitimate correspondence the victim has had with vendors, clients, partners, etc. Depending on just how much effort the perpetrator puts into his craft, the emails may be generic or may be laser-focused.
– Regardless of how specific the email is, it ALWAYS includes a spreadsheet, PDF, or Word doc and if the thief has done his homework, it may actually include authentic invoice or order numbers. Remember, they have direct access to the victim’s emails so with a little effort, it is super easy to glean the information required to make this attack look extremely convincing.
Now, because these attacks originate from a legit email from a legit partner (or vendor etc.), they are very hard to spot – in some cases, near impossible. Granted, some attacks are still a result of a widely cast net and do have traces of poor grammar and spelling – a definite red flag – but others are indistinguishable from the real deal.
So – what to do?
I hope that some of the other blogs I have written on the subject of phishing scams and general end-user safety (not to mention the wealth of other information sources available) have increased the level of vigilance in your organization. This can be a frustrating and dangerous situation. Nevertheless, here is the cardinal rule: Ask yourself a question – did I request the attachment? If not, double-check. Contact the sender (obviously, not by email), ask them if they sent it and, if so, why. I suggest you pick up the phone, because it’s no stretch to assume that if the victim’s email account has been compromised, the rest of their digital life is in serious doubt as well.
Beyond that, there is little else you can do. Are the extra steps a major time-burn and a royal pain in the posterior? Absolutely. But they are nothing like the pain of getting hit with a phishing-scam-initiated crypto virus – ask anyone who’s lived through one.
…he said sarcastically. Roughly half of those who actually pay to get their data back after a crypto attack lose their money right alongside their data. Don’t do it. Do this instead: invest in better recovery and stronger security-culture strategies. Call us if you need help with either.