Phishing By Setting Up The Phishing Message

posted in: Tech

I’m sure by now most of my readers have seen warning after warning about how phishers and hackers are taking advantage of our current situation. As more people find themselves working in odd situations, and with unfamiliar tools, they’re trying to get in and get us to let down our guard just a little bit. Case in point:

I was recently made aware of an email that was sent to someone I know. The email was sent to her work address, and appeared to be from the head of her organization with a relatively simple request. “Can you send me a number to text you some information?”

Doesn’t seem all that suspicious, does it? The immediate red flag it raised was that she had worked directly with this person for years and they had never communicated that way. He’s not big on texting.

That was it. That was the one obvious thing to question, which then got her to actually look at the email address. It wasn’t correct; rather, it was something very similar to the correct address, followed by gmail.com (i.e. Ron_Smith_abc_com@gmail.com instead of Ron_Smith@abc.com), which a mobile device would not necessarily display by default.

So that was red-flag number two.
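A defender-side way to catch the address pattern described above is to strip the separators from the local part of a free-mail address and check whether it ends in the organisation’s real domain, and separately to flag a familiar display name sitting on an external address. The following is an added example, not code from the original post; the domain abc.com and the name Ron Smith come from the post’s sample address, while the free-mail list, the name list and the sample headers are constructed assumptions:

```python
import re
from email.utils import parseaddr

# Assumed values for this example (constructed; only abc.com / Ron Smith appear in the post).
INTERNAL_DOMAIN = "abc.com"
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}
HIGH_VALUE_NAMES = {"ron smith"}  # people whose display name is worth watching


def normalize(text):
    """Lower-case and drop everything except letters and digits, so that
    'Ron_Smith_abc_com' and 'ron.smith@abc.com' compare equal."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def lookalike_reasons(from_header):
    """Return a list of reasons a From: header resembles a mangled internal address.
    An empty list means no lookalike signal was found."""
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["unparseable address"]
    local, domain = addr.rsplit("@", 1)
    domain = domain.lower()
    reasons = []
    if domain == INTERNAL_DOMAIN:
        return reasons  # genuinely internal; SPF/DKIM/DMARC cover this case
    if domain in FREEMAIL_DOMAINS and normalize(local).endswith(normalize(INTERNAL_DOMAIN)):
        reasons.append("internal domain embedded in free-mail local part")
    if normalize(display) in {normalize(n) for n in HIGH_VALUE_NAMES}:
        reasons.append("display name of an internal person on an external address")
    return reasons


# Constructed sample headers, modelled on the post's example address.
SAMPLE_HEADERS = [
    "Ron Smith <Ron_Smith_abc_com@gmail.com>",   # the post's lookalike
    "Ron Smith <Ron_Smith@abc.com>",             # the real address
    "Ron_Smith_abc_com@gmail.com",               # same lookalike, no display name
    "Newsletter <news@vendor.example>",          # unrelated external mail
]


def triage(headers=SAMPLE_HEADERS):
    """Map each From: header to its list of lookalike reasons."""
    return {h: lookalike_reasons(h) for h in headers}


if __name__ == "__main__":
    for header, reasons in triage().items():
        print(f"{header!r}: {reasons or 'no lookalike signal'}")
```

The normalisation is deliberately coarse: it treats underscores, dots and case as interchangeable, which is exactly what makes Ron_Smith_abc_com read like Ron_Smith@abc.com to a hurried reader on a phone. A rule like this belongs in a mail gateway or a SIEM query over message logs, where it can tag the message for a warning banner rather than block it outright.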

So I started thinking about what this message really was, considering similar email scams I’ve seen concocted by someone scraping law firm websites, sending emails supposedly from the Managing Partner, to new associates who maybe haven’t worked directly with that person much, with strange requests.

A couple of thoughts popped up:

  1. The email didn’t include a link, or ask for anything more than a phone number. It was not, in and of itself, an obvious attempt at phishing.
  2. It did, however, request something a little out of the ordinary. But again, given the way companies are shut down or working from home, different communication methods may not seem all that unusual right now.
  3. If she had replied, she would be giving the phisher her phone number, again not really a huge risk by itself.
  4. I suspect the actual phish would have come next, in a text message with a link, or some other attempt at getting her information.
  5. That attempt would have a higher likelihood of success, because it eliminates the one big thing we teach people about phishing: be suspicious of unexpected messages. This one would be expected.

Thankfully, in this case, it was out of character enough that it caused her to pause and raised a red flag. Would that happen with your team?

Remember, they don’t need every attempt to work, just one of the hundreds they can send to your employees, and all it takes is one of them being distracted right now.
