
Look out for new PayPal account takeover scammers



Happy New Year and Happy Friday!

It's my hope that cyber attacks go down this year, but it already looks like a tall order. According to a new study from Netskope, the rate at which workplace users clicked on phishing emails nearly tripled last year. Why? You can blame AI, spam fatigue or aliens, but the reality is that the bad guys are simply getting more creative at delivering harder-to-detect phishing schemes. For example, Fortinet just reported on how cybercriminals are using PayPal money requests to back-door into victims' accounts. Here's how it works:

1) You get a 100% legitimate email from PayPal asking you to pay a pretty hefty sum, somewhere between $2,000 and $3,000.

2) When you click on the link, you land on a legitimate PayPal login page showing the payment request, together with a prompt to link your PayPal account to the address the request was sent to (which is not the address you received it at). In the example below, PayPal thinks it sent this request to Billingdepartments1[@]gkjyryfjy876.onmicrosoft.com:


[Image: PayPal money request addressed to Billingdepartments1[@]gkjyryfjy876.onmicrosoft.com]

3) If you log in to see what is going on, the scammer's account (Billingdepartments1[@]gkjyryfjy876.onmicrosoft.com) gets linked to yours, and voila, they have control and can start moving money.

The Takeaway

This account takeover technique is clever because it uses a loophole in the way Microsoft and PayPal operate. In this example, the scammer simply registers an MS365 test domain, which is free for three months, creates a Distribution List (Billingdepartments1[@]gkjyryfjy876.onmicrosoft.com) containing the victims' email addresses, and sends a PayPal money request to that list. PayPal addresses the request to the list, and Microsoft fans it out to every victim in it.

This new kind of "phishing" email is sent from a trusted source: a legitimate email account that passes mailbox filtering rules. The email, the URLs, and everything else are perfectly valid, because nothing in the message is forged, and we're seeing more and more of this attack strategy from the bad guys. The one thing that does not add up is the recipient: the request is addressed to the scammer's distribution list, not to you.
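Because the message really comes from PayPal and clears every sender-side check, the only thing left to inspect is who it was addressed to. The following is an added example, not code from the original post and not Fortinet's or PayPal's, that applies that recipient-mismatch rule to two constructed messages. It assumes that genuine money requests come from a paypal.com address, that the subject line carries a recognizable money-request phrase, and that Exchange leaves the distribution list's own address in the To: header when it expands the list; the address of the receiving mailbox is supplied by the mail gateway or client, never read from the message itself.

```python
"""Flag PayPal money requests that were not addressed to the mailbox that
received them (the distribution-list relay described above).

Added example; the sample messages below are constructed, not real mail.
"""
import email
from email.utils import getaddresses

# Assumption: legitimate money requests come from this sender domain.
PAYPAL_SENDER_DOMAINS = {"paypal.com"}
# Assumption: subject phrases that identify a money request.
MONEY_REQUEST_MARKERS = ("money request", "requested payment", "sent you a request")


def _domain(addr):
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def recipient_mismatch(raw_message, mailbox_address):
    """Return a dict describing the mismatch, or None if the message looks normal.

    raw_message: RFC 5322 text of the message.
    mailbox_address: the address of the mailbox that actually received it,
        known to the gateway/client rather than taken from the headers.
    """
    msg = email.message_from_string(raw_message)

    from_list = getaddresses([msg.get("From", "")])
    sender = from_list[0][1].lower() if from_list else ""
    subject = (msg.get("Subject") or "").lower()

    # Only PayPal money requests are in scope for this rule.
    if _domain(sender) not in PAYPAL_SENDER_DOMAINS:
        return None
    if not any(marker in subject for marker in MONEY_REQUEST_MARKERS):
        return None

    # Every address PayPal visibly sent the request to (To: and Cc:).
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    visible = [addr.lower() for _, addr in getaddresses(headers) if addr]

    # Normal case: the request was addressed to the mailbox that received it.
    if mailbox_address.lower() in visible:
        return None

    return {
        "sender": sender,
        "visible_recipients": visible,
        "mailbox": mailbox_address.lower(),
        # Assumption: a *.onmicrosoft.com recipient is a tenant distribution list.
        "relayed_via_distribution_list": any(
            _domain(a).endswith("onmicrosoft.com") for a in visible
        ),
    }


# Constructed sample: a request genuinely addressed to the victim.
LEGIT_REQUEST = """\
From: "service@paypal.com" <service@paypal.com>
To: alice@example.com
Subject: Bob sent you a request for $25.00 USD

You have a money request from Bob.
"""

# Constructed sample: the same kind of request, but addressed to the
# attacker's distribution list and fanned out to the victim by Exchange.
SCAM_REQUEST = """\
From: "service@paypal.com" <service@paypal.com>
To: Billingdepartments1@gkjyryfjy876.onmicrosoft.com
Subject: Billing Department sent you a request for $2,500.00 USD

You have a money request. Log in to review it.
"""

if __name__ == "__main__":
    print("legit:", recipient_mismatch(LEGIT_REQUEST, "alice@example.com"))
    print("scam: ", recipient_mismatch(SCAM_REQUEST, "alice@example.com"))
```

The rule is deliberately narrow. Sender, links and authentication all look clean in this attack, so a broad "suspicious sender" rule finds nothing; a money request addressed to someone else's list is the one signal the scammer cannot remove without also losing the legitimate delivery path.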

The solution? Strengthening the human firewall, which is exactly what you're doing right here by reading this and sharing it with a friend, family member or co-worker. I applaud you. At an organization level, training is key. Every employee needs ongoing training on how to be aware of and cautious with any unsolicited email, regardless of how genuine it may look, and on how to spot threats like this one to keep themselves and your organization safe. Our CyberEdu security awareness training program may be able to help.

Stay safe out there.

-Attila

Reminder: The Riskara 360 Employee Security Risk Assessment is coming soon. It reveals the employee behaviors and habits that could be putting your organization in jeopardy and gives you a step-by-step plan for making critical improvements. We're looking for feedback - click here to request early access.


New Friday Funnies


To read this Friday's joke, click here. (yes... that's the joke... there's no link...) What do you call a group of math and science geeks at a party? Social Engineers.

