Scammers have come up with many ways to trick employees into unwittingly doing their bidding. I will give two examples in this post. The simplicity of one allows it to bypass email filters and cause recipients to act with little effort on the criminal’s part. It isn’t really an attack, but a precursor to an attack that identifies promising targets. The other adds a new twist to an old impersonation scam.
Phishing with bait
In order to identify valid email addresses, scammers send emails with little or no content in the message body. Sometimes these “bait” messages contain just the word “hi” in the subject line and nothing at all in the body. If the bad actors receive automatic replies (bounces) reporting that the recipients’ addresses are not valid, they move on. If they receive no response, the address is likely valid and they can follow up with more substantive phishing emails.
In some instances, the scammers get more help from recipients than they may have expected. Some recipients apparently can’t resist the urge to reply to an email that says nothing, perhaps asking the sender how they can be of help. Scammers now not only know that the email address is valid, but also that the person on the other end is probably going to be more vulnerable to an attack than the average target.
Because these emails have no attachments, include no links, and don’t really say anything, they often sail past email filters.
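The following Python script is an added example and not code from the original post: it shows how a defender can turn the very absence of links and attachments into a detection signal. Using only the standard library `email` package, it parses raw messages and flags external senders whose message has a throwaway subject and an (almost) empty body. The internal domain `example.com` and the three sample messages are constructed assumptions.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumption: the organisation's own mail domain (hypothetical value).
INTERNAL_DOMAIN = "example.com"

URL_RE = re.compile(r"https?://|www\.", re.IGNORECASE)
# Subjects that carry no information; bait probes typically use one of
# these or no subject at all.
GENERIC_SUBJECTS = {"", "hi", "hello", "hey", "test", "re:", "fw:", "fwd:"}


def body_text(msg: EmailMessage) -> str:
    """Return the readable text of a message, ignoring attachments and HTML tags."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        if part.get_content_disposition() == "attachment":
            continue
        try:
            text = part.get_content()
        except (LookupError, UnicodeDecodeError):  # unknown charset etc.
            continue
        if part.get_content_subtype() == "html":
            text = re.sub(r"<[^>]+>", " ", text)
        chunks.append(text)
    return " ".join(chunks)


def classify_bait(raw: str) -> dict:
    """Score one raw RFC 5322 message for the 'empty bait' pattern."""
    msg = message_from_string(raw, policy=policy.default)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2].lower()
    body = body_text(msg).strip()
    subject = (msg.get("Subject") or "").strip().lower()
    has_link = bool(URL_RE.search(body))
    has_attachment = any(
        p.get_content_disposition() == "attachment" for p in msg.walk()
    )
    external = sender_domain != INTERNAL_DOMAIN
    # The features that let bait slip past link/attachment scanners (there is
    # nothing to scan) are the signal here: an external sender, a throwaway
    # subject and (almost) no words in the body.
    is_bait = (
        external
        and not has_link
        and not has_attachment
        and len(body.split()) <= 3
        and subject in GENERIC_SUBJECTS
    )
    return {
        "sender": sender,
        "external": external,
        "subject": subject,
        "body_words": len(body.split()),
        "has_link": has_link,
        "has_attachment": has_attachment,
        "is_bait": is_bait,
    }


def triage(raw_messages) -> list:
    """Return the sender addresses of messages that look like bait probes."""
    return [r["sender"] for r in map(classify_bait, raw_messages) if r["is_bait"]]


# Constructed sample messages (not real traffic).
BAIT = """From: Alex <alex@example.net>
To: pat@example.com
Subject: hi

"""

LEGIT_EXTERNAL = """From: Vendor Support <support@example.net>
To: pat@example.com
Subject: Invoice 1042 for March
Content-Type: text/plain; charset="utf-8"

Hello Pat,

Please find the March invoice at https://billing.example.net/inv/1042
and let us know if anything looks wrong.
"""

# A terse internal message is not bait: colleagues do send one-word mails.
INTERNAL_TERSE = """From: Sam <sam@example.com>
To: pat@example.com
Subject: hi

"""

if __name__ == "__main__":
    for raw in (BAIT, LEGIT_EXTERNAL, INTERNAL_TERSE):
        print(classify_bait(raw))
    print("bait senders:", triage([BAIT, LEGIT_EXTERNAL, INTERNAL_TERSE]))
```

A hit from this rule is best used to quarantine or tag the message rather than to reply to it, since any reply, automatic or human, confirms the address to the sender.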
If you received an email from a manager at your workplace indicating that a customer had filed a complaint against you and instructing you to click a link to download a copy, what would you do? If the message was well-written and looked authentic at first glance, would you click the link and start the download? If so, you might be downloading malware.
Those who work in customer service, in high-pressure jobs, or in jobs that focus heavily on customer satisfaction are likely more susceptible to this impersonation scam than others. If they feel that their jobs could be at risk, getting an email that appears to be from the boss about a complaint filed against them could cause them to immediately click the link and download the malicious payload.
The idea is a good one from the scammers’ perspective, but the messages found so far haven’t been that convincing. According to an article posted to nakedsecurity.sophos.com, customer complaint impersonation messages seen in the wild have been sloppily written. But because the idea is sound, criminals with better writing skills will likely adopt and refine this tactic soon.
Among other possibilities, these messages could be used to deliver ransomware. If deployed, that might end up costing an organization a huge amount of money and would likely have a far greater negative impact on the email recipient’s career than an actual customer complaint.
Because these emails include links and spoofed sender information, they are more likely to be filtered out before they reach their intended recipients. Some, however, will make it through. Not even the best filters are 100% effective at blocking potentially malicious emails.
The best defense
Once again, cyber criminals have many ways to target employees and cause them to unwittingly assist in the perpetration of their scams. As with any social engineering attack vector, user training is the best defense against these new tactics. Staffers should be trained to recognize scams like these and to determine whether a sender’s information has been spoofed. Training should be ongoing and updated when needed to include new threats like these as they emerge. Procedures should also be in place for employees to follow should they receive suspicious messages or phone calls.
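Determining whether a sender’s information has been spoofed is exactly the kind of check that can be automated at the mail gateway. The Python script below is an added example, not code from the original post; it reads the headers that reveal the “manager complaint” style of impersonation: the `From` domain versus the gateway’s own SPF/DKIM/DMARC verdict, a `Reply-To` that diverts replies elsewhere, a bounce address on another domain, and a display name dressed up as an address on a different domain. The internal domain `example.com`, the gateway’s authserv-id `mx.example.com` and the three sample messages are constructed assumptions.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Assumptions (hypothetical values): our mail domain and the authserv-id that
# our own gateway writes into Authentication-Results headers.
INTERNAL_DOMAIN = "example.com"
GATEWAY_AUTHSERV_ID = "mx.example.com"

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.IGNORECASE)


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def auth_results(msg) -> dict:
    """Collapse Authentication-Results headers into {method: result}.

    Only headers stamped by our own gateway are trusted; a sender can forge
    Authentication-Results lines that claim any other authserv-id.
    """
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        if str(hdr).split(";", 1)[0].strip() != GATEWAY_AUTHSERV_ID:
            continue
        for method, result in AUTH_RE.findall(str(hdr)):
            results.setdefault(method.lower(), result.lower())
    return results


def spoof_indicators(raw: str) -> list:
    """Return the spoofing indicators found in one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    auth = auth_results(msg)
    flags = []

    # 1. Claims to be internal mail but our gateway did not record a DMARC
    #    pass (assumes every message, internal ones included, is stamped).
    if from_domain == INTERNAL_DOMAIN and auth.get("dmarc") != "pass":
        flags.append("internal-from-without-dmarc-pass")

    # 2. Replies would go to a domain other than the visible sender's.
    if reply_to and _domain(reply_to) != from_domain:
        flags.append("reply-to-domain-mismatch")

    # 3. Bounce (envelope sender) address is on another domain. Mailing lists
    #    and bulk senders do this legitimately, so it is a weak signal alone.
    if return_path and _domain(return_path) != from_domain:
        flags.append("return-path-domain-mismatch")

    # 4. Display name looks like an address on a different domain, e.g.
    #    From: "boss@example.com" <random@example.net>.
    m = re.search(r"[\w.+-]+@([\w.-]+)", name)
    if m and m.group(1).lower() != from_domain:
        flags.append("display-name-address-mismatch")

    return flags


# Constructed sample messages (not real traffic).
LEGIT = """Return-Path: <dana.manager@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com;
 dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: Dana Manager <dana.manager@example.com>
To: pat@example.com
Subject: Team meeting moved to 3pm

See you there.
"""

SPOOFED = """Return-Path: <bounce-8831@example.net>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.net;
 dkim=none; dmarc=fail header.from=example.com
From: "Dana Mgr" <dana.manager@example.com>
Reply-To: dana.manager.hr@example.org
To: pat@example.com
Subject: Customer complaint filed against you

A complaint was filed. Download the copy here: https://example.org/complaint/44
"""

LOOKALIKE = """Return-Path: <x@example.net>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.net; dkim=pass header.d=example.net; dmarc=pass header.from=example.net
From: "dana.manager@example.com" <x@example.net>
To: pat@example.com
Subject: Complaint

Open the link below.
"""

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("spoofed", SPOOFED), ("lookalike", LOOKALIKE)):
        print(label, spoof_indicators(raw))
```

The same four checks are what a trained employee can perform by hand from the message’s “show original” view, which is why they make a good companion to the awareness training described above.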