When you think of phishing attacks, you think of a hacker directly sending you a malicious email in the hope that you’ll trust them and click on a link or download a file. But people are getting wise to phishing emails, because there’s plenty of phishing awareness training out there.
The bottom line is, people have their radar up now for phishing emails and it takes a lot for them to let their guard down. Of course hackers know this, so, unfortunately, they’ve upped their game too.
The key to an effective phishing attack is believability, and there’s nothing more believable than an ongoing email reply chain. The technique is called conversation hijacking, and according to ZDNet, it occurs when “hackers infiltrate intimate email threads between people, and use highly-customized phishing techniques to make it look as if the victim is the one sending messages back and forth.”
“Rather than having to start brand new email threads in an effort to lure in victims, the attackers can use the trusted accounts to reply back to ongoing and previous legitimate conversations.” In other words, what starts out as a safe email between trusted parties suddenly turns dangerous. In case you’re wondering, this type of attack is on the rise.
According to Help Net Security, “The criminals behind these campaigns take their time breaking into email accounts, watching business conversations, negotiations, and transactions. At the opportune time, they launch their attacks at plausible moments when the recipient’s guard is down. The whole conversation looks entirely legitimate, with the correct logos, email addresses and even tone of voice.”
The only thing I know for sure is that all the phishing awareness training in the world will not protect you from this kind of attack. After all, the purpose of phishing awareness training is to teach you to keep your guard up. Conversation hijacking is used to totally defeat that by getting you to let your guard down.
There’s only one way to protect yourself from this type of attack: use technology that never lets its guard down, no matter where in the email reply chain the attack occurs. That means email protection that scans for malicious attachments and checks embedded links in real time, email protection that prevents domain name spoofing AND display name spoofing, and email protection that scans not only the email but also the linked-to website.
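As an added illustration (not code from this article or from any product it mentions), the sketch below applies the display name and domain name spoofing checks to every reply in a thread, wherever it sits in the chain. The function names, the thread participants and the sample messages are all constructed for the example.

```python
from email import message_from_string
from email.utils import parseaddr

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_reply(participants, raw_message, max_distance=2):
    """Return findings for one reply in a thread.

    participants: {lower-cased display name: address} seen earlier in the thread.
    """
    name, addr = parseaddr(message_from_string(raw_message)["From"])
    name, addr = name.strip().lower(), addr.lower()
    if addr in participants.values():
        return []  # exact address already in the conversation
    findings = []
    if name in participants:
        findings.append("display-name-spoof")  # known name, unknown address
    domain = addr.rpartition("@")[2]
    known_domains = {a.rpartition("@")[2] for a in participants.values()}
    if domain not in known_domains and any(
        edit_distance(domain, d) <= max_distance for d in known_domains
    ):
        findings.append("lookalike-domain")
    return findings

# Constructed sample data (not from the page).
PARTICIPANTS = {"alice rivera": "alice@example.com", "bob chen": "bob@partner.test"}
REPLIES = [
    "From: Alice Rivera <alice@example.com>\nSubject: Re: Invoice\n\nThanks.",
    "From: Alice Rivera <alice@examp1e.com>\nSubject: Re: Invoice\n\nNew bank details.",
    "From: Bob Chen <bob.chen@mail.invalid>\nSubject: Re: Invoice\n\nSee attached.",
    "From: Carol Diaz <carol@vendor.test>\nSubject: Re: Invoice\n\nLooping in.",
]

if __name__ == "__main__":
    for raw in REPLIES:
        print(check_reply(PARTICIPANTS, raw), raw.splitlines()[0])
```

A reply sent from the genuine, compromised account passes both checks, which is why attachment and link scanning sit alongside them in the list above.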
There used to be a time when all you had to do was mistrust email from someone you didn’t know. That time is gone. Now you have to mistrust every email, including those from your friends and business associates. If you want to relieve yourself of the burden of trying to figure out which emails are and aren’t threatening, try PhishProtection risk-free for 30 days.