The real trick to any phishing scam is getting the victim to let their guard down. Every technique imaginable has been tried, but perhaps the most effective is one now appearing in more and more phishing attacks: conversation hijacking.
Conversation hijacking is easy to understand but hard to prevent. It starts out as an ordinary back-and-forth email exchange between you and somebody you know and trust, usually a business associate, and for a while that's all it is. What you don't realize is that your correspondent's email account has been compromised. The attacker has been reading the conversation, and at the right moment injects a message into it that still appears to come from the person you know. At that point they can ask you to do almost anything, and you'll probably comply, because you believe you know who you're talking to and have let your guard down.
According to an article on ZDNet, “Cyber criminals are leaning hard on this attack technique as a means of compromising businesses, according to new research from Barracuda Networks. Analysis of 500,000 emails showed that conversation hijacking rose by over 400% between July and November last year.”
Here’s the interesting thing about this attack. “The attackers won’t directly use the compromised account to send the malicious phishing message – because the user could notice that their outbox contains an email that they didn’t send.” Instead they use a technique the research calls domain spoofing: they register a lookalike domain that differs from the associate's real domain by only a character or two (a swapped letter, a dropped hyphen, a different top-level domain) and send from that. Because the attacker controls the lookalike domain, its messages can carry valid SPF and DKIM results for that domain; the only thing that gives the message away is the domain itself. “By using a real name and a real email thread, the attackers are hoping that the intended target won’t notice the domain is slightly different and that they’ll follow the request that’s coming from their supposed contact.”
To make sure you let your guard down, hackers are patient. “In some cases, it’s been known for conversation hijackers to communicate with their intended victims for weeks in order to ensure trust is built up.” Once you've let your guard down like that, only technology can protect you: technology that trusts no one, never lets its guard down, and isn't fooled by domain spoofing.
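The check a filter can make against this technique is the one a distracted human skips: compare the sender's domain on each reply with the domain that same correspondent used earlier in the thread, and flag a change that is visually close to the original. The following is an added example illustrating that check; it is not DuoCircle's or Barracuda's code, the thread it inspects is constructed sample data, and the confusable-character table is a small hypothetical subset of what a production filter would carry.

```python
"""Flag replies in an email thread whose sender domain is a lookalike of the
domain that correspondent used earlier in the same thread.

Added example for the conversation-hijacking / domain-spoofing technique
described above; not code from DuoCircle or Barracuda. The thread below is
constructed sample data and CONFUSABLES is a hypothetical, partial table.
"""
from email import message_from_string, policy
from email.utils import parseaddr

# Substitutions attackers use to build lookalike domains (hypothetical, partial).
# Applied in order, so the two-character swaps run before single-character ones.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("-", "")]


def normalize_domain(domain: str) -> str:
    """Collapse visually confusable spellings so lookalikes compare equal."""
    d = domain.lower()
    for lookalike, canonical in CONFUSABLES:
        d = d.replace(lookalike, canonical)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def sender_of(raw_message: str) -> tuple:
    """Return (display name, domain) taken from the From: header."""
    msg = message_from_string(raw_message, policy=policy.default)
    name, addr = parseaddr(str(msg["From"]))
    return name, addr.rsplit("@", 1)[-1].lower()


def audit_thread(raw_messages: list, max_distance: int = 2) -> list:
    """Walk a thread in order and report messages whose sender domain changed.

    The first message from each display name fixes the domain expected for that
    correspondent. A later message from a lookalike domain is reported as
    'lookalike domain'; any other change is reported as 'domain changed' for
    human review. Mail from the original domain is never flagged, which is
    exactly why attackers avoid sending from the compromised account itself.
    """
    expected = {}
    findings = []
    for index, raw in enumerate(raw_messages):
        name, domain = sender_of(raw)
        trusted = expected.setdefault(name.casefold(), domain)
        if domain == trusted:
            continue
        distance = edit_distance(domain, trusted)
        lookalike = (normalize_domain(domain) == normalize_domain(trusted)
                     or distance <= max_distance)
        findings.append({
            "index": index, "name": name,
            "expected_domain": trusted, "seen_domain": domain,
            "edit_distance": distance,
            "reason": "lookalike domain" if lookalike else "domain changed",
        })
    return findings


def raw_message(from_name: str, from_addr: str, message_id: str,
                in_reply_to: str = "", body: str = "") -> str:
    """Build a minimal RFC 5322 message the way a filter would receive it."""
    headers = [f"From: {from_name} <{from_addr}>",
               "Subject: Re: Invoice 4471",
               f"Message-ID: <{message_id}>"]
    if in_reply_to:
        headers.append(f"In-Reply-To: <{in_reply_to}>")
    return "\n".join(headers) + "\n\n" + body + "\n"


# Constructed sample thread: Dana is the real associate, Pat is the target.
# Message 3 comes from the attacker's lookalike domain ("rn" in place of "m");
# message 4 is Dana on a personal address, a change but not a lookalike.
SAMPLE_THREAD = [
    raw_message("Dana Reyes", "dana@acme-supply.com", "1@acme-supply.com",
                body="Hi Pat, invoice 4471 is attached."),
    raw_message("Pat Lee", "pat@example.net", "2@example.net", "1@acme-supply.com",
                body="Thanks Dana, I will get this paid."),
    raw_message("Dana Reyes", "dana@acme-supply.com", "3@acme-supply.com", "2@example.net",
                body="Great, shout if you need anything."),
    raw_message("Dana Reyes", "dana@acrne-supply.com", "4@acrne-supply.com", "3@acme-supply.com",
                body="Quick update: our bank details changed, please use the new account."),
    raw_message("Dana Reyes", "dana.reyes@mail.example", "5@mail.example", "4@acrne-supply.com",
                body="Writing from my personal address while travelling."),
]

if __name__ == "__main__":
    for f in audit_thread(SAMPLE_THREAD):
        print(f"message {f['index']}: {f['reason']} for {f['name']!r}: "
              f"expected {f['expected_domain']}, saw {f['seen_domain']} "
              f"(edit distance {f['edit_distance']})")
```

Note what this does and does not catch. The "bank details changed" message is flagged because `acrne-supply.com` normalizes to the same string as `acme-supply.com` and is two edits away from it; the personal-address message is surfaced only as a plain domain change for a human to judge. A message sent from the genuinely compromised account on the real domain passes this check untouched, so thread-history comparison complements, rather than replaces, the account-compromise detection a mail provider does.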
Many companies promote employee training as the solution to conversation hijacking, but it's asking too much to expect employees to spot this type of spear phishing attack. You want to take this out of the hands of your employees and put it in the hands of technology designed specifically to prevent these attacks. Technology like that available from DuoCircle.
DuoCircle is an email security service that stops every kind of phishing attack, including those based on domain name spoofing. And because it's cloud-based, it requires no hardware, no software and no maintenance, and sets up in 10 minutes.
Rather than trying to determine if or when an email conversation is no longer from someone you trust, let technology do it for you. And the best part is, it costs only pennies per user per month. Don’t wait.