“Customer Complaint” May Get Your Attention
A spear phishing campaign is sending phony “customer complaints” that contain a link to a malicious website, according to Paul Ducklin at Naked Security. The phishing emails appear to come from a manager at the employee’s company, and ask the recipient about a customer complaint they received. The link in the email purports to lead to a PDF of the complaint on the employee, but leads to a page where the victim is tricked into downloading malware.
Ducklin adds that people are even more likely to click on the link if they work in a high-pressure environment.
“Worse, of course, is that junior staff in commonly outsourced jobs such as first-line support, where time pressure is always high, are the most likely to have been threatened with complaints by aggressive callers determined to get their way,” Ducklin writes. “And, let’s be perfectly honest, if you’ve ever worked in support, you’ll rarely ever have ‘reported yourself to management’ when a caller shouted at you and complained, unless the call was so aggressive or threatening that you wanted to ensure it was placed on the record for your own safety.”
Ducklin notes that in this case the sloppy appearance of the emails could tip off the recipient that the messages are fake.
“Never let yourself be pressured or threatened into acting in haste, because that’s exactly what the crooks are hoping you will do,” Ducklin says. “This scam is full of mistakes (spelling, grammar, incorrect web links, unlikely file downloads, digital signatures that simply don’t look right) that you would expect to notice on a good day, but could easily miss if you are acting in haste. But the signs are all there, even if you aren’t technical yourself, that this email simply doesn’t add up, and is fake.”
New-school security awareness training can enable your employees to recognize red flags associated with social engineering attacks.