Ah yes, “smart people don’t get scammed, you’re smart aren’t you?”
Very smarmy line of thinking. Unfortunately on the rise in recent years. We are all vulnerable to scams and victim blaming doesn’t help the conversation any.
It irks me that this is the bulk of what we're taught of phishing training - just to look for the obvious mistakes.
We've been seeing a rise in attacks that are launched from compromised accounts, where the email is a reply to a previous thread. So you have the context, name and address of someone you're presumably already familiar with. The last one I looked at had the body "What do you think of this?", their signature was missing, and the payload was an HTML file that delivered a passworded zip via a data: blob, and the password was in the HTML file. "For security".
The attachment was the only real tell. Also noticed the sending server was in the wrong country, but since the thread they were replying to had to come from compromised access, I wouldn't trust that either. If the attachment was an office doc, the payload would have been delivered before I heard anything about it.
It's not quite spear-phishing (you're still a target of opportunity rather than a selected target), but it's effective and convincing. But trainings haven't got much past the Nigerian princes yet.
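The attachment the commenter describes is HTML smuggling: the "file" is an HTML page whose script decodes an inline base64 string, wraps it in a Blob (or a data: URI) and triggers a download, so the archive never crosses the mail gateway as an attachment. Below is an added example of the kind of mail-gateway triage check a practitioner might run over such an attachment; it is not code from the thread or from any named product. The sample HTML is constructed for the example, its base64 string is a fake ZIP local-file header with the encryption bit set (not a real archive), and the marker names and thresholds are the example's own assumptions.

```python
from __future__ import annotations
import base64
import re
import struct
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample attachment. The base64 blob is a fake ZIP local file header
# (signature "PK\x03\x04", general-purpose flag bit 0 = encrypted) plus padding.
# It is not a real archive and carries no payload.
_FAKE_ENCRYPTED_ZIP = b"PK\x03\x04" + b"\x14\x00" + b"\x01\x00" + b"\x00" * 40
SAMPLE_HTML = """<!DOCTYPE html>
<html><body>
<p>This document is password protected for security. Password: Invoice2024</p>
<script>
var b64 = "%s";
var bin = atob(b64);
var bytes = new Uint8Array(bin.length);
for (var i = 0; i < bin.length; i++) bytes[i] = bin.charCodeAt(i);
var blob = new Blob([bytes], {type: "application/octet-stream"});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "Proposal.zip";
a.click();
</script>
</body></html>
""" % base64.b64encode(_FAKE_ENCRYPTED_ZIP).decode()

# Constructed benign control: plain HTML with no script at all.
BENIGN_HTML = """<!DOCTYPE html>
<html><body><h1>Quarterly summary</h1>
<p>See the attached spreadsheet for figures.</p>
</body></html>
"""

# JavaScript idioms used to turn an inline string into a client-side download.
# Names are assumptions for this example, not a published signature set.
SMUGGLING_MARKERS = {
    "atob": r"\batob\s*\(",
    "blob_ctor": r"\bnew\s+Blob\s*\(",
    "object_url": r"\bcreateObjectURL\s*\(",
    "ms_save_blob": r"\bmsSaveOrOpenBlob\s*\(",
    "download_attr": r"\.download\s*=|\bdownload\s*=\s*[\"']",
    "auto_click": r"\.click\s*\(\s*\)",
    "data_uri": r"data:[\w/.+-]+;base64,",
}
# File-type magic for decoded payloads; images are listed so they are not flagged.
MAGIC = {
    b"PK\x03\x04": "zip", b"MZ": "pe", b"%PDF": "pdf", b"\xd0\xcf\x11\xe0": "ole",
    b"{\\rtf": "rtf", b"\x7fELF": "elf", b"\x89PNG": "png", b"\xff\xd8\xff": "jpeg",
}
DANGEROUS_TYPES = {"zip", "pe", "ole", "rtf", "elf"}
# Quoted base64 literals long enough to be a file rather than a short token.
B64_LITERAL = re.compile(r"[\"']([A-Za-z0-9+/]{48,}={0,2})[\"']")


@dataclass
class Verdict:
    markers: List[str] = field(default_factory=list)
    payloads: List[Dict] = field(default_factory=list)
    password_hint: bool = False

    @property
    def suspicious(self) -> bool:
        # Either a decodable archive/executable is embedded, or enough of the
        # decode-and-download chain is present to warrant detonation.
        return any(p["type"] in DANGEROUS_TYPES for p in self.payloads) or len(self.markers) >= 3


def _classify(blob: bytes) -> Dict:
    kind = next((name for magic, name in MAGIC.items() if blob.startswith(magic)), "unknown")
    info: Dict = {"type": kind, "size": len(blob)}
    if kind == "zip" and len(blob) >= 8:
        # ZIP local file header: general-purpose bit flag at offset 6, bit 0 = encrypted.
        flags = struct.unpack_from("<H", blob, 6)[0]
        info["encrypted"] = bool(flags & 0x0001)
    return info


def scan_html(doc: str) -> Verdict:
    """Heuristic triage of an HTML attachment for smuggling indicators."""
    v = Verdict()
    v.markers = [name for name, pat in SMUGGLING_MARKERS.items() if re.search(pat, doc)]
    for m in B64_LITERAL.finditer(doc):
        try:
            raw = base64.b64decode(m.group(1), validate=True)
        except ValueError:
            continue  # not valid base64, ignore
        v.payloads.append(_classify(raw))
    # The "password is in the file" pattern: the archive password is shown in the HTML itself.
    v.password_hint = re.search(r"\bpassword\b", doc, re.I) is not None
    return v


if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE_HTML), ("benign", BENIGN_HTML)):
        print(label, scan_html(doc))
```

This is a triage heuristic, not a verdict: real kits split or XOR the base64 string and reassemble it at runtime, so a clean marker scan only means the attachment should go to a sandbox that executes the page and inspects whatever it writes to disk, which is also where the encrypted-zip flag and the in-page password matter (the sandbox can unpack with the password the HTML itself supplies).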