Phish of the Week: Are You the Mark in History’s Most Successful Con?

It’s Not Like in the Movies: The Harsh Reality of a Real-Life Con

Dirty Rotten Scoundrels. The Sting. Matchstick Men…

The list of amazing con movies runs long and we all have our favorites. Personally, I am partial to The Usual Suspects, an example of a great con movie that had us twisted up until the very end. We all love a good con in the movies, but in real life? Not so much. 

Whether it is reel or real life, “authenticity” is at the core of a good con. It is also at the core of how threat actors manipulate individuals and organizations: they brazenly impersonate trusted business partners to achieve malicious outcomes, financial or otherwise.

By all measures, advanced Type 3 BEC phishing attacks seem well on their way to becoming one of the most successful cons in cybersecurity history; current FBI estimates indicate almost $26B in aggregate losses from BEC phishing attacks alone.

Now that’s a number that would make Keyser Soze extremely happy … that is, if he is real? 

Beyond Email Authentication & Gateways: How to Stop Financial Cybercrime in 2020

2020 is shaping up to be the perfect scenario for successful financial phishing. With an extended tax season and a massive remote workforce affected by COVID-19 uncertainty, bad actors have more exploitative material to trick your employees. 

In fact, there’s a new spike in information-gathering scams, credential theft campaigns and other financial phishing attacks, which:

  • Bypass O365, Gmail, email gateways and sender authentication;
  • Exploit real e-commerce sites, online tax services, banks and more to inflict damage.

Learn from counter cyberintelligence and DoD expert, Juliette Cash, about how to stop these email-, web- and network-based attacks. Sign up for the on-demand SecurityWeek webinar here.

“Don’t Shoot the Messenger,” says DMARC

We’re often asked, “Isn’t DMARC supposed to catch phish?”

To answer, consider the US Postal Service: the origin of packages from the Unabomber. 

Yes, the same US Postal Service is also the benevolent origin of birthday packages from Mom.

But like the Unabomber, bad actors use authentic messengers to deliver malicious contents. That is precisely why email authentication is insufficient at blocking socially-engineered phish that come from trusted sources (which they often do).

DMARC, DKIM and SPF don’t check what’s in your email “packages.”

A Warning from the Treasury about Taxpayer Email Scams

Stimulus checks are yet another coronavirus-triggered hacker opportunity. Intercepting and diverting funds, bad actors are successfully using the same financial phishing tactics we see in tax-related phish.


Shalabh Mohan

VP, Product at Area 1

With a career spanning 20 years fighting bad guys online, Shalabh leads all product and go-to-market functions at Area 1 Security, with extensive prior experience across security, enterprise, and cloud infrastructure companies such as Aspen Networks, IronPort Systems, Cisco and Bracket Computing. Shalabh and his teams have taken products from conception all the way to large-scale businesses, and in the process have consistently helped make the Internet a safer place. An alumnus of Stanford University and the University of Texas at Austin, Shalabh holds five patents and can claim to know something about enterprise infrastructure and security.
