Phish of the Week: Are You the Mark in History’s Most Successful Con?

It’s Not Like in the Movies – The Harsh Reality of a Real-Life Con

Dirty Rotten Scoundrels. The Sting. Matchstick Men…

The list of amazing con movies runs long and we all have our favorites. Personally, I am partial to The Usual Suspects, an example of a great con movie that had us twisted up until the very end. We all love a good con in the movies, but in real life? Not so much. 

Whether it is reel or real life, “authenticity” is at the core of a good con. And authenticity is at the core of how threat actors manipulate individuals and organizations: they impersonate trusted business partners in brazen ways to achieve malicious outcomes, financial or otherwise. 

By all measures, advanced Type 3 BEC phishing attacks seem well on their way to becoming one of the most successful cons in cybersecurity history; current FBI estimates put aggregate losses from BEC phishing attacks alone at almost $26B.


Now that’s a number that would make Keyser Soze extremely happy … that is, if he is real? 

Beyond Email Authentication & Gateways: How to Stop Financial Cybercrime in 2020

2020 is shaping up to be the perfect scenario for successful financial phishing. With an extended tax season and a massive remote workforce affected by COVID-19 uncertainty, bad actors have more exploitative material to trick your employees. 

In fact, there’s a new spike in information-gathering scams, credential theft campaigns and other financial phishing attacks, which: 

  • Bypass O365, Gmail, email gateways and sender authentication; 
  • Exploit real e-commerce sites, online tax services, banks and more to inflict damage

Learn from counter cyberintelligence and DoD expert, Juliette Cash, about how to stop these email-, web- and network-based attacks. Sign up for the on-demand SecurityWeek webinar here.


“Don’t Shoot the Messenger,” says DMARC

We’re often asked, “Isn’t DMARC supposed to catch phish?”

To answer, consider the US Postal Service: the origin of packages from the Unabomber. 

Yes, the same US Postal Service is also the benevolent origin of birthday packages from Mom.

But like the Unabomber, bad actors use authentic messengers to deliver malicious contents. That is precisely why email authentication is insufficient at blocking socially engineered phish that come from trusted sources (which they often do).

DMARC, DKIM and SPF don’t check what’s in your email “packages.”

View a short video explainer here
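The point above (authentication answers “who handed this to the post office?”, not “what is inside?”) is easy to see with a small message classifier. This is an added example, not Area 1’s code or any product logic: it parses an RFC 8601 Authentication-Results header, then runs separate content checks (payment-diversion phrasing and links pointing off the sender’s domain) over the body. The sample message, the domains and the phrase list are all constructed for illustration.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample message (not from the page): it passes SPF, DKIM and DMARC
# at the receiving MTA, yet the body is a classic payment-diversion lure.
# All domains and the URL are placeholders.
SAMPLE_RAW = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=vendor-partner.example;
 dkim=pass header.d=vendor-partner.example;
 dmarc=pass header.from=vendor-partner.example
From: Accounts Payable <ap@vendor-partner.example>
To: finance@example.net
Subject: Updated banking details for invoice 4471
Content-Type: text/plain; charset=utf-8

Hello,
Our bank account has changed. Please update your records before the wire goes out.
Confirm the new details here: http://vendor-partner-portal.example/verify
"""

# method=result pairs as written in an Authentication-Results header
# (RFC 8601 syntax: "spf=pass", "dkim=fail", "dmarc=none", ...).
AUTH_RESULT_RE = re.compile(
    r"\b(spf|dkim|dmarc)=(pass|fail|none|softfail|neutral|temperror|permerror)\b",
    re.IGNORECASE,
)

# Phrases typical of payment-diversion BEC; a constructed, illustrative list.
BEC_PHRASES = [
    r"bank account has changed",
    r"updated? (?:your )?(?:banking|bank|payment) details",
    r"before the wire",
    r"urgent",
]


def parse_authentication_results(header_value: str) -> dict:
    """Return a dict like {'spf': 'pass', 'dkim': 'pass', 'dmarc': 'pass'}.
    Only the first result per method is kept (a header may list several)."""
    results = {}
    for method, result in AUTH_RESULT_RE.findall(header_value or ""):
        results.setdefault(method.lower(), result.lower())
    return results


def sender_domain(msg) -> str:
    """Domain of the RFC5322.From address, lower-cased, or '' if absent."""
    m = re.search(r"@([A-Za-z0-9.-]+)", msg.get("From", ""))
    return m.group(1).lower() if m else ""


def body_text(msg) -> str:
    """Plain-text body, decoded; handles single-part and multipart messages."""
    if msg.is_multipart():
        parts = [p.get_payload(decode=True) or b"" for p in msg.walk()
                 if p.get_content_type() == "text/plain"]
        return "\n".join(p.decode("utf-8", "replace") for p in parts)
    payload = msg.get_payload(decode=True) or b""
    return payload.decode("utf-8", "replace")


def content_indicators(msg) -> list:
    """Content-level checks that SPF/DKIM/DMARC never perform."""
    text = body_text(msg)
    hits = [f"phrase:{p}" for p in BEC_PHRASES if re.search(p, text, re.IGNORECASE)]
    sdom = sender_domain(msg)
    for url in re.findall(r'https?://[^\s<>"]+', text):
        host = (urlparse(url).hostname or "").lower()
        # Flag links whose host is neither the sender's domain nor a subdomain of it.
        if host and host != sdom and not host.endswith("." + sdom):
            hits.append(f"offdomain-link:{host}")
    return hits


def classify(raw: str) -> tuple:
    """Return (authenticated, indicators). A message can be fully authenticated
    AND flagged: the two checks answer different questions."""
    msg = message_from_string(raw)
    auth = parse_authentication_results(msg.get("Authentication-Results", ""))
    authenticated = auth.get("dmarc") == "pass"
    return authenticated, content_indicators(msg)


if __name__ == "__main__":
    ok, flags = classify(SAMPLE_RAW)
    print("DMARC pass:", ok)              # True: the messenger is genuine
    print("content indicators:", flags)   # non-empty: the package is not
```

Running it on the constructed sample reports `dmarc=pass` alongside three content indicators (two payment-change phrases and a link to a look-alike host). A mail gateway that gates only on the first result would deliver the message; the second set of checks is the part authentication leaves to you.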


A Warning from the Treasury about Taxpayer Email Scams

Stimulus checks are yet another coronavirus-triggered hacker opportunity. Intercepting and diverting funds, bad actors are successfully using the same financial phishing tactics we see in tax-related phish.



Shalabh Mohan

VP, Product at Area 1

With a career spanning 20 years fighting bad guys online, Shalabh leads all product and go-to-market functions at Area 1 Security, with extensive prior experience across security, enterprise, and cloud infrastructure companies such as Aspen Networks, IronPort Systems, Cisco and Bracket Computing. Shalabh and his teams have taken products from conception all the way to large scale businesses; and in the process have consistently helped make the Internet a safer place. An alumnus of Stanford University and the University of Texas at Austin, Shalabh holds five patents and can claim to know something about enterprise infrastructure and security.
