I don’t understand why y’all are surprised.
This is a targeted social engineering campaign. Did you not get training from your company’s security team on what well-engineered, targeted social engineering attacks like this look like?
Always verify the authenticity of your comms. And certainly verify the address to which you’re sending (be it SWIFT wire, IBAN, or a crypto public key) before sending a dime!
Our Head of Accounting got an e-mail to his private mail address with just a link to a Word document on some random OneDrive.
It contained an invoice over $4000 for “AI services”, payable via money transfer.
He sent it to the accounting department and told them to pay it.
Luckily, one of the accountants actually had a brain, and she forwarded it to IT.
God. I hope they got a very stern lecture from their superiors and mandatory retraining from their security team.
Also, their laptop should be wiped and rebuilt after opening a Word document from “some random OneDrive”.
As an IT professional, I would genuinely suggest blocking this individual from sending or receiving email from any non-business email domains.
No Gmail, no Yahoo, no Zoho, no Outlook, no ProtonMail, etc.
Everyone gets yearly mandatory training. And every time you open Outlook, you get a reminder to stay vigilant, with a fun cartoon from the graphics department that changes daily to keep people’s attention.
Last year someone in the upper half of the food chain fell for a phishing mail. We nuked his account and recreated it with “p.lastname” instead of the usual scheme “peter.lastname”.
He had to inform all his contacts about his new e-mail address, and his coworkers called him pee-dot behind his back for a while.
After that, people got a lot more careful; it was better than any training.
But somehow, it’s usually upper management that’ll call the IT lead and demand to unblock a website RIGHT NOW because they need it, and when you check it out, it’s a phishing link.
Time to fire upper management.
Well yeah, those with power have the power to not listen to the skilled people below them.