Oh boy. These guys just don’t stop; they’re coming up with new tricks to steal our data, left, right and center. The latest tactic is being called “clone phishing” by the security pros, and it’s genius. (Evil genius, of course. And rest assured I’m trying really, REALLY hard not to hyperlink that phrase to a certain self-proclaimed “Chief Twit”.) Anyway, here’s how it works.
Attack of the clones
First, the attackers gain access to an organization’s email system through an initial phishing expedition. Then, from within this hacked email account, they get hold of a legitimate message that has already been sent and clone it. Like a cloned website, the cloned phishing message looks practically identical to the original, right down to the sender’s name and logos (if it came from a business) or other images. Next, they resend this cloned message to the same recipient(s) but claim to have forgotten to include a certain attachment or link (or say they sent the wrong attachment or link in their last message, in error). You can likely guess the rest: the user clicks the new link and lands on a cloned website where they are prompted to enter their personal data, or opens the new attachment and has malware downloaded onto their computer. No bueno.
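The pattern just described (a follow-up that reuses an earlier message's text, swaps in a new link or attachment, and adds a "forgot/wrong attachment" excuse) is concrete enough that a mail gateway or SOC script can check for it. This is an added example, not part of the original post; the thread below is constructed with placeholder names and domains.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"')]+")
# Wording a clone-phish follow-up leans on: "forgot the attachment", "sent the wrong link"
CUE_RE = re.compile(r"\b(forgot|forgotten|missing|wrong|incorrect|updated|correct)\b"
                    r"[^.!?]*\b(attachment|link|file|document)s?\b", re.IGNORECASE)

def link_hosts(body):
    """Hostnames linked from a message body."""
    return {urlsplit(u).hostname for u in URL_RE.findall(body)}

def coverage(original_body, candidate_body):
    """Fraction of the original text that reappears verbatim in the candidate (URLs masked first)."""
    a, b = (URL_RE.sub("<url>", t) for t in (original_body, candidate_body))
    blocks = SequenceMatcher(None, a, b, autojunk=False).get_matching_blocks()
    return sum(m.size for m in blocks) / max(len(a), 1)

def assess_followup(original, candidate, min_coverage=0.9):
    """Flag a follow-up that reuses an earlier message's text but swaps in new links or files."""
    reused = coverage(original["body"], candidate["body"]) >= min_coverage
    new_hosts = link_hosts(candidate["body"]) - link_hosts(original["body"])
    new_files = set(candidate["attachments"]) - set(original["attachments"])
    cue = CUE_RE.search(candidate["body"]) is not None
    reasons = [r for flag, r in (
        (reused, "body reuses the earlier message"),
        (new_hosts, f"new link host(s): {sorted(new_hosts)}"),
        (new_files, f"new attachment(s): {sorted(new_files)}"),
        (cue, "'forgot/wrong attachment or link' wording")) if flag]
    # All three traits together are the clone-phishing pattern; any one alone is routine mail
    return bool(reused and cue and (new_hosts or new_files)), reasons

# Constructed sample thread (placeholder names and domains, not real mail)
ORIGINAL = {"body": "Hi team, the Q3 invoice is attached. Pay via "
                    "https://billing.example.com/inv/123 by Friday. Thanks, Dana",
            "attachments": ["Q3-invoice.pdf"]}
CLONE = {"body": ORIGINAL["body"].replace("billing.example.com", "billing.example-secure.net")
                 + "\n\nSorry, I sent the wrong link in my last message, please use this one.",
         "attachments": ["Q3-invoice.pdf"]}
BENIGN_REPLY = {"body": "Thanks Dana, received.", "attachments": []}

if __name__ == "__main__":
    print(assess_followup(ORIGINAL, CLONE))         # (True, [three reasons])
    print(assess_followup(ORIGINAL, BENIGN_REPLY))  # (False, [])
```

In practice the "original" comes from the same thread in the mailbox or gateway logs; a sender that clears the reuse check but fails SPF/DKIM/DMARC for the same display name is a second, independent signal worth correlating.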
The one and only solution
Training. I’ll say it louder for the folks in the back: TRAINING! Intensive and regularly repeated cybersecurity training is the only way people learn to be skeptical about everything they receive through email. I’ll be honest, this is such a clever trick that I can see myself, possibly the most skeptical of skeptics out there, falling for it. With the holidays upon us – my favorite time of year – I’m typically that glass-half-full, rose-colored-glasses kinda gal. But with news of this new hack, sigh, I need to get back to being my cynical old self and double (triple?) check every message I get for signs of phishing. You – and your staff – should do the same.