Remember the good old days when it was pretty easy to recognize a phishing attack? Who couldn’t determine that an email asking for verification of one’s banking credentials was a fake after seeing that it was from the wrong bank? Those are so 2017. It’s different now. The phishers have upped their game and we all need to be ever more meticulous in our efforts to avoid becoming a victim of a phishing attack. Here is just one example of how these types of attacks are evolving.
Instead of simply sending out mass emails to individuals hoping to trick a few poor souls into verifying their login credentials to some account, cybercriminals are now starting to pretend to be a potential new client of, let’s say, a tax professional. The cybercriminals send email to a few tax professionals inquiring about their services. Once one of these tax professionals responds, a second email, which contains a malicious payload, will be sent back to the tax professional. If the tax professional takes the bait, the malicious payload will allow the cybercriminal to completely take over the tax professional’s computer, giving complete access to the client contact database. This is where it gets interesting.
The cybercriminal now has the ability to send out very legitimate-looking emails to all of the tax professional’s clients in order to try to obtain their financial records, and that’s exactly what happens. Any client who responds will eventually learn that a fake tax return was filed in their name using the illegally obtained information. Trust me on this one, the subsequent headaches are just getting started.
So, what to do? Stay vigilant and, I’ll say it again, become ever more meticulous in your efforts to identify phishing attacks. For example, if an email is unexpected even though it appears to come from a known and trusted source, stop. Pick up the phone and call this person to make certain they actually sent it. Also, don’t trust that any phone number provided in the email is accurate. It may not be. Look it up yourself. If you must send tax or financial information via email, never hit reply and attach documents. Type out the correct email address on your own, triple verify that the address of the recipient is correct, and make sure you encrypt the attachments if not the entire email.
That said, if you ask me, it’s only a matter of time before the cybercriminals start pretending to be potential clients of lawyers, if they haven’t already. All I can say about this possibility is verify before you trust and make sure that all tech hardware and software is current in terms of patches and updates.