Earlier today I asked you about these emails. Now let me explain why I did this and give you the answers. https://twitter.com/Queen_fennec/status/1355110715904942083
Let's start with the answers. Both emails were reported to my security team by our colleagues as suspected phishing/malware. I did not make this up. They were both sent to my organisation.
Remember the first email? This actually had a file attached that was supposed to be the presentation.

This, ladies and gentlemen, turned out to be Emotet.

The presentation they talk about was actually given to the commission by the recipient. Even the exact date was correct.
They spoofed the sending address. But I was stunned to find out this was not a targeted attack. Emotet, as it turns out, takes email conversations from the email account it infects and redistributes old email conversations while adding the malware as attachment.
This email was very clever. The only reason our employee did not fall for it was because the presentation was 3 years ago and she never sent the European Commission the actual slides. As you can see from the poll results, this is a tough one to call.
Now, for the second one. To be fair, I myself would have also called this a phish. There's really not much to go on here. We actually called the company that owns the platform in question to verify if this was sent by them or not and.... it's genuine.
They have a supplier that sends out these automated emails from another domain that in no way resembles theirs. I have my doubts about how effective their password reset requests are when sent this way.
The point I'm trying to make is that even for experts, it can be extremely difficult to spot if an email is real or not. Now, had I given you guys all the info, the polls might have been different. Context is important, I realise that.
But I had all that and the second email still had me fooled.

So how, if even the experts have a hard time telling, can we expect our employees and colleagues to be able to? Why do we insist on sending them fake phishing mails for "awareness" when we can fall for the actual thing?
I'm just trying to say: if the context is there and the phishing mail is good enough, we are all at risk.

Try to find ways to raise awareness without fake phishing and do everything in your power to make sure phishing never even reaches their inbox in the first place.

Thanks!
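One way to act on the last point (keep this class of mail out of the inbox rather than relying on the recipient) is to triage replies for the three traits the thread describes: a spoofed sending address, an attachment on a reply to an old conversation, and a quoted thread that is years stale. The script below is an added example and is not code from the thread's author; the sample messages, the Return-Path/From comparison, the attachment extension list and the 365-day staleness threshold are all my own assumptions for illustration.

```python
"""Heuristic triage for reply-chain hijacking of the kind the thread describes.

Added example, not from the original thread. Sample messages are constructed
inline; thresholds and indicator choices are assumptions, not a vendor rule set.
"""
import re
from datetime import datetime, timezone
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr, parsedate_to_datetime

# Assumed: file types a hijacked reply would typically carry. Tune for your estate.
SUSPICIOUS_EXT = (".doc", ".docm", ".xls", ".xlsm", ".zip", ".js")
# Assumed: a quoted conversation older than this is unusual for a genuine follow-up.
STALE_DAYS = 365
# Fixed reference time so the example behaves the same every run.
NOW = datetime(2021, 1, 28, tzinfo=timezone.utc)


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of a header address, or '' if none."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def analyse(raw: str, now: datetime = NOW) -> dict:
    """Score one RFC 5322 message for reply-chain hijacking indicators."""
    msg = message_from_string(raw, policy=policy.default)
    findings = {}

    # 1. Spoofed display sender: envelope sender domain differs from From: domain.
    from_dom = domain_of(str(msg.get("From", "")))
    rp_dom = domain_of(str(msg.get("Return-Path", "")))
    findings["sender_mismatch"] = bool(rp_dom) and rp_dom != from_dom

    # 2. Attachment of a type that usually carries the malicious payload.
    names = [(p.get_filename() or "").lower() for p in msg.iter_attachments()]
    findings["risky_attachment"] = any(n.endswith(SUSPICIOUS_EXT) for n in names)

    # 3. Quoted conversation is stale: look for Outlook-style "Sent:"/"Date:"
    #    lines in the body and compare them with the reference time.
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    stale = False
    for m in re.finditer(r"^(?:>\s*)?(?:Sent|Date):\s*(.+)$", body, re.M):
        try:
            quoted = parsedate_to_datetime(m.group(1).strip())
        except (TypeError, ValueError):
            continue
        if quoted.tzinfo is None:
            quoted = quoted.replace(tzinfo=timezone.utc)
        if (now - quoted).days > STALE_DAYS:
            stale = True
    findings["stale_quoted_thread"] = stale

    # Two or more indicators together is the pattern; any single one is common.
    score = sum(1 for v in findings.values() if v)
    findings["verdict"] = "quarantine" if score >= 2 else "deliver"
    return findings


def build_sample(spoofed: bool, stale: bool, attach: bool) -> str:
    """Construct a sample reply (constructed data, not a real captured email)."""
    msg = EmailMessage()
    msg["From"] = "Alice Example <alice@example.org>"
    msg["To"] = "Bob Example <bob@example.org>"
    # Return-Path is normally stamped by the receiving MTA; set here for the demo.
    msg["Return-Path"] = "<relay@mail-bulk.example.net>" if spoofed else "<alice@example.org>"
    msg["Date"] = "Thu, 28 Jan 2021 10:12:00 +0100"
    msg["Subject"] = "RE: Presentation for the Commission"
    quoted_date = "Tue, 13 Mar 2018 09:00:00 +0100" if stale else "Wed, 27 Jan 2021 16:30:00 +0100"
    msg.set_content(
        "Hi Bob,\n\nPlease find the slides attached.\n\n"
        "-----Original Message-----\n"
        "From: Bob Example <bob@example.org>\n"
        f"Sent: {quoted_date}\n"
        "Subject: Presentation for the Commission\n\n"
        "Could you send me the slides you presented?\n"
    )
    if attach:
        msg.add_attachment(b"placeholder bytes, not a real document",
                           maintype="application", subtype="msword",
                           filename="presentation.doc")
    return msg.as_string()


if __name__ == "__main__":
    print("hijacked reply :", analyse(build_sample(spoofed=True, stale=True, attach=True)))
    print("genuine reply  :", analyse(build_sample(spoofed=False, stale=False, attach=True)))
```

Run it and the constructed hijacked reply lands on "quarantine" while the genuine follow-up with the same attachment type is delivered; the point of requiring two indicators is that a lone attachment or a lone forwarding-domain mismatch (the second email in the thread is exactly that) is too common to block on its own.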
You can follow @Queen_fennec.