Email: “Hi, this is IT. It looks like your password is expired. Please change your password by clicking this link. Ignore the weird from address and the fact that the link obviously goes to a noncompany website. We’re really from your IT department. Promise!”
Way too many users: “Yup. This looks legit. Better coick that link and enter all of my information right now!”
“Hi Karen , this is HR. You can now log anonymous complaints about IT, by logging into this external website with your company credentials. We provide this for your security because IT is able to monitor in network communication.”
You guys are killing me! I know so many people who get their Facebook profiles hacked like this. It just cracks me up because it seems silly to fall for. It always looks wrong and the address is ridiculous.
on some level, scammers are deliberating targeting the easiest marks. If you send out millions of phishing emails, you’re looking to catch a dozen or so of the least tech savvy people you can.
And it’s a cheap net to use. If I were to lose all sense of morals, I could buy a list of 1 million emails for very little money. Crafting and sending an email to each of those emails would essentially be free. (There’s some cost involved, but it would be very low.)
If I got a 1/100th of 1% reply rate, that’s 100 victims. Get $1,000 from each of them and you’ve got yourself a tidy profit.
Thankfully, there are spam filters and other technologies that can reduce the success rate, but it’s so cheap to send all those emails that pretty much any success can result in profit. And as long as it is profitable, spammers will keep sending out their messages.
A lot of companies now configure their email security software to prepend a “this email came from an external source. Be careful!” notice to all emails that come from outside the company, to try and avoid issues like this.
My company does this. They also have an outside agency regularly send fake phishing emails to everyone. Invariably, some people always fall for it no matter how much education is done. At least, when they fall for the fake phishing emails, though, my company can gauge just how much education is needed to prevent real phishing attempts from succeeding.
read: Cheryl in accounting typed her credentials into a random form.
Email: “Hi, this is IT. It looks like your password is expired. Please change your password by clicking this link. Ignore the weird from address and the fact that the link obviously goes to a noncompany website. We’re really from your IT department. Promise!”
Way too many users: “Yup. This looks legit. Better coick that link and enter all of my information right now!”
“Hi Karen , this is HR. You can now log anonymous complaints about IT, by logging into this external website with your company credentials. We provide this for your security because IT is able to monitor in network communication.”
You guys are killing me! I know so many people who get their Facebook profiles hacked like this. It just cracks me up because it seems silly to fall for. It always looks wrong and the address is ridiculous.
on some level, scammers are deliberating targeting the easiest marks. If you send out millions of phishing emails, you’re looking to catch a dozen or so of the least tech savvy people you can.
That’s true cast, a big net I guess.
And it’s a cheap net to use. If I were to lose all sense of morals, I could buy a list of 1 million emails for very little money. Crafting and sending an email to each of those emails would essentially be free. (There’s some cost involved, but it would be very low.)
If I got a 1/100th of 1% reply rate, that’s 100 victims. Get $1,000 from each of them and you’ve got yourself a tidy profit.
Thankfully, there are spam filters and other technologies that can reduce the success rate, but it’s so cheap to send all those emails that pretty much any success can result in profit. And as long as it is profitable, spammers will keep sending out their messages.
There are legitimate third party services for company to receive anonymous ethics complains, or to poll employees pseudo-anonymously.
If done well it’s not using the company credentials.
But it would indeed a sneaky way to fish employees.
Legitimate? Anything like that is at least one of two kinds of painfully obvious trap, namely:
A lot of companies now configure their email security software to prepend a “this email came from an external source. Be careful!” notice to all emails that come from outside the company, to try and avoid issues like this.
My company does this. They also have an outside agency regularly send fake phishing emails to everyone. Invariably, some people always fall for it no matter how much education is done. At least, when they fall for the fake phishing emails, though, my company can gauge just how much education is needed to prevent real phishing attempts from succeeding.