IT personnel working the trenches in the fight against malicious emails know that financial transactions — and the various documents that support and accompany those transactions — provide malicious actors seemingly endless fodder for clever phishing attacks designed to separate legitimate organizations from their money and reputations, as well as their customers, clients, and partners.
Indeed, fake invoices, RFQs, POs, ACH documents, and remittance forms collectively constitute the “social engineering” backbone of innumerable phishing campaigns. And hapless employees keep falling for them, clicking through malicious links and opening malware-laden attachments — often with nary a thought to the potential consequences — bringing malicious actors and their sophisticated malware inside their employers’ networks.
Over the past few months we have observed the increasing use of yet another type of transaction-based social engineering scheme designed to hook companies dependent on government contracts: the invitation to bid. In what follows, we’ll take a look at a number of actual phishing emails reported to us by customers using the Phish Alert Button (PAB).
Continue reading at: SC Magazine