4 points

Inspired by this post, I just created a phishing test for my staff with a malicious URL in a “report this as spam” link, complete with a required training for those who click the link.

35 points

Our IT sent out a test once that was a fake “someone sent you this document on teams” link and I fell for it assuming it was another stupid Microsoft workflow for sharing documents. The only reason I didn’t actually hit the log in part that would have got me reported was because I didn’t care enough about whatever it was that was supposedly sent to me.

4 points

I send anything that isn’t plain text or something I requested straight to security to keep those fucks sharp. I wish they summarized emails I sent them instead of complaining that I keep doing it though.

4 points

yeah the only phishing tests that got me were that and an invite to a Teams team because i get added to a new team every week or so lol

2 points

If it’s not in Slack, it doesn’t exist

59 points

I heard once that the reason that those phishing emails are (usually) pretty obvious is because the phisher doesn’t want to accidentally catch a more attentive and careful victim, spend time trying to wire money from them, only for the victim to realize that it’s a scam before following through, therefore wasting the phisher’s time. The type of person to fall for the Nigerian prince stuff is not common, but they exist and the odds of them paying out are much higher.

4 points

Depends on what the end goal is. Wire fraud? Sure. Typically a Business Email Compromise will try and compromise the account credentials to use it as a location to send other mass phishing attacks to their contacts, gain access to sensitive information the user had, or laterally move between systems and further compromise the organization. In that case, you would want the message to appear as legitimate as possible to gain access to the highest privileged accounts.

13 points

I’ve heard that too. But, super-realistic scams exist, so if that’s right it’s just splitting the difference between the two that’s a bad strategy.

14 points

It’s mass phishing versus spear phishing. I believe anyone would fall for a highly specific spear phishing campaign from dedicated individuals, but I don’t believe most people are important enough to be victims of it nor do most people need to really do it.

2 points

The cost of people to run the scams is also a big factor. If poor quality can actually be an asset, slave labour from Myanmar or similar is going to be very competitive. You can have a small center full of those unfortunate people for the price of one Western cracker to do spear phishing.

3 points

Right and the motives are likely going to be different too. Mass phishers are just out to make a quick buck, but targeted phishing could be for money, intelligence, disruption, making a statement, or even just clout.

48 points

wow I hate this meme format

95 points

privacy policy

look inside

sells your data

35 points

The policy is that you don’t have privacy and that they sell your data.
