You are the target of phishing scams because either you possess valuable information or you are a link in the chain leading to valuable information (especially in your business persona).
There has been a huge increase in the number of Business Email Compromise (BEC) attempts. This type of scam asks you to do things you do in a normal business day, unlike earlier scams which asked you to do out-of-the-ordinary things like accept millions of dollars wired from a foreign prince.
To trigger your habits, the bait used by attackers is to play on your fears, your desire to help, and your compliance to policy; for example:
- Someone posing as an executive or customer might demand that you fix a fake problem
- A fake partner might ask for your assistance in selling to a fake customer
- Someone posing as an IT administrator might demand that you reset your password by first entering your current password into a fake form
New tactics are attempting to put more realistic context around these fake demands, examples are:
- A fake executive is telling you a fake secret about a fake acquisition, and asks for real information
- A fake company leader references a commonly known issue, and asks you do to something to resolve it, something that sounds logical
- An even more subtle tactic is to build confidence over multiple emails before the attacker asks for your action (aka long game or long con). This building of confidence has a long history from military spy games to Bernie Madoff’s Ponzi Scheme.
The consequences of you taking the bait is that the attacker will steal money, steal information, steal your identity, hold your information hostage for a ransom, or unleash a virus; these days though, while a virus is bad, a virus might be the least damaging consequence of you being tricked by a phishing scam.