Skip to content
Search
  • There are no suggestions because the search field is empty.
Cancel
Get Started Now

    Security Awareness Training Blog

    A Can of Phishbait: from Surveys to Rule Changes to Your Boss's Boss

    A Can of PhishBaitEmployees need to continue being wary of phishing scams as they begin to return to the office, according to Roger Kay at INKY. Kay describes several phishing templates that INKY has intercepted in recent months, including one that informed recipients that they needed to fill out a compliance form related to COVID-19 risks.

    “Reasonably well written, this email, apparently from the human resources department at the target company, actually came from phishers located in the United Kingdom,” Kay writes. “There are elements that might strike the recipient as strange. For example, the phrase ‘recuperating favorably’ is a bit off. Noncompliance is spelled ‘non-compliance.’ And ‘these guide and policies’ has an agreement-of-number problem. But otherwise, it’s a pretty good fake, including the legitimate SharePoint link embedded in the email. The problem with the link was that it led to a real but hijacked SharePoint site that was turned into a credential harvesting operation.”

    Another phishing email purported to be sent from a company’s HR department asking all employees to take a survey regarding their interest in receiving a COVID-19 vaccine. The email contained a link to “survymonky/r/HPG23P”(spoofing the entirely legitimate and very familiar surveymonkey.com).

    Kay also describes an email that appeared to come from the company’s CEO and abused an open redirect link to fool the target into thinking the link was benign.

    “[E]mbedded within it was a link that used Google's open redirect capability to send those who clicked through to a malware injection site or a credential harvesting operation,” he writes. “The cybercriminal was able to exploit a weakness that some legitimate websites like Google use that allows users to input parameters in a link that redirects to other sites. What the user sees is ‘google.com’ followed by a long URL path. Even if the recipient were to scrutinize the URL, all they'd see was a good-looking Google redirect.”

    New-school security awareness training can enable your employees to recognize phishing scams and other forms of social engineering.

    INKY has the story.

     

    Return To KnowBe4 Security Blog

    Free Phishing Security Test

    Would your users fall for convincing phishing attacks? Take the first step now and find out before bad actors do. Plus, see how you stack up against your peers with phishing Industry Benchmarks. The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.

    PST ResultsHere's how it works:

    • Immediately start your test for up to 100 users (no need to talk to anyone)
    • Select from 20+ languages and customize the phishing test template based on your environment
    • Choose the landing page your users see after they click
    • Show users which red flags they missed, or a 404 page
    • Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
    • See how your organization compares to others in your industry

    Go Phishing Now!

    PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:

    https://www.knowbe4.com/phishing-security-test-offer

    Topics: Social Engineering, Phishing, COVID-19

    Stu Sjouwerman

    ABOUT STU SJOUWERMAN

    Stu Sjouwerman (pronounced “shower-man”) is the founder and CEO of KnowBe4, Inc., which hosts the world’s most popular integrated security awareness training and simulated phishing platform, with over 54,000 organization customers and more than 50 million users. A serial entrepreneur and data security expert with 30 years in the IT industry, Stu was the co-founder of Inc. 500 company Sunbelt Software, a multiple award-winning anti-malware software company that was acquired in 2010.

    Read more from Stu »

    Subscribe to Our Blog


    Security Awareness Training
    Blog RSS Feed
    Comprehensive Anti-Phishing Guide
    All Posts

    Posts by Tag

    See all

    Posts By Topic

    View All

    Get the latest about social engineering

    Subscribe to CyberheistNews