Security professional Jeffrey Ladish almost fell for a phishing attempt. Jeffrey was house hunting and was looking on Craigslist and Zillow for rental properties in San Francisco. He reached out about a beautiful property to inquire about a tour. Despite his experience as a security professional, he didn't realize that this was a scam until the third email.
He documented the experience to show that the best phishing attacks can look very convincing. The usual advice is to look out for poor grammar and formatting to catch phishing, but cases like this one show how far sophisticated attackers will go to pattern-match legitimacy.
Below is the screenshot of the listing Jeffrey found online:
And here is the initial email Jeffrey received:
At this point, he still did not realize that this was a sophisticated phishing attack. It was the third email that finally looked suspicious:
By then it was clear that this was a scam and that the scammer's backstory did not add up.
To keep you and your organization from falling victim to an attack like this one, it's important to always look for red flags. Jeffrey wrote: "The first red flag was “So we’ll keep our communication to email if that’s ok with you”. The second was the weirdness about Airbnb. Why would they want me to pay through Airbnb? The third was the excessive amount of pictures to convince me this was a real person. If they were in fact a real person, why were they trying so hard to convince me?" Always stay vigilant for these warning signs: a request to move the conversation off the platform, a request to pay through an unrelated service, and a sender who works unusually hard to convince you they're real. Does it seem like someone is trying too hard to convince you?
It's also important to provide new-school security awareness training for you and your end users. Through continual education, users can be taught to remain vigilant, especially when faced with communications that look very authentic.