Beware of Fake Forwarded Phishes

email forward spear phishing attackThere are many specific, heightened challenges of spear phishing emails coming from compromised, trusted third parties. Trusted third-party phishing emails usually come from the legitimate sender’s email account, which is under control of a malicious hacker. The challenges of these types of spear phishing emails were discussed previously here.

But the risks from a compromised, trusted third-party account don’t always go away when the trusted third party gets cleaned up and the hacker is removed. In fact, the threats from a trusted third-party compromise can last for months to years. The related spear phishing attack called a ‘fake forwarded email’ is an example.

This particular type of phish arrives with subject line and message body text belonging to a previous, genuine conversation held between two legitimate parties. The message text is usually a partial or full conversation from a previously discussed thread, which often happened months to years ago. Even though this type of email usually arrives from a new, illegitimate email address, often times, the receiver’s innate familiarity with the conversation thread makes the receiver accidentally miss the new sender’s email address. It’s what the phisher is hoping for and the whole reason for this type of spear phishing attack.

These types of phishing emails will always include a new request for the receiver, to either visit a particular included URL link or open a file attachment. The message to the sender requesting action is usually something simple and short, such as “Here’s that document you requested” or “This link has the invoice you were asking about.” Many times, the action instruction has nothing to do with the included thread. I’ve often been surprised about how disjointed the request is with the original thread, but the phishers are apparently having some success with them or they wouldn’t keep using them.


All the normal anti-phishing defenses, including good and frequent security awareness training, apply. But it’s important to share these types of phishing attacks with everyone so they know about them. It’s also always important to check the sender’s email address, even if the email seems like part of a continuing thread. It’s one thing to educate and discuss and another to test if people really are looking at the sender’s FROM email address when they get sent a recognizable thread. So, test this scenario as part of your regular simulated phishing campaigns. Pick an organizational-wide email thread that got a lot of traffic and back and forth conversation with lots of participants within the company. Then send it from an external, nearly look-a-like email address and see who falls for it. Real spear “phishermen” seem to think it works.

This is also a great chance to see if your best anti-phishing “champions” who hardly ever get tricked by a real or simulated phishing test do as well on a simulated fake forwarded email. For your champions, pick a more focused email thread that they were personally involved in instead of a company-wide thread. You might have to enlist another recipient you know who frequently corresponds with them.

Fake forwarded emails are one of the most popular types of spear phishing. Don’t let a real one be the first time your users are tested.

Free Phishing Security Test

Would your users fall for convincing phishing attacks? Take the first step now and find out before bad actors do. Plus, see how you stack up against your peers with phishing Industry Benchmarks. The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.

PST ResultsHere's how it works:

  • Immediately start your test for up to 100 users (no need to talk to anyone)
  • Select from 20+ languages and customize the phishing test template based on your environment
  • Choose the landing page your users see after they click
  • Show users which red flags they missed, or a 404 page
  • Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
  • See how your organization compares to others in your industry

Go Phishing Now!

PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:

Subscribe To Our Blog

Free Phishing Security Resource Kit

Get the latest about social engineering

Subscribe to CyberheistNews