New attacks initially coming in via email are directing victims to make phone calls to attacker-controlled call centers in order to provide banking and credit card details.
I’ve brought these kinds of phishing-turned-vishing attacks to your attention previously with examples of fake Amazon password resets or fake orders for expensive items – both pointing recipients to call phone numbers. But new examples of these increasingly frequent attacks are coming to light.
Rather than sending an email referencing an invoice attachment (usually for the purposes of installing malware), these scams simply use the email as the invoice or payment notice and drive readers towards calling a phone number to dispute the charge.
These scams are intent on getting recipients to divulge their credit card or banking details – all in the name of “getting you a refund”.
Once again, this very much unsolicited email should raise a red flag with anyone who receives it, erring on the side of “this is utter garbage” instead of “Oh my! I don’t owe that!” (which is exactly what the scammers want). Security Awareness Training is the means by which organizations teach users how to stay in that ever-vigilant mode when interacting with email and the web. By doing so, instead of taking everything at face value and believing it by default, users interact with unfamiliar content like this in a far more scrutinizing manner and are less likely to become victims.
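The traits described above (the email body itself is the invoice or payment notice, there is no attachment, and the reader is pushed to call a phone number to dispute the charge) can also be checked mechanically in a mail pipeline alongside training. The following is an added example, not code from the original post; the keyword lists, phone-number pattern, function names and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string

# Assumed heuristics, constructed for this example (tune on your own mail flow).
BILLING = re.compile(r"\b(invoice|order|charged?|payment|renewal|subscription)\b", re.I)
CALL_TO_DISPUTE = re.compile(
    r"\b(call|dial|phone|contact)\b.{0,80}\b(dispute|cancel|refund)\b|"
    r"\b(dispute|cancel|refund)\b.{0,80}\b(call|dial|phone|contact)\b", re.I | re.S)
PHONE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")

def body_text(msg):
    """Concatenate inline text parts, skipping anything sent as a file."""
    parts = []
    for part in msg.walk():
        if part.get_content_maintype() == "text" and part.get_filename() is None:
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)

def callback_phish_signals(raw):
    """Return the four traits of the email-as-invoice, call-to-dispute lure."""
    msg = message_from_string(raw)
    text = body_text(msg)
    return {
        "billing_language": bool(BILLING.search(text)),
        "phone_number": bool(PHONE.search(text)),
        "call_to_dispute": bool(CALL_TO_DISPUTE.search(text)),
        "no_attachment": not any(p.get_filename() for p in msg.walk()),
    }

def is_suspect(raw):
    # Flag only when every trait is present, to keep ordinary receipts out.
    return all(callback_phish_signals(raw).values())

# Constructed sample messages (fictional addresses and a reserved 555-01xx number).
SAMPLE_LURE = """From: billing@example.com
To: user@example.org
Subject: Payment notice

Your order #0000 has been placed and your card was charged $499.99.
If you did not authorize this, call 1-800-555-0100 to dispute it and get a refund.
"""
SAMPLE_RECEIPT = """From: store@example.com
To: user@example.org
Subject: Your receipt

Thanks for your order. Your payment was received. View details in your account.
"""

if __name__ == "__main__":
    for name, raw in (("lure", SAMPLE_LURE), ("receipt", SAMPLE_RECEIPT)):
        print(name, is_suspect(raw), callback_phish_signals(raw))
```

A match is a reason to quarantine or banner the message for review, not proof of fraud, since legitimate billing mail can also carry a support number.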