Rather than go for the phishing jugular and point the victim immediately to a webpage that steals credentials or personal details, a new phishing campaign uses a chatbot to lower the victim's defenses first.
One risk a phishing scammer takes when presenting a malicious link or attachment is that the recipient has no prior connection with the email or its sender and simply may not engage with the malicious content.
But a new campaign identified by security researchers at TrustWave seeks to build a “relationship” of sorts between victim and scammer: the victim is first pointed to a chatbot, interacts with it, answers its questions, and establishes a comfort level before anything sensitive is requested.
According to TrustWave, victims are sent an email about a package delivery problem and are given a link that takes them to a chat window (screenshot below):
[Screenshot of the chatbot conversation. Source: TrustWave]
The victim is walked through a series of questions designed to build credibility that the chatbot (and therefore the sender) is legitimate; once the victim “trusts” the chatbot, the scam kicks in and the victim is asked for their credit card details.
[Screenshot of the chatbot requesting credit card details. Source: TrustWave]
This is a clever method of gaining the victim’s trust: the victim is made to interact with the scammer’s environment, which asks seemingly appropriate questions that further legitimize the initial email. The campaign demonstrates that phishing scammers are improving their game and finding ways to trick users more easily.
This is one of the reasons why Security Awareness Training is so important; the initial email (regardless of its content) is one of the key indicators that a scam is afoot. One of the things taught in this kind of training is “if you’re not expecting it, default to scrutiny over trust.” In the case of this shipping scam, a moment of pause and scrutiny (Was a delivery actually expected? Does the link go to the carrier’s real domain?) would likely reduce the effectiveness of this new technique.