New Phishing Campaign Uses ChatBot Functionality to Build Trust and Steal Credit Card Details



Rather than go for the phishing jugular and point the victim immediately to a webpage to steal credentials or personal details, a new phishing campaign uses a chatbot to lower victim defenses.

One of the risks a phishing scammer takes when they present a malicious link or attachment and expect the recipient victim to click on it is that the user has no connection with the email or the sender and may not engage with the malicious content.

But a new campaign identified by security researchers at TrustWave seeks to build a “relationship” of sorts between the victim and the scammer by first pointing the victim to a chatbot that the user interacts with, answers questions from, and establishes a comfort level with.

According to TrustWave, victims are sent an email about a package delivery problem and are given a link that takes them to a chatbox (shown below):

[Image: the chatbox. Source: TrustWave]

The victim is asked a series of questions that help build credibility that the chatbot (and therefore the sender) is legitimate. Once the victim “trusts” the chatbot, the scam kicks in and the victim is asked for their credit card details.

[Image. Source: TrustWave]

This is a somewhat brilliant method of gaining the victim’s trust: the victim interacts with the scammer’s environment, which asks seemingly appropriate questions that further legitimize the initial email. This campaign demonstrates that phishing scammers are improving their game, finding ways to more easily trick users.

This is one of the reasons why Security Awareness Training is so important; the initial email (regardless of its content) is one of the key indicators that a scam is afoot. One of the things taught within this kind of training is “if you’re not expecting it, default to scrutiny over trust”. And, in the case of this shipping scam, a moment of pause and scrutiny would likely reduce the effectiveness of this new scam technique.

