Researchers at McAfee warn that attackers are increasingly utilizing PDF attachments in email phishing campaigns.
“Over the last four months, McAfee Labs has observed a rising trend in the utilization of PDF documents for conducting a succession of phishing campaigns,” the researchers write. “These PDFs were delivered as email attachments. Attackers favor using PDFs for phishing due to the file format’s widespread trustworthiness."
"PDFs, commonly seen as legitimate documents, provide a versatile platform for embedding malicious links, content, or exploits. By leveraging social engineering and exploiting the familiarity users have with PDF attachments, attackers increase the likelihood of successful phishing campaigns. Additionally, PDFs offer a means to bypass email filters that may focus on detecting threats in other file formats.”
Scammers are crafting PDFs that impersonate popular brands in order to deliver malware or trick victims into handing over sensitive information.
“Attackers employ a range of corporate themes in their social engineering tactics to entice victims into clicking on phishing links,” McAfee says. “Notable brands such as Amazon, Apple, Netflix, and PayPal, among others, are often mimicked. The PDFs are carefully crafted to induce a sense of urgency in the victim’s mind, utilizing phrases like ‘your account needs to be updated’ or ‘your ID has expired.’ These tactics aim to manipulate individuals into taking prompt action, contributing to the success of the phishing campaigns.”
The researchers offer the following advice to help users avoid falling for phishing attacks:
- “Be Skeptical: Exercise caution when receiving unsolicited emails, messages, or social media requests, especially those with urgent or alarming content."
- “Verify Sender Identity: Before clicking on any links or providing information, verify the legitimacy of the sender. Check email addresses, domain names, and contact details for any inconsistencies."
- “Avoid Clicking on Suspicious Links: Hover over links to preview the actual URL before clicking. Be wary of shortened URLs, and if in doubt, verify the link’s authenticity directly with the sender or through official channels."
- “Use Two-Factor Authentication (2FA): Enable 2FA whenever possible. This adds an extra layer of security by requiring a second form of verification, such as a code sent to your mobile device.”
KnowBe4 enables your workforce to make smarter security decisions every day. Over 65,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.
McAfee has the story.
Here's how it works:
