Almost all online services have a security system that will provide alerts in the form of notifications when there is suspicious activity in the user's account.
For example, a notification is sent when there is an attempt to change a user's password. Now, according to Kaspersky, this system is being misused as a phishing technique to steal user passwords.
The method is to send an email notification claiming that there has been an attempt to change the password on the user's account. The attackers are counting on their victims being worried about the security of their accounts.
The victim is then directed to click a link to a site that imitates the account login page and contains a form asking for the victim's account name and password.
If the attacker is imitating a public online service, they will usually make every effort to produce an exact copy of the genuine message. However, if the attacker is seeking access to an internal system, they often have to rely on their imagination, since they do not know what such an email is supposed to look like.
The entire content of the message in this email looks disorganized, from the use of incorrect language to logic that seems dubious: it reports that a new phone number has been linked and, at the same time, explains how to send a password reset code.
The hijacked email account can then be used for BEC (business email compromise) type attacks or as a source of information for further attacks using social engineering.
"In general, it's best to keep phishing emails out of employee inboxes as a whole. Ideally, they (plus all other unwanted correspondence, including messages with malicious attachments and BEC-related emails) should be intercepted at the email gateway level," explains Roman Dedenok, cybersecurity expert at Kaspersky, in a statement we received.
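One way a gateway-level filter can catch this class of lookalike notification is to check whether a message that is phrased like an account-security alert actually links back to the sending service's own domain. The script below is an added example written for this article, not Kaspersky's code or any product's logic; the two sample messages, the sender domain example-service.com and the lookalike host verify-login.example are all constructed for the demonstration.

```python
"""Gateway-side heuristic for lookalike security notifications.

Added example (not Kaspersky's code): flag mail that talks like an account
security alert but whose links lead somewhere other than the sending
service's own domain.  Both sample messages below are constructed.
"""
import re
from email import message_from_string
from email.message import Message
from urllib.parse import urlparse

# Phrases that typical account-security alerts use (constructed list; a real
# deployment would tune this against its own mail flow).
ALERT_PATTERNS = re.compile(
    r"password (reset|change)|reset code|unusual sign-?in|"
    r"new (device|phone number)|verify your (account|identity)",
    re.IGNORECASE,
)
URL_PATTERN = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def _body_text(msg: Message) -> str:
    """Concatenate the decoded text of every text/* part of a message."""
    chunks = []
    for part in msg.walk():  # yields the message itself when not multipart
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True)
        if payload:
            charset = part.get_content_charset() or "utf-8"
            chunks.append(payload.decode(charset, "replace"))
    return "\n".join(chunks)


def _registered_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). Fine for the demo; use a public-suffix
    list in production so hosts like example.co.uk are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyse(raw: str) -> list[str]:
    """Return the reasons a message looks like a fake security alert.

    An empty list means this heuristic found nothing; it says nothing about
    attachments, BEC content or other checks a gateway would also run.
    """
    msg = message_from_string(raw)
    match = re.search(r"@([\w.-]+)", msg.get("From", ""))
    sender_domain = _registered_domain(match.group(1)) if match else ""
    text = _body_text(msg)
    reasons: list[str] = []
    if not ALERT_PATTERNS.search(text):
        return reasons  # not phrased like a security alert; out of scope here
    for url in URL_PATTERN.findall(text):
        host = urlparse(url).hostname or ""
        if host and _registered_domain(host) != sender_domain:
            reasons.append(
                f"alert-style mail links to {host}, sender domain is {sender_domain}"
            )
    return reasons


# Constructed sample: subdomain trick, the real registrable domain is the
# attacker-controlled verify-login.example, not example-service.com.
PHISH_SAMPLE = """From: Account Security <security@example-service.com>
To: victim@corp.example
Subject: Password change attempt detected
Content-Type: text/plain; charset=utf-8

We detected a password change attempt on your account.
If this was not you, secure your account now:
https://example-service.com.verify-login.example/reset
"""

# Constructed sample: same wording, but the link stays on the sender's domain.
LEGIT_SAMPLE = """From: Account Security <security@example-service.com>
To: user@corp.example
Subject: Password change attempt detected
Content-Type: text/plain; charset=utf-8

We detected a password change attempt on your account.
Review recent activity in your security settings:
https://www.example-service.com/security
"""

if __name__ == "__main__":
    for name, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(name, analyse(sample) or "no findings")
```

The check deliberately ignores the display name and keys on the registrable domain of each link, because the lookalike messages described above usually get the wording right but cannot host the form on the real service's domain; a hit should quarantine the message for review rather than silently drop it, so that a genuine alert routed through a third-party mailer can be allowlisted.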
So how do you educate company employees so that this doesn't happen?
In order to minimize the possibility of cybercriminals obtaining employee credentials, Kaspersky advises companies to communicate the following:
Never click on links in automated security notifications, whether they appear real or not.
When you receive a notification, check the security settings and linked details by opening the website manually in the browser.
Notifications with irregular wording should be ignored and deleted.
If the notification looks real, notify the security or service team concerned; it may be a sign of a targeted attack.