How Donna was spear phished

They targeted Donna from Marketing. Donna doesn't report to Nick the CFO, so the scammers assumed she doesn't have Nick's phone number in her contact list. Also, they sent the text message over the weekend to make it feel more urgent and probably Donna wouldn't want to talk over the phone on a weekend.

To make this feel urgent, the scammers crafted a fake complaint letter from a key customer. They made it seem like Donna did something wrong and she needed to fix it ASAP.

The Scammers personalized the link with Nick's name and they made it feel like a secure drive, with the hopes that Donna will think it's legit.

 

Next, they tell Donna that Nick wants to talk to her on Monday in order to build credibility. If this was a scammer they wouldn't need to meet on Monday... all these small things build Trust.

 

Donna takes the bait and clicks on the phishing link, she logs into a Fake Google Login Page with her real user name and password.

 

And in order to close the loop so Donna doesn't realize she was hacked and reports this, they displayed a fake complaint letter. This gives the criminals enough time to take over the account.

 

How To Avoid This Type Of Attack

1) Don't Automatically trust anyone, even if you think you know them. Digital identities aren't the same as meeting someone in person.

2) Call and verify with your Admin, Company, or Person, the authenticity of the request.

3) Make sure you have MFA turned on. It’s better to use Authenticator Apps (Such as Google or Microsoft Authenticator) or even a hardware security key instead of Text based authentication.
 
4) Never share security codes with anyone - including automated systems that contact you out of the blue.
 
5) Share less! The more an attacker knows about you the easier it is to hack you.
 
6) Use Wizer Free Security Awareness to train your team