We’ve all gotten them. Phishing (via email, text or other communication medium) is one of the most common ways that hackers try to get to your data. According to the 2021 Verizon Data Breach Investigations Report (DBIR) (which I covered here), phishing was present in 36% of breaches (up from 25% the year before). This week, one of them almost got me.
It was an email from a colleague asking me to “please review the proposal documents attached in the link below and let me know if we can work on this project together.” While the email seemed like it was auto-generated, it came from a colleague I know and even had my colleague’s email signature on it. So, I clicked on the link to an RFP number, which was probably my first mistake.
That’s when McAfee popped up with a warning that indicated that it was a deceptive site. So, I took a second look at the email and realized that it did look pretty phishy, er, fishy after all. So, I decided to confirm that my colleague actually sent the email, which I did by responding to the original email, which was definitely a mistake.
And believe it or not, I got a response! That response said: “Hi Doug, Thanks for checking back with me. The attachment is from me, it is a project proposal for an upcoming project we’re working on. It is a secured document and I believe you’ll be required to login to review. Please let me know if we can work on this together.”
But it had no email signature this time and certainly looked generic. So, I still wasn’t convinced that the request was legitimate. So, I reached out to my colleague again – this time via text (finally a smart decision!) and my colleague confirmed that this was indeed a phishing email.
I looked up “phishing RFP scams”, which pointed me to this link from the Better Business Bureau (BBB) describing a similar scam which apparently targets small businesses in particular (though I think it could work on businesses of any size). In the alert, they state: “The email may even have the company’s signature block with a real address and staff contact person” (which mine did).
The BBB alert has a few pointers for “How to Spot an RFP Scam”, which are useful. In addition, I have two more recommendations:
- Never Respond to an Email if it Looks Fishy: That was a bonehead move on my part. If you have doubts about an email sent to you, reach out to the person via other means (e.g., phone call or text) to confirm that they sent it.
- Keep Your Virus Software Up to Date: Your virus software is there for a reason – to keep you protected. Hackers are always coming up with new ways to get at your data, so it’s important to ensure that your virus software is set to automatically apply new patches to address those newer threats. My virus software certainly saved me here.
So, what do you think? Have you ever received a phishing email that looked real? Please share any comments you might have or if you’d like to know more about a particular topic.
Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by my employer, my partners or my clients. eDiscovery Today is made available solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Today should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.