In The Know: Trusted Third Parties Used as Phish Bait
Working with a third-party organization can be a great help, but what happens if that third party falls victim to a cybersecurity attack? Not only could your organization’s shared data be exposed, but you may also become the target of an unusually convincing phishing attack.
Once a scammer has access to a third party’s email account, they can use it to send phishing emails from a legitimate and familiar email address. Some cybercriminals take this attack a step further by forwarding or replying to real emails that were already in the third party’s inbox. Posing as the original sender, the bad guy sends a simple message such as “Here’s that document you needed” and includes their own malicious link or attachment. Typically, the phishing email is completely unrelated to the original email, but the attack can still be convincing because it appears to be part of a previous conversation.
Don’t be fooled! Here’s how to stay safe from third-party phishing attacks:
- Never click a link or download an attachment from an email that you weren’t expecting—even if it appears to be from someone you know.
- Read the prior conversation and compare it to the newest email. If you find that the information is unrelated or if the sender never mentioned a link or an attachment previously, this could be a phishing attack.
- If you’re unsure whether or not an email is legitimate, reach out to the sender by phone. One quick call could save your organization from a potential data breach.
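The second tip above can also be automated. The following is an added example, not KnowBe4's code: a small Python check a mail gateway or help-desk tool could run over a conversation thread. It flags a new reply that introduces a link or attachment the earlier messages never mentioned, and a reply whose wording has almost nothing in common with the conversation it claims to continue. The `Message` structure, the keyword list, the 20% overlap threshold and both sample threads are assumptions constructed for this example.

```python
import re
from dataclasses import dataclass, field

# Constructed heuristics for this example (not a product rule set).
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)
ATTACH_WORDS = re.compile(
    r"\b(attach(ed|ment|ments)?|document|file|link|invoice|pdf|docx?)\b",
    re.IGNORECASE,
)
STOPWORDS = {
    "that", "this", "with", "have", "here", "from", "your", "will", "would",
    "about", "then", "them", "they", "know", "please", "thanks", "hello",
    "just", "also", "what", "when",
}
MIN_OVERLAP = 0.2  # assumed threshold: share of reply words seen earlier in the thread


@dataclass
class Message:
    """Minimal view of one email in a thread (assumed structure)."""
    sender: str
    subject: str
    body: str
    attachments: list = field(default_factory=list)


def content_words(text: str) -> set:
    """Lower-cased words of 4+ letters, with URLs and filler words removed."""
    text = URL_RE.sub(" ", text).lower()
    return {w for w in re.findall(r"[a-z]{4,}", text) if w not in STOPWORDS}


def review_reply(thread: list) -> list:
    """Return human-readable reasons the newest message in `thread` looks out of place.

    `thread` is in chronological order; the last element is the reply under review.
    """
    *prior, reply = thread
    reasons = []
    prior_text = " ".join(m.body for m in prior)

    # Tip 2, part one: does the reply carry a link or attachment nobody asked about?
    reply_has_payload = bool(reply.attachments) or bool(URL_RE.search(reply.body))
    prior_mentions_payload = (
        bool(ATTACH_WORDS.search(prior_text))
        or bool(URL_RE.search(prior_text))
        or any(m.attachments for m in prior)
    )
    if reply_has_payload and not prior_mentions_payload:
        reasons.append("reply introduces a link or attachment that the earlier conversation never mentioned")

    # Tip 2, part two: is the reply about something unrelated to the thread so far?
    reply_words = content_words(reply.body)
    prior_words = content_words(prior_text + " " + " ".join(m.subject for m in prior))
    if reply_words:
        overlap = len(reply_words & prior_words) / len(reply_words)
        if overlap < MIN_OVERLAP:
            reasons.append(f"reply shares only {overlap:.0%} of its content words with the earlier conversation")
    return reasons


def suspicious_thread() -> list:
    """Constructed thread: a hijacked vendor mailbox replies with an unrelated link."""
    return [
        Message("lee@vendor.example", "Site visit next Tuesday",
                "Hi Dana, can we move the site visit to Tuesday at 10? "
                "The contractor needs another day to finish the survey. Thanks, Lee"),
        Message("dana@customer.example", "Re: Site visit next Tuesday",
                "Tuesday at 10 works for us. See you then."),
        Message("lee@vendor.example", "Re: Site visit next Tuesday",
                "Here's that document you needed. https://files.example.invalid/share/92a1 "
                "Let me know if you have trouble opening it."),
    ]


def benign_thread() -> list:
    """Constructed thread: the attachment was announced earlier and matches the topic."""
    return [
        Message("lee@vendor.example", "Q3 invoice",
                "Hi Dana, I'll send over the Q3 invoice as a PDF once accounting signs off on the final numbers."),
        Message("dana@customer.example", "Re: Q3 invoice",
                "Great, thanks. Please include the PO number on the invoice."),
        Message("lee@vendor.example", "Re: Q3 invoice",
                "Attached is the Q3 invoice with the PO number included. Let me know if the numbers look right.",
                attachments=["Q3-invoice.pdf"]),
    ]


if __name__ == "__main__":
    for name, thread in (("suspicious", suspicious_thread()), ("benign", benign_thread())):
        print(name, "->", review_reply(thread) or ["no findings"])
```

The check is deliberately conservative: a reply that was announced in the thread and stays on topic, like the benign sample, produces no findings, so the output is a prompt to pick up the phone (tip 3), not a verdict on its own.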
Stop, Look, and Think. Don’t be fooled.
The KnowBe4 Security Team