“Customer complaint” email scam preys on your fear of getting into trouble at work

Researchers at Sophos are reporting an increase in targeted phishing scams which prey on workers fears around the escalation of customer complaints. In the UK, it’s been reported that customer complaints, are on the rise due to coronavirus-related frustrations and criminal are jumping on this trend to target employees.

The goal of these cybercriminals is to make you feel guilty, and to convince you that through inaction on your part, you have caused serious inconvenience not only to the company as a whole, but also to someone more important than you in the organisation. The emails observed by researchers are designed to look as if they are from inside the same organisation but referencing a fictitious complaint.

They request an employee to click on a link to download details of the complaint. If you download the file, it turns out not to be a PDF, but it isn’t the usual sort of well-known suspicious substitute that the criminals often use, such as a VBS file (Visual Basic Script) or a JS file (JavaScript) file, but a Microsoft App Bundle. Windows users may not be familiar with them yet, especially if they’ve never had reason to download work apps from the Microsoft Store.

These types of campaigns are targeting junior employees who are under time pressure and commonly deal with customer support issues.

Technically, this is a targeted attack, known in the jargon as spear-phishing, because it does its best to greet you by name and to pretend to come from a manager in your company.

That makes it much more believable that an impersonal “Dear Colleague” or just a plain old “Hello”.

Yet this sort of targeting is technically trivial to do for anyone who has ever received (or acquired a copy of) an email sent by you at any time in the past.

And, let’s be perfectly honest, if you’ve ever worked in support, you’ll rarely ever have “reported yourself to management” when a caller shouted at you and complained, unless the call was so aggressive or threatening that you wanted to ensure it was placed on the record for your own safety.

You just assume that the complaints that they threatened to send won’t materialise, although you also know that sometimes they do.

In other words, receiving an email from a “colleague” whom you don’t know, and who doesn’t know you, but who seems to have been dragged into a customer “dispute” that you weren’t even aware of yet…

Security Awareness Training is the means by which organizations teach users how to stay in that ever-vigilant mode when interacting with email and the web. By doing so, instead of taking everything at face value and believe it by default, users interact with unfamiliar content like this in a far-more scrutinizing manner and are less likely to become victims.

With thanks to the Cyber Defence Alliance and Sophos. The full story is here:https://nakedsecurity.sophos.com/2021/11/05/customer-complaint-email-scam-preys-on-your-fear-of-getting-into-trouble-at-work/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+nakedsecurity+%28Naked+Security+-+Sophos%29

Free Phish Alert Button

Do your users know what to do when they receive a phishing email? KnowBe4’s Phish Alert Button gives your users a safe way to forward email threats to the security team for analysis and deletes the email from the user’s inbox to prevent future exposure. All with just one click! Phish Alert benefits: 

Here’s how it works:

• Reinforces your organization’s security culture
• Users can report suspicious emails with just one click
• Incident Response gets early phishing alerts from users, creating a network of “sensors”
• Email is deleted from the user’s inbox to prevent future exposure
• Easy deployment via MSI file for Outlook, G Suite deployment for Gmail (Chrome)

PS: Don’t like to click on redirected buttons? Cut & Paste this link in your browser: https://info.knowbe4.com/free-phish-alert-partner?partnerid=001a000001lWEoJAAW