Phishing Campaign Impersonates Pfizer
A phishing campaign is impersonating Pfizer with phony request-for-quotation (RFQ) emails, according to Roger Kay at INKY. The email lures had fairly convincing PDF attachments that didn’t contain any malicious links or malware, and instead prompted the user to reach out to the scammer for more details.
“They both claimed that Pfizer was requesting quotes for various industrial engineering supplies, and both had PDF attachments that impersonated Pfizer,” Kay says. “The PDF was three pages long and had a few inconsistencies (e.g., different due dates on different pages), but, in general, looked pretty good. The discussion of payment methods and terms set the recipient up for the idea that they would have to share banking details at some point.”
Kay notes that the attackers used several measures to help the emails bypass security filters.
“In this particular attack combination, the black hats used both high and low tech to evade anti-phishing radar,” Kay writes. “The high tech involved newly created and freeware domains, set up to send phishing emails that would not trigger rudimentary email defences (i.e., DMARC analysis of DKIM and SPF records). The low tech was a simple PDF attachment with no poison links or malware in either the attachment or the email itself. These elements were designed expressly to not trigger anti-phishing analysis.”
Kay concludes that users should be suspicious of unsolicited emails like this, especially if they appear to come from major companies.
“Recipients should be aware that large enterprises like Pfizer do not typically send out cold emails to solicit bids for projects,” Kay says. “If a recipient is in a sales department and does business with Pfizer (or, in a similar situation, any other company), they should get in touch with their contact directly by telephone or an initiated email to determine whether the RFQ is legitimate. It is also highly unlikely that a Pfizer employee would use a freemail account for official business.”
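The tells Kay describes above (SPF/DKIM/DMARC that pass because the attacker owns the sending domain, a brand name that does not match the sender's domain, a freemail sender, a PDF lure with no links) can be turned into a mail triage check. The following is an added example, not INKY's or KnowBe4's code; the brand domain list, the freemail list and the sample message are constructed assumptions.

```python
from email import message_from_string, policy
from email.utils import parseaddr

WATCHED_BRANDS = {"pfizer": {"pfizer.com"}}  # constructed: brand -> domains it genuinely sends from
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "protonmail.com"}  # constructed list


def assess_rfq_lure(raw_message: str) -> dict:
    """Score a message against the lure pattern. SPF/DKIM/DMARC results are reported
    but never counted as trust: a sender who owns the domain passes all three by design."""
    msg = message_from_string(raw_message, policy=policy.default)
    display_name, address = parseaddr(str(msg.get("From", "")))
    sender_domain = address.rpartition("@")[2].lower()
    named = f"{display_name} {msg.get('Subject', '')}".lower()
    findings = []
    # 1. Brand named in display name or subject, but mail not from the brand's own domain.
    for brand, legit in WATCHED_BRANDS.items():
        if brand in named and sender_domain not in legit:
            findings.append(f"'{brand}' named but sent from {sender_domain}")
    # 2. Freemail sender claiming to act for a large enterprise.
    if sender_domain in FREEMAIL_DOMAINS:
        findings.append("freemail sender domain")
    # 3. Low-tech payload: PDF attached and no links anywhere in the text body.
    pdfs, body = [], ""
    for part in msg.walk():
        if part.get_content_type() == "application/pdf":
            pdfs.append(part.get_filename())
        elif part.get_content_type() == "text/plain":
            body += part.get_content()
    if pdfs and "http" not in body.lower():
        findings.append("PDF attachment, no links in body")
    dmarc_pass = "dmarc=pass" in str(msg.get("Authentication-Results", "")).lower()
    return {"findings": findings, "dmarc_pass": dmarc_pass, "suspicious": len(findings) >= 2}


# Constructed sample lure (not a real message from the campaign).
SAMPLE_LURE = """\
From: Pfizer Procurement <pfizer.procurement@gmail.com>
Subject: Request for Quotation - Industrial Engineering Supplies
Authentication-Results: mx.example.test; spf=pass; dkim=pass; dmarc=pass
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached RFQ and reply to this address for payment terms.
--b1
Content-Type: application/pdf; name="Pfizer_RFQ.pdf"

%PDF-1.4
--b1--
"""
```

On the sample, all three findings fire while `dmarc_pass` is true, which is exactly why the authentication verdict alone would have let this lure through.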
New-school security awareness training can give your organization an essential layer of defense by enabling your employees to spot phishing emails that slip past your technical defenses.