Attackers impersonate a trusted source by sending fraudulent emails that trick employees into clicking malicious links or opening malicious attachments, thereby stealing credentials or installing malware. For example, a Lithuanian hacker created a fake company and impersonated a supplier, sending forged invoices to finance staff at Google and Facebook. Between 2013 and 2015, he tricked them into transferring more than USD 100 million to fraudulent accounts. Another case occurred in 2022, when attackers disguised themselves as the U.S. Department of Labor and sent fake bid invitation emails. The emails used the Department’s logo and realistic-looking domain names to bypass filters. A PDF attachment contained a “Bid Now” button that redirected victims to a spoofed website resembling the official portal, prompting them to enter their Office 365 credentials. The site even displayed a fake “error” message so that victims re-entered their details a second time, ensuring the attackers obtained valid passwords. Phishing emails of this quality are difficult to distinguish from legitimate ones, and once login information is entered, it goes directly to the attackers.
Smishing (SMS Phishing):
Phishing attempts sent via SMS are also common. For example, in 2020, the Texas Attorney General warned about text messages purporting to come from delivery companies, claiming that a package could not be delivered and urging recipients to click a link to check its status. Once victims clicked, they were asked to provide personal details and credit card numbers, leading to financial theft. Note: Legitimate delivery companies will never ask for such information through SMS. Never click suspicious links or reply with sensitive information.