Have you ever had a conversation with someone and another person who wasn’t part of the conversation suddenly chimes in? Maybe it was while you were in line at a coffee shop or at your kid’s sports game. Maybe even your phone chimes in when you didn’t realize you activated your digital assistant (in our house, we call our voice-activated assistant “faceless woman” in everyday conversation to avoid having her accidentally butt into our conversations when she isn’t invited).
I was recently having a conversation with my husband downstairs as we were making plans for an upcoming trip. As we were writing what we thought were our final plans into our calendar, we heard one of the kids from upstairs chime in with a new idea to consider. It caught us a bit off guard, because we didn't realize the kids were listening (they were supposed to be sleeping!). Since we want them to feel included in our plans, we ended up adjusting what we wrote down, but also had a chat with them about listening in on other people's conversations (and going to sleep when it's bedtime).
What happens when this same thing happens in an email conversation? I recently learned that a common phishing tactic, called "conversation hijacking", is rising in popularity with hackers.
Conversation hijacking is a type of phishing scam. Phishing scams are attempts by cybercriminals to trick users into performing an action like clicking a malicious link, entering credentials, opening an attachment or even making changes to a company’s process (like changing payroll information or account numbers).
This particular type of phishing attack is exactly what it sounds like: the scammers cut into an existing email conversation and try to trick victims into performing some type of action by pretending to be someone the victims already trust.
How do scammers insert themselves into the conversation?
Scammers typically join the conversation in one of two ways:
The first is to use an email account that is already part of the thread and has been compromised. With that access, they simply reply to the thread, and the reply looks exactly like it came from one of the original senders, because it did come from that account.
The second is to take a previously stolen email message and reply to it from a different address: either an unrelated account, or a spoofed version of a legitimate address that mimics a contact already in the thread (for example, an address that differs from the real one by only a character or two).
Both techniques have resulted in victims following through on the scammers' requests. It's the use of a genuine email chain that gives recipients a false sense of security.
There’s no doubt about it – a conversation hijacking phishing scam can be tricky to spot. Your best defense is to remember your phishing scam training and stay vigilant and listen to the little voice inside your head telling you something isn’t right. Be particularly wary of:
- Urgent requests
- Responses to old email threads (especially ones that you thought were dead)
- Unexpected attachments (particularly .html and .zip files)
- A new voice in an old email thread
- A difference in the sender’s email address
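The red flags above can be checked mechanically before a human ever reads the reply. The script below is an added example written for this post, not code from the original article or from Veeam: it walks a thread oldest-first and flags a sender not seen earlier in the thread, a display name that matches an existing participant but comes from a near-identical domain (the "spoofed version of a legitimate address" described above), a reply that revives a thread dead for more than 30 days, attachments of the risky types listed, and urgent wording. The thread, names and domains are constructed sample data; the 30-day window, the two-character domain-distance threshold and the word lists are assumptions chosen for the demo.

```python
"""Flag the warning signs of conversation hijacking in an email thread.

Added example, not part of the original post. The thread below is
constructed sample data; every name and domain in it is invented.
"""
from datetime import datetime, timedelta
from email.utils import parseaddr

# Constructed sample thread (not real messages), oldest reply first.
SAMPLE_THREAD = [
    {"from": "Dana Lee <dana@acme-example.com>",
     "date": datetime(2024, 1, 8), "subject": "Re: Q1 invoice",
     "attachments": ["invoice-0142.pdf"],
     "body": "Attached is the invoice for January."},
    {"from": "Sam Park <sam@partner-example.net>",
     "date": datetime(2024, 1, 9), "subject": "Re: Q1 invoice",
     "attachments": [],
     "body": "Thanks Dana, approved for payment."},
    # The hijacker: Dana's display name on a lookalike domain, weeks later,
    # with an HTML attachment and urgent wording.
    {"from": "Dana Lee <dana@acme-exarnple.com>",
     "date": datetime(2024, 3, 4), "subject": "Re: Q1 invoice",
     "attachments": ["updated-bank-details.html"],
     "body": "Urgent: our bank account changed, please use the new details."},
]

# Assumed thresholds and word lists for the demo.
RISKY_EXTENSIONS = (".html", ".htm", ".zip", ".iso", ".lnk", ".exe")
URGENT_WORDS = ("urgent", "immediately", "asap", "right away")
STALE_AFTER = timedelta(days=30)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character domain swaps."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze_thread(thread):
    """Return (message_index, flag) pairs for every red flag found.

    Replies are examined in order, so only participants who appeared
    earlier in the thread count as known. A "new_sender" on its own is
    only a prompt to look closer; "lookalike_domain" is the strong signal.
    """
    findings = []
    known = {}          # address -> display name, as seen earlier in the thread
    last_date = None
    for idx, msg in enumerate(thread):
        name, addr = parseaddr(msg["from"])
        addr = addr.lower()
        domain = addr.rpartition("@")[2]
        if idx > 0 and addr not in known:
            findings.append((idx, "new_sender"))
            # Same display name as a known participant but a different,
            # near-identical domain: a spoofed version of a legitimate address.
            for k_addr, k_name in known.items():
                k_domain = k_addr.rpartition("@")[2]
                if k_name == name and 0 < edit_distance(domain, k_domain) <= 2:
                    findings.append((idx, "lookalike_domain"))
                    break
        if last_date and msg["date"] - last_date > STALE_AFTER:
            findings.append((idx, "stale_thread"))
        for att in msg["attachments"]:
            if att.lower().endswith(RISKY_EXTENSIONS):
                findings.append((idx, "risky_attachment"))
        text = (msg["subject"] + " " + msg["body"]).lower()
        if any(w in text for w in URGENT_WORDS):
            findings.append((idx, "urgent_language"))
        known.setdefault(addr, name)
        last_date = msg["date"]
    return findings


if __name__ == "__main__":
    for idx, flag in analyze_thread(SAMPLE_THREAD):
        print(f"message {idx}: {flag}")
```

On the sample thread, message 1 (a legitimate newcomer) gets only `new_sender`, while message 2 trips every flag at once, including `lookalike_domain` because `acme-exarnple.com` is within two edits of `acme-example.com`. A real mail gateway would tune the distance threshold per domain length and feed these signals into a score rather than treating any single one as proof.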
Don’t respond to the email itself if you think there is anything suspicious with it. If you believe you need to take action based on something in the email, verify the request using a different communication method first, such as sending a text message or calling the supposed sender using a number that you already had. It’s better to be safe than sorry.
You can report potential phishing and any other suspicious personal emails to firstname.lastname@example.org. If it’s an email that was sent to your company email, follow your organization’s procedures for reporting it to your information security or IT team for investigation.
How to protect against phishing attacks
Conversation hijacking is a form of phishing scam. To protect yourself and your family from phishing in general and keep your personal information out of the hands of scammers, follow this guidance from my leader and Veeam CISO, Gil Vega:
- Do your homework. Search online for information about the supposed sender. You can even search for the exact email you received and see if others have already tagged it as a scam.
- Confirm requests using a second method of verification. Never email the sender back or reply to suspicious emails. Use a separate method of communication, like a phone number or email address from a recent bill, to contact the sender and confirm the request.
- Hover over links in the email and see if the hyperlink's web address matches the company's legitimate website domain. If you think it may be a fake website, type the web address into a browser yourself; don't click on the link itself.
- Look at the file name of any attachments. Do you need, or were you expecting, an attachment? Never open an attachment that you are not expecting or one that ends with an extension you don't recognize (e.g., filename.exe when it says it is a Word document).
- Use your own judgement. Employee awareness training starts with using common sense to help identify if an email is legitimate or if it may be phishy.
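Two of the checks in the list, hovering over a link to compare the visible address with the real target, and looking at an attachment's real file name rather than what it claims to be, can be automated. The script below is an added example written for this post (not code from the original article or from Veeam): it parses a raw message with Python's standard `email` library, pulls every link out of the HTML body, reports links whose visible text names a different domain than the real `href`, and reports attachments whose name ends in an executable extension, calling out the "document name with executable extension" trick specifically. The message, domains and file name are constructed sample data; the extension lists and the "last two labels" domain comparison are simplifying assumptions.

```python
"""Check links and attachments in an email before anyone clicks.

Added example, not part of the original post. RAW_MESSAGE is a constructed
sample; its domains and file name are invented.
"""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed raw message: a visible link that points somewhere else, plus
# an attachment named to look like a Word document.
RAW_MESSAGE = """\
From: Accounts <accounts@acme-example.com>
To: you@example.org
Subject: Re: Q1 invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Please review the updated invoice at
<a href="https://acme-example.com.login-verify.example/pay">https://acme-example.com/invoices</a>
and see the attached document.</p>
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Invoice_Q1.docx.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""

# Assumed lists for the demo.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".lnk", ".hta")
DOCUMENT_EXTENSIONS = (".doc", ".docx", ".xls", ".xlsx", ".pdf", ".ppt", ".pptx")
# Link text that looks like a URL or bare domain (so "click here" is ignored).
LOOKS_LIKE_URL = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#]\S*)?", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from the HTML part."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    """Crude 'last two labels' approximation of the registrable domain.

    Assumption: fine for a demo; real code should use a public suffix list
    so that names such as example.co.uk are handled correctly.
    """
    return ".".join(host.lower().split(".")[-2:])


def check_links(html_text: str):
    """Return (visible text, real href) for links whose visible address names a
    different domain than the real target: what hovering would reveal."""
    collector = LinkCollector()
    collector.feed(html_text)
    mismatches = []
    for href, text in collector.links:
        if not LOOKS_LIKE_URL.fullmatch(text):
            continue
        real_host = urlparse(href).hostname or ""
        shown = text if "://" in text else "https://" + text
        shown_host = urlparse(shown).hostname or ""
        if registrable_domain(shown_host) != registrable_domain(real_host):
            mismatches.append((text, href))
    return mismatches


def check_attachments(msg):
    """Return (filename, reason) for attachments that are really executables."""
    suspicious = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        stem, _, last = name.rpartition(".")
        if "." + last in EXECUTABLE_EXTENSIONS:
            if stem.endswith(DOCUMENT_EXTENSIONS):
                suspicious.append((name, "document name with executable extension"))
            else:
                suspicious.append((name, "executable attachment"))
    return suspicious


def analyze_message(raw: str):
    msg = email.message_from_string(raw, policy=policy.default)
    html_part = msg.get_body(preferencelist=("html",))
    html_text = html_part.get_content() if html_part else ""
    return {"links": check_links(html_text), "attachments": check_attachments(msg)}


if __name__ == "__main__":
    print(analyze_message(RAW_MESSAGE))
```

On the sample, the link is reported because its visible text says `acme-example.com` while the real target sits under `login-verify.example`, and the attachment is reported because `Invoice_Q1.docx.exe` ends in `.exe` despite the `.docx` in its name. Links whose text is plain words ("click here") are skipped, since there is no visible address to compare; those still need the hover check by hand.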
Whether your kids are eavesdropping on a conversation with your significant other or a stranger adds their opinion to a conversation you are having with a friend, a quick cyber chat about how the same thing can happen with email can help your loved ones be more aware of phishing scams and stay safer online.