Go With Your Gut – Preventing a Calculated RFP Phishing Attack

How can good instincts and cybersecurity education prevent calculated phishing attacks?

As somebody who has spent a good chunk of their career working with cybersecurity professionals, two of the most common topics I end up writing about are phishing attacks and end user education.

These two topics are widely discussed in the cybersecurity space for the simple reason that they remain two of the top causes of cyber attacks and breaches. Even the best technology and software can’t reliably stop an end user from clicking a malicious link or downloading malware.

And while it is easy to roll our eyes about end users and laugh about the Nigerian Prince scam (he is still stranded!), it needs to be more widely accepted that phishing campaigns are growing in complexity and structure, something this author experienced first-hand this past week.

This article will provide an overview of the calculated phishing campaign I recently encountered, how the campaign worked, what made the campaign realistic and why your best defense can be your end users’ gut instincts.

Step 1 – Form Inquiry

Earlier this week, our marketing team received the following inquiry from the contact form on our website. While we get the occasional spam inquiry, they are few and far between due to our enhanced form verification measures.

“We’ve recently had a request for an enterprise risk management service provider, and we stumbled upon your company, we would love to have a call on teams (preferably this week) to get more specific details about your products and services and hopefully, we could have future work together.”

After reviewing the form inquiry, we took a few additional steps to verify the company was legitimate, since the inquiry came from an international location and IP address; everything checked out online. While most of our consulting work is national, we have international clients and receive inquiries from abroad on a regular basis.

Step 2 – Outreach and Request for Proposal (RFP)

Following the initial check, we reached out to the email address the person provided on their inquiry and shortly after received what read like a standard follow-up.

“It’s great to hear back from you, we appreciate you getting in contact as soon as you can. You can use this email address as the point of contact for this project, I’ll attach the RFP and the requirements below for you and the technical team to have a better understanding of what is required and what are the compliances of such a project in this region.”

As a professional services firm, our team fields countless RFPs, and for better or worse, receiving RFPs as email attachments is still common for some industries.

But, as somebody who has worked in the cybersecurity space, I also know that threat actors use ZIP files to distribute malware on a regular basis – and our IT team did confirm that the RFP file was in fact malicious in nature.
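The article does not show the contents of the malicious RFP archive, so the following is an added example (not the firm's own tooling and not the attacker's file) of the kind of static triage an IT or security team can run on a ZIP attachment before anyone opens it: read the archive's central directory without extracting anything, and flag the patterns that commonly mark a malicious archive (script or executable members, double extensions such as `.pdf.exe`, password-protected members, nested archives, path-traversal member names, and extreme compression ratios). The two sample archives are constructed inline, and the extension lists are an illustrative assumption rather than a complete signature set.

```python
import io
import zipfile

# Illustrative extension lists (assumption, not a complete signature set).
PAYLOAD_EXTS = {".exe", ".scr", ".dll", ".msi", ".js", ".jse", ".vbs", ".vbe",
                ".wsf", ".hta", ".lnk", ".bat", ".cmd", ".ps1", ".iso", ".img"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".rtf", ".txt"}
ARCHIVE_EXTS = {".zip", ".rar", ".7z", ".gz"}
MAX_RATIO = 100  # uncompressed/compressed ratio above which we suspect a zip bomb


def member_extensions(member_name: str) -> list[str]:
    """Return every extension of the basename, lowercased: 'RFP.pdf.exe' -> ['.pdf', '.exe']."""
    base = member_name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def triage_zip(data: bytes) -> list[str]:
    """Inspect a ZIP given as bytes and return human-readable findings.

    Nothing is extracted or executed; only the central directory is read.
    An empty list means none of the checked red flags were present, which
    is not the same as the archive being safe.
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid ZIP archive (may be a renamed file or corrupt)"]

    findings = []
    for info in zf.infolist():
        if info.is_dir():
            continue
        name = info.filename
        exts = member_extensions(name)
        last = exts[-1] if exts else ""

        # Member names that would escape the extraction directory.
        if name.startswith(("/", "\\")) or ".." in name.replace("\\", "/").split("/"):
            findings.append(f"{name}: path traversal in member name")
        # Bit 0 of the general-purpose flag marks an encrypted member; password-protected
        # archives are a common way to keep mail gateways from scanning the payload.
        if info.flag_bits & 0x1:
            findings.append(f"{name}: encrypted member")
        if last in PAYLOAD_EXTS:
            findings.append(f"{name}: executable or script payload ({last})")
            if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
                findings.append(f"{name}: double extension disguised as a document")
        if last in ARCHIVE_EXTS:
            findings.append(f"{name}: nested archive")
        if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
            ratio = info.file_size // info.compress_size
            findings.append(f"{name}: compression ratio {ratio}:1, possible zip bomb")
    return findings


def build_sample(members: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from {member_name: content}. Constructed test data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed stand-in for a malicious "RFP" archive (not the attacker's real file).
SUSPICIOUS_RFP = build_sample({
    "RFP_Requirements.pdf.exe": b"MZ" + b"\x00" * 64,       # payload disguised as a PDF
    "specs/Technical_Specs.js": b"var x = 1;",              # script dropper
    "attachments/more.zip": b"PK\x05\x06" + b"\x00" * 18,   # nested (empty) archive
    "padding.bin": b"\x00" * 200_000,                       # highly compressible filler
})

# Constructed stand-in for a legitimate RFP package.
CLEAN_RFP = build_sample({
    "RFP_Enterprise_Risk_Management.pdf": b"%PDF-1.4 constructed sample, not a real document",
    "Technical_Requirements.docx": b"PK\x03\x04 constructed sample, not a real document",
})

if __name__ == "__main__":
    for label, blob in (("suspicious", SUSPICIOUS_RFP), ("clean", CLEAN_RFP)):
        print(f"{label}: {triage_zip(blob) or ['no red flags found']}")
```

Run against the constructed suspicious archive, the triage reports the disguised `.pdf.exe`, the `.js` dropper, the nested archive and the suspicious compression ratio; the clean archive produces no findings. A check like this belongs in the mail gateway or the help desk's triage workflow, as a complement to the gut check, not a replacement for it: a quiet result only means none of these particular red flags were present.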

This incident is an example of how sophisticated phishing campaigns are becoming: more focused, streamlined and intelligent. Key details that made this campaign so convincing:

  • The initial inquiry made it past spam and bot filters.
  • The inquiry cited a very specific service and industry need with the appropriate language and asks.
  • The threat actor replied coherently to our response, complete with a standard mobile email signature (sent from iPhone).
  • The response included the appropriate language and documents that a professional services firm would expect, namely an RFP including technical specifications.
  • There was no artificial urgency; instead, the campaign relied on our own eagerness to follow up on a new lead to drive our responses.

Additionally, this campaign avoided nearly all of the usual phishing red flags:

  • Distorted logos or signatures
  • Unconventional email addresses or domain names
  • Grammar errors or misspelled words
  • Unusual content or requests

Candidly, this inquiry and follow-up were as realistic as the legitimate leads our firm receives. Whether this campaign relied on increasingly capable AI tools or on bots, the threat actors put together one of the most realistic phishing campaigns I have experienced.

Situations like this are why end user education and training can be so important in keeping your organization secure.

It wasn’t technology or software that prevented me from opening this ZIP file, it was my understanding that you never download an attachment, click on a link or send information unless you are 100% sure of who or what you are dealing with – even if the request is something as commonplace as an RFP in your industry or business.

So, keep your guard up and educate your end users on what to do when they encounter a potential phishing attack – because your organization is only one click away from potential disaster.

About Schneider Downs Cybersecurity

The Schneider Downs Cybersecurity practice consists of experts offering a comprehensive set of information technology security services, including penetration testing, intrusion prevention/detection review, ransomware security, vulnerability assessments and a robust digital forensics and incident response team. In addition, our Digital Forensics and Incident Response teams are available 24x7x365 at 1-800-993-8937 if you suspect or are experiencing a network incident of any kind.

Want to be in the know? Subscribe to our bi-weekly newsletter, Focus on Cybersecurity, at www.schneiderdowns.com/subscribe.

To learn more, visit our dedicated Cybersecurity page.

You’ve heard our thoughts… We’d like to hear yours

The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at [email protected].

Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.

© 2024 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.
