Whatsapp logo

Beware new phishing scam variant

Businesses beware! Cyber criminals are upping their game with an horrific new phishing scam - just in time for Halloween. Our customers have reported receiving what they believed were suspicious (spooky?) looking emails. Although these emails were not being flagged up by the default spam filters in Microsoft 365, it didn’t take us long to oust them as malicious attempts.

The attack starts with a phishing email sent by the attacker while posing as a company leader. Impersonating that individual and exploiting their authority, they attempt to get you to give up your personal mobile number. This is targeted approach, using information gained from social networks to identify leaders and their subordinates; hoping to find a vulnerable keen to make a good impression. Once you do, they use WhatsApp to bombard them with aggressive messages in the hopes of fooling them into making false purchases.

Most businesses and establishments now offer some level of security awareness training to their employees/students etc. Here’s where that silly two-minute cartoon video on phishing that you’re forced to sit through once a year finally pays off. Phishing remains the number one method used to gain entry into a network and fortunately, there are many tell-tale signs of a phishing email. Based on an actual email received in these attacks, we have identified 4 of the typical indicators that should be sounding an alarm when you see them in your inbox:

  • - A suspicious sending address
  • - A sense of urgency
  • - A change in writing style
  • - A forceful tone

Everything about this email is designed to make you act quickly, from seeing the falsified name in the “From” field to the urgency created in the title, the short sentences and the bullish tone. The attacker is hoping that you act before you have the time to  properly process what is in front of you.

It works in a similar way to those passages that you can read perfectly despite the letters being all jumbled up, and to the bionic text in the paragraph above – which helps you skim read text much faster than you normally would, by simply highlighting the first few letters of key words.

Responding to the above email with your mobile number gives the attacker another way to attempt to socially engineering you into doing something for them, and this time it’s personal.

WhatsApp is being used increasingly in the workplace, but it is still a social media platform that people identify with as being personal. Once the attacker has your mobile number, they will attempt to contact you via WhatsApp masquerading as the same business leader from the email (in our case it is “John Franks”). This is a simple yet extremely clever and calculated tactic for a few reasons. You are less likely to have the same level of security on a personal device than you would on a company-owned device and making a request in a personal app, on a personal device, makes you believe that the request is in fact, personal - and not a run-of-the-mill business task.

Much like the email example above, the WhatsApp messages will follow the same forceful style with many of the same techniques deployed, although this time the messages may seem more aggressive with an even higher sense of urgency.

Although the attack may seem very simple and easy to intercept, the methodology used in the attack chain uses psychology to socially engineer an individual. It preys on a human desire to be helpful and to be liked. Look at that example phishing email again; you’ll see there is no malicious software attached to it, no user accounts have been hacked, no email addresses have been spoofed, there are no requests to give up your login details and there are no malicious links embedded in the email. The sending address is likely to be newly created with a neutral rating and it’s unlikely that any organisation would blacklist the entire Gmail domain. In short, there is nothing in the attacks that would be picked up by traditional security software solutions.

People are the only line of defence against an attack of this nature.

Remember to look out for these key signs of a phishing attempt:

  • - Urgency
  • - Errors or changes in writing style
  • - Unusual requests
  • - Unfamiliar email addresses, sites or links
  • - Something too good to be true
  • - Something that plays on your emotions (sadness, anger, empathy etc.)
  • - A call to action

Default spam filters doesn't seem to be enough to protect you anymore. If your budget allows it, we urge businesses to consider more advanced email protection. User awareness training is no longer a nice-to-have but is now an absolute must-have for any business.

Get in touch with us today if you'd like to know more about this and other scams, and how you can protect your business from an ever-changing threat landscape.

Oh and remember, when it comes to suspicious emails - if in doubt, report it!


Jason Abrahamse

Jason is ITbuilder's security expert and leads our information security project team. He provides consultancy and support on matters relating to cyber-resilience and data protection.

Something of an industry veteran, Jason has held various roles in the industry and combines that expertise to consult with customers on security best practices.

Jason is a native of South Africa, but is now a fully naturalised Brit except for not being accustomed to the cold. He lives locally in Hertfordshire.

More articles from

Back to Blog