Timing is (almost) everything with phishing

Timing is (almost) everything with phishing

by Andrew
June 24, 2021

The best spear phishing attacks are timely. Which means they arrive in the inbox of the target exactly when it is relevant to the target.

Or even better when the target is most vulnerable to an attack.

Insider knowledge about their target is gold for a spear phisher (or player in MonkPhish). Especially information that their target is expecting something.

A spear phisher can deploy that knowledge with devastating effect.

For example, an attacker knows that a target gets an invoice from one of their suppliers on the last Thursday of the month around 4pm, they deploy their attack mimicking that invoice on Thursday at 2pm.

The target may just click through as expected – they expected this email in the afternoon.

Business email compromise is a cost and growing spear phishing threat for finance teams.

Another example (and this is a real-world example)m an attacker knew that a large multi-payment deal sale was being conducted between two parties. The attacker just emailed the payer with an email address that looked a lot like the sellers’ address and asked that they wire the next installment to a different account (the one under the attackers’ control).

In that case the attack was successful without “compromising” any systems or networks!

Attackers can also attempt to catch people at their most vulnerable moments – physically and psychologically.

If you get an email at 3 am that something awful has happened – will you be inclined to panic when you wake up several hours later – check your phone – and see some urgent message?

When you are especially bleary or mentally tired is when you should be extra cautious about checking your email!

If you get that urgent message, check it on your computer, not your phone – and look at the URL of the sender and the destination!

If you’re still unsure, call to check if something is going on – anything to make doubly sure you aren’t the next victim of a well-timed attack!

Of course, while playing MonkPhish you can use these timing tactics to snare your colleagues! Happy phishing!

If you need help improving your team’s cyber awareness, let’s find a time to catch up and see how we can help get every employee on your cyber team.

Related Stories

Photo by Javier Allegue Barros on Unsplash
March 31, 2022

A Complete Guide to The Social Engineering Attack Prevention

Social Engineering attacks are getting more complex and social media is getting more popular.

January 6, 2022

Know about cyber attacks before they happen

Insufficient security measures led to almost 57% of social engineering cyber attacks on businesses in 2021 - and they were more frequent and targeted too!

November 10, 2022

The Password You Need to Stay Safe Online

Are you using strong passwords? You should be! Find out how to create strong passwords that are difficult to crack, and how AI can help.