Yesterday, the HR Director of an international family business reached out to me directly via LinkedIn with a job offer and asked for a Zoom call to discuss the role.
Intrigued, I checked his profile: he had 500+ connections and was active on LinkedIn. I responded and asked for the Job Description (JD) to see if I was a fit, and he asked whether I would like the JD sent via WhatsApp, email, or LinkedIn. I replied via WhatsApp, and he subsequently sent me a Zip file.
After extracting the "PDF" files, I noticed that they had a .exe extension. I immediately recognized this as a (spear) phishing attack.
Scammers are getting more sophisticated:
- They used my LinkedIn profile to customize their attack.
- They spent time creating a deep-cover avatar.
- They study, understand, and use the headhunting process to launch their attack.
- They were patient and waited for me to ask for the file to be sent.
Two-phased phishing attacks take more time to execute but have a high probability of success. If I were not the 'trust but verify' type, I would likely have opened the "PDF" and compromised my computer or smartphone.
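As an added example of what "verify" can look like before opening an unsolicited archive (this is not code from the original post; the archive contents and file names below are constructed for illustration), the script lists a Zip file's entries without extracting them and flags the patterns this attack relied on: an executable extension, a document-looking double extension such as `.pdf.exe` (which Windows Explorer shows as `.pdf` when "Hide extensions for known file types" is on, its default), and content whose magic bytes do not match the name. The `Job Description.pdf.exe`, `Benefits.pdf` and `Salary.pdf` entries are assumptions made for the sample, not the attacker's real files.

```python
import io
import zipfile

# Extensions Windows will execute on double-click. "Report.pdf.exe" is shown
# as "Report.pdf" by Explorer when extensions are hidden (the default).
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
    ".vbs", ".vbe", ".wsf", ".hta", ".msi", ".lnk", ".ps1",
}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}

# Magic bytes: a real PDF starts with "%PDF-", a Windows PE file with "MZ".
PDF_MAGIC = b"%PDF-"
PE_MAGIC = b"MZ"


def build_sample_archive() -> bytes:
    """Constructed sample archive (assumption): mimics the 'JD' Zip file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Disguised executable: double extension plus PE header.
        zf.writestr("Job Description.pdf.exe", PE_MAGIC + b"\x90\x00" * 64)
        # Genuine-looking PDF: name and content agree.
        zf.writestr("Benefits.pdf", PDF_MAGIC + b"1.7\n%...\n")
        # Name says PDF, content is a PE file: extension alone would miss it.
        zf.writestr("Salary.pdf", PE_MAGIC + b"\x90\x00" * 64)
    return buf.getvalue()


def inspect_archive(data: bytes) -> list[dict]:
    """Return one finding per file entry, without extracting anything to disk."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            base = name.lower().rsplit("/", 1)[-1]
            exts = ["." + p for p in base.split(".")[1:]]  # all extensions, in order
            with zf.open(info) as fh:
                head = fh.read(8)  # only the first bytes are needed for the magic check

            reasons = []
            if exts and exts[-1] in EXECUTABLE_EXTENSIONS:
                reasons.append(f"executable extension {exts[-1]}")
            if (len(exts) >= 2 and exts[-2] in DOCUMENT_EXTENSIONS
                    and exts[-1] in EXECUTABLE_EXTENSIONS):
                reasons.append("document-looking double extension")
            if head.startswith(PE_MAGIC):
                reasons.append("content is a Windows PE (MZ header)")
            if exts and exts[-1] == ".pdf" and not head.startswith(PDF_MAGIC):
                reasons.append("named .pdf but does not start with %PDF-")

            findings.append({"name": name, "suspicious": bool(reasons), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in inspect_archive(build_sample_archive()):
        status = "SUSPICIOUS" if finding["suspicious"] else "ok"
        print(f"{status:10} {finding['name']}  {'; '.join(finding['reasons'])}")
```

The magic-byte check matters because an attacker who names the file plain `Salary.pdf` defeats an extension-only filter; the script reads only the first bytes of each entry and never writes the payload to disk, so it is safe to run on an archive from an unverified sender.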
Cybersecurity awareness, knowledge, and the mindset of #TrustButVerify are the only ways…