We are all familiar with traditional spam emails. You know the ones: poorly spelled messages urgently demanding you click a link to reset a password. Fortunately, most staff are now well-trained to spot and delete them.
However, this week at the Decision1 helpdesk, we reviewed an interesting phishing attempt targeting a Dunedin business that took a much more patient, conversational approach.
Building Trust First
The attack began with a standard, polite email from someone claiming to be a new client. They mentioned they had been referred by a friend and were seeking professional advice regarding an Inland Revenue (IRD) penalty letter.
What made this email notable was what it didn't contain. There were no malicious links or attachments. It was simply an introductory email ending with an offer: "If helpful, I can send through a copy of the IRD correspondence for your review."
The Malicious Follow-Up
This tactic relies entirely on human nature. Businesses are naturally eager to help prospective clients.
When the business replied, "Please can you send through the IRD correspondence," they unwittingly signaled that their guard was down. They were now expecting a file.
Shortly after, the sender replied with the requested "IRD correspondence" attached as a PDF. In reality, the PDF was a malicious file designed to compromise the user's computer. Because the staff member had actively requested the document, they were much more likely to open it without a second thought.
Adapting Your Security
As these conversational "long con" attacks become more common, organisations need to adapt their security training:
- Maintain Caution with Attachments: Remind your team that a file they asked for is still a file from a stranger. Before opening the first attachment from any new contact, verify the sender by phone using a number you looked up yourself, not one taken from the email, and treat an unexpected PDF as untrusted until it has been checked.
- Use the Phish-Finder Tool: If an email feels slightly off, don't guess. You can paste the text directly into our free tool at https://www.decision1.co.nz/tools to analyze it for urgent language and scam patterns instantly.
- Review Email Filtering: Ensure your email security systems look at sender history and conversation context (for example, a never-before-seen sender whose first attachment arrives only after a staff reply) and inspect attachment contents, rather than only matching known bad links.
At Decision1, we help organisations implement modern email filtering and staff training to catch these evolving threats. If you'd like a review of your email security setup, we can help. Contact us today.
