We are continuing to get a large number of reports of emails imitating Manx Telecom being sent to @manx.net addresses and are aware of over 90 subsequent account compromises.

We have become aware of a sophisticated phishing campaign, targeting email users by deploying custom login pages that mimic your organisation. This deceptive tactic aims to harvest user credentials, potentially leading to unauthorised access to personal and professional accounts.

Details of the Campaign

Attackers initiate this phishing scheme by sending emails containing links in which the recipient's email address is embedded in encoded form. When the link is clicked, the malicious server decodes that address, takes the domain from it and retrieves branding elements from the associated website, such as logos and page screenshots relevant to the recipient. This allows the creation of a fraudulent login page that resembles the legitimate site, making it appear authentic. If login attempts fail, victims are eventually redirected to legitimate websites such as Gmail or DocuSign, reinforcing the illusion of authenticity and reducing suspicion.

This tactic presents a serious risk to businesses, as attackers can effortlessly mimic company branding without prior preparation, enabling them to target a wide range of organisations indiscriminately. By dynamically customising phishing pages based on the recipient’s email domain, cybercriminals increase the likelihood of credential theft, as victims are more likely to trust familiar-looking interfaces.
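As an added illustration of the link pattern described above (example code written for this page, not OCSIA's or Manx Telecom's), the following Python flags URLs that carry a recipient's address, either plain or base64-encoded, in a path segment, query value or fragment, and treats an address from a protected domain appearing in a link that points off that domain as suspect. The protected domain example.com and the sample links are constructed for the example; the hosts use the reserved .invalid top-level domain.

```python
import base64
import re
from urllib.parse import urlparse, unquote

# Hypothetical set of the domains we protect; substitute your organisation's own.
PROTECTED_DOMAINS = {"example.com"}

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})$")
B64_ALPHABET = re.compile(r"[A-Za-z0-9+/_=-]+")


def decode_base64_token(token):
    """Decode a possibly unpadded base64 token (standard or URL-safe alphabet).

    Returns the decoded text, or None if the token is too short, not base64,
    or does not decode to printable UTF-8.
    """
    token = token.strip()
    if len(token) < 8 or not B64_ALPHABET.fullmatch(token):
        return None
    padded = token + "=" * (-len(token) % 4)
    decoder = base64.urlsafe_b64decode if ("-" in token or "_" in token) else base64.b64decode
    try:
        text = decoder(padded).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError subclass
        return None
    return text if text.isprintable() else None


def url_tokens(url):
    """Yield the parts of a URL where a recipient address can be carried:
    path segments, query-string values and the fragment.
    The query is split by hand so that '+' (part of the base64 alphabet)
    is not turned into a space as parse_qsl would do."""
    parsed = urlparse(url)
    for segment in parsed.path.split("/"):
        if segment:
            yield unquote(segment)
    for pair in parsed.query.split("&"):
        if pair:
            yield unquote(pair.split("=", 1)[1] if "=" in pair else pair)
    if parsed.fragment:
        yield unquote(parsed.fragment)


def find_recipient(url):
    """Return (email, domain) if the URL embeds an email address, plain or base64-encoded."""
    for token in url_tokens(url):
        match = EMAIL_RE.match(token)
        if match is None:
            decoded = decode_base64_token(token)
            match = EMAIL_RE.match(decoded) if decoded else None
        if match:
            return match.group(0), match.group(1).lower()
    return None


def classify_url(url, protected_domains=PROTECTED_DOMAINS):
    """Classify a link found in an inbound email. Returns (verdict, email, host):

    'suspect'          - a protected-domain address is embedded in a link whose host
                          lies outside that domain (the pattern in the advisory)
    'recipient-in-url' - an address is embedded, but the link stays on its own domain
                          or the address is not one we protect
    'clean'            - no address found in the link
    """
    hit = find_recipient(url)
    if hit is None:
        return ("clean", None, None)
    email, domain = hit
    host = (urlparse(url).hostname or "").lower()
    on_own_domain = host == domain or host.endswith("." + domain)
    if domain in protected_domains and not on_own_domain:
        return ("suspect", email, host)
    return ("recipient-in-url", email, host)


if __name__ == "__main__":
    # Constructed sample links (hosts are reserved .invalid names, not real sites).
    samples = [
        "https://secure-login-portal.invalid/view?id=YWxpY2VAZXhhbXBsZS5jb20=",
        "https://docs-share.invalid/f/YWxpY2VAZXhhbXBsZS5jb20",
        "https://mail.example.com/reset?user=alice%40example.com",
        "https://www.example.com/news/2024/report",
    ]
    for sample in samples:
        print(classify_url(sample), sample)
```

Run over the links extracted from inbound mail at the gateway or in a mail-flow rule, a 'suspect' verdict is a strong indicator of this campaign, since legitimate services rarely address a user of your domain through an encoded copy of their email address on an unrelated host.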

Mock-up of how the phishing campaign would look for us

Recommendations for Users:

  • Treat Unexpected and Unsolicited Emails with Caution: be especially wary of those prompting immediate action or containing unfamiliar links. Verify the sender's authenticity before engaging with the content.
  • Examine URLs Carefully: hover over the link to reveal its actual destination URL. After clicking a link but before entering credentials, inspect the website's URL again for discrepancies or unusual characters that may indicate a fraudulent site.
  • HTTPS Encryption: make sure that the URL starts with ‘https://’ and not ‘http://’. Note that HTTPS alone is not proof of legitimacy, as phishing sites commonly use it too, so the domain name itself still needs checking.
  • Enable Multi-Factor Authentication (MFA): MFA adds an additional layer of security and is recommended to protect email applications and other systems at risk from malicious internet-originating traffic. Using an authenticator app is recommended. 
  • Confirm the Email’s Legitimacy: if an unexpected email seems particularly important and it asks you to log in, consider telephoning the purported business, organisation, or your IT service provider using a genuine telephone number.

Additional Recommendations for Organisations

  • Use DMARC, SPF, and DKIM: set up these email authentication protocols within your organisation to minimise the chances of email spoofing and enhance security.
  • Educate Users on Phishing Tactics: conduct regular security awareness training for employees and users to help them recognise phishing attempts, especially those using brand impersonation tactics.
  • Report Suspicious Emails: forward any suspicious emails to the Suspicious Email Reporting Service (SERS) at SERS@ocsia.im. Your reports assist in identifying and mitigating widespread phishing threats.
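To make the DMARC, SPF and DKIM recommendation concrete, here is an added example (not OCSIA's code) that assesses the three DNS TXT records, given as strings, and shows a weak configuration beside its corrected form. The records, the domain example.com and the DKIM public-key placeholder are constructed; in practice you would fetch the records with a DNS query (the TXT record at the domain itself for SPF, at _dmarc.<domain> for DMARC, and at <selector>._domainkey.<domain> for DKIM).

```python
# Constructed sample TXT records for a hypothetical domain example.com.
# Weak and corrected forms are shown side by side; the DKIM key is a placeholder.
SPF_WEAK = "v=spf1 include:_spf.mailhost.invalid +all"
SPF_GOOD = "v=spf1 mx include:_spf.mailhost.invalid -all"
DMARC_WEAK = "v=DMARC1; p=none"
DMARC_GOOD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s"
DKIM_WEAK = "v=DKIM1; k=rsa; t=y; p="
DKIM_GOOD = "v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_PUBLIC_KEY"

# SPF mechanisms and modifiers that cost a DNS lookup (RFC 7208 limits these to 10).
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
SPF_LOOKUP_LIMIT = 10


def parse_tags(record):
    """Split a 'tag=value; tag=value' record (DMARC/DKIM style) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spf(record):
    """Return a list of findings for an SPF record; an empty list means no issues found."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: no record, or record does not start with 'v=spf1'"]
    last = terms[-1].lower()
    if last in ("+all", "all"):
        findings.append("SPF: '+all' authorises every sender; end the record with '-all'")
    elif last == "?all":
        findings.append("SPF: '?all' is neutral and gives receivers no verdict; use '-all'")
    elif last not in ("-all", "~all") and not last.startswith("redirect="):
        findings.append("SPF: record does not end with an 'all' mechanism or a redirect")
    lookups = 0
    for term in terms[1:]:
        # Strip the qualifier (+ - ~ ?) and isolate the mechanism/modifier name.
        name = term.lstrip("+-~?").lower().split(":")[0].split("=")[0]
        if name in LOOKUP_MECHANISMS:
            lookups += 1
    if lookups > SPF_LOOKUP_LIMIT:
        findings.append(f"SPF: {lookups} DNS lookups exceed the limit of {SPF_LOOKUP_LIMIT} (permerror)")
    return findings


def assess_dmarc(record):
    """Return findings for a DMARC record; p=none is flagged because it only monitors."""
    findings = []
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC: no record, or missing 'v=DMARC1'"]
    policy = tags.get("p", "").lower()
    if policy == "":
        findings.append("DMARC: required 'p=' policy tag is missing")
    elif policy == "none":
        findings.append("DMARC: 'p=none' only monitors; spoofed mail is still delivered. Move to quarantine, then reject")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC: policy applies to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("DMARC: no 'rua=' address, so you receive no aggregate reports of spoofing attempts")
    return findings


def assess_dkim(record):
    """Return findings for a DKIM selector record; an empty p= means the key is revoked."""
    findings = []
    tags = parse_tags(record)
    if tags.get("v", "DKIM1").upper() != "DKIM1":
        findings.append("DKIM: 'v=' tag present but not 'DKIM1'")
    if not tags.get("p"):
        findings.append("DKIM: empty 'p=' means the key is revoked; signatures using this selector will fail")
    if "y" in tags.get("t", "").split(":"):
        findings.append("DKIM: 't=y' marks the key as testing; receivers may disregard failures")
    return findings


def assess_domain(spf, dmarc, dkim):
    """Combine the three checks; returns an empty dict when every record passes."""
    report = {}
    for name, result in (("spf", assess_spf(spf)), ("dmarc", assess_dmarc(dmarc)), ("dkim", assess_dkim(dkim))):
        if result:
            report[name] = result
    return report


if __name__ == "__main__":
    print("weak   :", assess_domain(SPF_WEAK, DMARC_WEAK, DKIM_WEAK))
    print("correct:", assess_domain(SPF_GOOD, DMARC_GOOD, DKIM_GOOD))
```

The weak set is the common starting point: an SPF record ending in '+all' permits any host to send as the domain, a DMARC policy of 'p=none' asks receivers to do nothing with mail that fails, and a DKIM record in test mode or with an empty key gives no usable signature. The corrected set fails unauthorised senders ('-all'), instructs receivers to reject mail that fails alignment, and requests aggregate reports so attempts to spoof the domain become visible.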

For general guidance on identifying and handling phishing attempts, please visit our A Brief Guide to Phishing page.
