Latest Phishing Tactics Show Attackers Keep ‘Pushing The Envelope:’ Inky CEO

Phishing attacks continue to get more sophisticated—and sneakier, says Dave Baggett, co-founder of the email security vendor.

Recently observed phishing email tactics show how threat actors are continuing to find sneaky new ways to make their attacks successful, according to Dave Baggett, co-founder and CEO of email security vendor Inky.

As one of the more troubling examples, attackers have recently been seen breaking into a person’s email account and then impersonating that individual midway through an email conversation with an unsuspecting other party, Baggett said Sunday during a session at the XChange March 2024 conference.

The tactic, known as “conversation hijacking,” is just one of many that demonstrate how attackers are “always pushing the envelope” in terms of phishing tactics, he said.

Of the latest email phishing tactics, however, conversation hijacking is “probably the scariest one,” Baggett said during the session at XChange, which is hosted by CRN parent The Channel Company and being held this week in Orlando, Fla.

As part of the tactic, an attacker who gains access to someone’s account will essentially “camp out and read the person’s mail for a while” until they spot a conversation that seems worth inserting themselves into, he said.

The most common situations observed so far for this tactic are real estate transactions, according to Baggett. Once the time comes to wire the money for the house, the attacker will enter the conversation—impersonating the real estate agent—and tell the client that the wiring instructions were wrong and the payment needs to be sent to a different account, which belongs to the attacker.

“That by itself is a really scary setup,” Baggett said. “The mail is coming from the person's real account.”

Wade Kilgore, CTO of Plano, Texas-based Axxys Technologies, said there’s no question that phishing tactics continue to prove a massive challenge for MSPs and the organizations they’re working to protect.

“The cat-and-mouse game is always evolving with the attackers,” Kilgore said.

In addition to doing all that can be done to stop these tactics using technology, MSPs must keep working to ensure their customers are educated about how phishing tactics are changing, he said.

“As the attackers get better, we have to continue to improve and continue to teach our client community,” Kilgore said.

On the technology side, College Park, Md.-based Inky has concluded that the latest phishing tactics highlight the ways that prior email security approaches fall short, Baggett said.

“You can't solve the phishing problem just by looking at the content of the mail for patterns. You can't just look for bad grammar. You can't just look for scammy patterns,” he said.

Doing that continues to be useful, of course, Baggett said, as that approach remains the “workhorse” for blocking most of the malicious email.

However, “that doesn't work for these more elaborate techniques,” he said. “For things like this, you have to develop a model or a countermeasure that's dedicated to this specific kind of tactic.”