Security News > 2022 > January > Phishing attack spoofs US Department of Labor to steal account credentials

A phishing campaign seen by email security provider Inky tries to trick its victims by inviting them to submit bids for alleged government projects.
A phishing email that appears to come from an official government entity is especially deceptive as it carries an air of authority.
A malicious campaign detected by Inky in the latter half of 2021 spoofed the U.S. Department of Labor as a way to harvest the account credentials of unsuspecting victims.
Claiming to come from a senior Department of Labor employee handling procurement, the emails invited the recipients to bid on "Ongoing government projects." A PDF attached to the email looked like an official DoL document with all the right visuals and branding.
Fourth, the attackers presented what seemed to be a real government website but then redirected victims to a phishing form where their credentials could be captured.
In an instance like this, you would not be asked to log in with your email or account credentials on a totally different network.
News URL
Related news
- Hacker pleads guilty to SIM swap attack on US SEC X account (source)
- US indicts 8Base ransomware operators for Phobos encryption attacks (source)
- Critical PostgreSQL bug tied to zero-day attack on US Treasury (source)
- Microsoft: Hackers steal emails in device code phishing attacks (source)
- Darktrace: 96% of Phishing Attacks in 2024 Exploited Trusted Domains Including SharePoint & Zoom Docs (source)
- Phishing attack hides JavaScript using invisible Unicode trick (source)
- FatalRAT Phishing Attacks Target APAC Industries Using Chinese Cloud Services (source)
- 2024 phishing trends tell us what to expect in 2025 (source)
- Hackers Exploit AWS Misconfigurations to Launch Phishing Attacks via SES and WorkMail (source)
- How New AI Agents Will Transform Credential Stuffing Attacks (source)