Security News

A phishing campaign seen by email security provider Inky tries to trick its victims by inviting them to submit bids for alleged government projects. A phishing email that appears to come from an official government entity is especially deceptive as it carries an air of authority.

A new phishing campaign impersonating the United States Department of Labor asks recipients to submit bids to steal Office 365 credentials. The phishing campaign has been ongoing for at least a couple of months and utilizes over ten different phishing sites impersonating the government agency.

For the final quarter of 2021, DHL surpassed Microsoft as the brand most spoofed in phishing campaigns, says Check Point Research. For the final quarter of 2021, DHL took over the top spot from Microsoft as the most impersonated brand by cybercriminals using phishing tactics.

The Monetary Authority of Singapore says it is considering supervisory action against Southeast Asia's second largest bank, Oversea-Chinese Banking Corporation, which was criticised for its incident response to a widespread phishing scheme across the island nation. "Monetary Authority Singapore takes a serious view of the recent phishing scams involving OCBC Bank. They have significantly impacted several customers. OCBC has acknowledged that its incident response and customer service should have been better. MAS has been following up with the bank on these and broader issues relating to the incident," said MAS deputy managing director Ms Ho Hern Shin in a statement to The Register.

DHL was the most imitated brand in phishing campaigns throughout Q4 2021, pushing Microsoft to second place, and Google to fourth. Phishing campaigns impersonating the brand have good chances of reaching people who are waiting for a DHL package to arrive during the holiday season.

So how can organizations overcome the sudden increase in security threats and regain the upper hand against bad actors with fewer resources than ever before? Increasingly, it looks like zero-trust will become the ideal approach for doing more with less, because ultimately, it's the users and their cyber-hygiene that's the first line in phishing defense. As anyone, no matter how technically savvy, is at risk of falling victim to phishing attacks, it's vital that organizations rethink their approach to security as a whole to combat these threats.

A new study at unprecedented scale revealed that embedded phishing training in simulations run by organizations doesn't work well. Those simulations pretend to be real phishing email landing in the employees' mailboxes, without any malicious payload. They show a realistic phishing page and collect statistics about who clicked with or without providing credentials, how many users reported it to the security staff, etc.

Electronic Arts has published an official response to numerous reports about hacked player accounts, confirming the problem and attributing it to phishing actors. As the notice explains, hackers used social engineering against EA's customer experience team to bypass two-factor authentication and take over 50 player accounts.

According to a Department of Justice press release, 29-year-old Fillippo Bernardini allegedly impersonated agents, editors, and others involved in the publishing industry to steal manuscripts of unpublished books. "Filippo Bernardini allegedly impersonated publishing industry individuals in order to have authors, including a Pulitzer prize winner, send him prepublication manuscripts for his own benefit," said U.S. Attorney Damian Williams.

Attackers are taking advantage of the comment feature in Google Docs to send people emails with malicious links, says Avanan. A new report released Thursday by email security provider Avanan looks at a new phishing campaign that abuses a popular feature in Google Docs to deploy malicious emails.