Conversation Hijacking: A New Type of Phishing Attack
Reality Check
Most of us are aware of the threat of phishing emails—emails that impersonate legitimate businesses to trick the recipient into sending money or data, or into clicking a malicious link or attachment. In most cases, these fraudulent emails appear as new email threads, and that makes them relatively easy to identify. But phishing is an ever-evolving threat, and a new, more sophisticated tactic—called conversation hijacking—has emerged in recent years.
How Conversation Hijacking Works
As the name suggests, conversation hijacking involves sending a fraudulent email in the middle of a legitimate email thread. In most cases, the goal of the attack is to trick a business executive into sending money to a fraudulent bank account.
The attack typically starts after cybercriminals gain access to the email account of a vendor or business executive. After gaining access to a useful email account—for instance, someone responsible for sending invoices—the attacker can wait until an email thread involving a high-value transaction takes place. Once that happens, they can reply to the thread with a request that the invoice be paid to a new bank account that they control. Sophisticated attackers may even mimic the writing style of the account owner to make the email sound as legitimate as possible.
As you can guess, such attacks can be very effective, because the fraudulent email appears to be a natural part of the conversation and not a random request for money or data. As a result, these attacks are gaining momentum. According to a research report by Barracuda Networks, conversation hijacking attacks grew by 270% in 2021.
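Because the fraudulent reply comes from the genuine, compromised account, sender checks alone will not catch it; the signal is a mid-thread message that changes where money should go. The following added example (not from the original article) parses a constructed invoice thread with Python's standard email library and flags every in-thread reply that introduces new bank or payment details, so it can be routed for the phone verification described below. The addresses and message bodies are invented sample data.

```python
import email
import re
from email import policy

# Heuristic for wording that redirects a payment to different bank details.
PAYMENT_CHANGE = re.compile(
    r"\b(new|updated?|changed?|different)\s+(bank(ing)?\s+)?(account|details|instructions)\b",
    re.IGNORECASE,
)

# Constructed sample thread (not from the article): a legitimate invoice
# exchange whose final reply, sent from the vendor's own account, redirects payment.
THREAD_RAW = [
    "Message-ID: <1@vendor.example>\nFrom: billing@vendor.example\nTo: ap@customer.example\n"
    "Subject: Invoice 4471\n\nPlease find attached invoice 4471, due in 30 days.\n",
    "Message-ID: <2@customer.example>\nFrom: ap@customer.example\nTo: billing@vendor.example\n"
    "In-Reply-To: <1@vendor.example>\nReferences: <1@vendor.example>\n"
    "Subject: Re: Invoice 4471\n\nReceived, we will process it next week.\n",
    "Message-ID: <3@vendor.example>\nFrom: billing@vendor.example\nTo: ap@customer.example\n"
    "In-Reply-To: <2@customer.example>\nReferences: <1@vendor.example> <2@customer.example>\n"
    "Subject: Re: Invoice 4471\n\nQuick update: please pay to our new bank account, details below.\n",
]

def parse(raw):
    return email.message_from_string(raw, policy=policy.default)

def body_text(msg):
    body = msg.get_body(preferencelist=("plain",))
    return body.get_content() if body else ""

def flag_payment_redirects(raw_messages):
    """Return (message_id, sender) for every reply inside an existing thread
    that asks for payment to new bank details. The sender address is the
    legitimate one, so the only safe response is out-of-band verification."""
    flagged = []
    for msg in map(parse, raw_messages):
        in_thread = msg["In-Reply-To"] is not None or msg["References"] is not None
        if in_thread and PAYMENT_CHANGE.search(body_text(msg)):
            flagged.append((str(msg["Message-ID"]), str(msg["From"])))
    return flagged

if __name__ == "__main__":
    for mid, sender in flag_payment_redirects(THREAD_RAW):
        print(f"verify by phone before paying: {mid} from {sender}")
```

Only the third message is flagged; the original invoice and the acknowledgement pass, even though all three come from addresses that belong in the thread.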
What Can You Do?
So, how can you avoid becoming a victim of this kind of attack? Because conversation hijacking is a sophisticated form of phishing—in the same vein as Business Email Compromise (BEC) attacks—it is important to be as attuned as possible to sensitive requests that break protocol or just seem out of place.
So, if you receive an email that asks you to make a payment to a new account to which you have never sent money, or to send sensitive data that should not be shared, do not comply with the request. Instead, immediately call the sender using a phone number you have on record. Talking directly to the sender will reveal whether or not the request was legitimate.
On the flip side, it is also important that you secure your email account so that it cannot be used to run conversation hijacking scams. Set a long password (at least 12 characters in length) that you do not use anywhere else. Many accounts are compromised when users use the same password across multiple services. If one service does not store the password securely, it jeopardises all services that use that password.
Also, enable multifactor authentication if it is available for your email account. In most cases, enabling this feature will ensure that you receive a one-time code—either as a text message or through an app—that you need to enter after typing your password. This guarantees that your email account cannot be accessed with your password alone.
Conclusion
Although evolved attacks like conversation hijacking may seem intimidating, it only takes a few simple precautions to stay safe. Using common sense, verifying unexpected requests, and securing your email account can go a long way in preventing an attack and keeping your organisation safe.