With much of the workforce working from home during the pandemic, scammers have stepped up their trickery to scare victims into falling for credential harvesting schemes.
One new twist, detailed by Armorblox, threatens to recycle inactive addresses unless the would-be victims immediately update and confirm their account details, which leads fearful recipients to enter their legitimate email addresses and passwords. Email phishing protection firm INKY describes the intricate directives of another credential harvesting email that impersonates the United States Department of Justice, using real government logos and a malicious link to a page mimicking an official website. The attackers also ask targets security-challenge questions, which adds to the attack's apparent legitimacy and yields even more personal information.
This new packaging of credential harvesting attacks is increasingly prevalent today, Anand noted. It is aimed at organizations of all sizes, but especially small and medium-sized businesses (SMBs) that may not have all their security processes in place yet.
Sophisticated attackers know that Secure Email Gateways (SEGs) and other filters look for known scam-indicative patterns, according to Baggett. So they hide that deceptive text from the SEG in a way that does not look odd to the user. For example, an SEG may have a rule that looks for the text "Office 365 Voicemail" because emails containing it have been reported as phishing. One tactic is to replace letters in the scam-indicative text with other Unicode characters that look similar, so the string no longer matches the filter's rule but still reads correctly to the recipient. Bad actors lure users into responding by notifying them of a new document, voicemail, fax, or invoice. Another approach is the help-desk phish, which tells users they must confirm or update their account or it will be disabled.
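The look-alike-character trick is easy to see in code. The following is an added example, not INKY's or any vendor's code: it applies a plain case-insensitive keyword rule, shows it missing a subject line in which two Latin letters were swapped for Cyrillic look-alikes and a zero-width space was inserted, and then recovers the match by normalising the text first. As a second, keyword-independent signal it also flags words that mix scripts. The rule list, the confusables table (a small hand-picked subset, where a real filter would use the full Unicode confusables data) and the subject lines are all constructed for the example.

```python
"""Homoglyph-aware keyword matching for an email filter rule.

Shows why a byte-for-byte rule for "Office 365 Voicemail" misses a
subject line with look-alike letters, and how normalising both the
rule and the message before comparing recovers the match.
"""
import re
import unicodedata
from typing import List

# Rule phrases an SEG might carry (constructed for this example).
RULES = ["Office 365 Voicemail", "confirm your account"]

# Hand-picked confusables: Cyrillic and Greek letters that render like
# Latin ones. Assumption for the example; a real deployment would load
# the Unicode confusables.txt data instead of this subset.
CONFUSABLES = {
    # Cyrillic capitals
    "\u0410": "A", "\u0412": "B", "\u0421": "C", "\u0415": "E", "\u041d": "H",
    "\u0406": "I", "\u041a": "K", "\u041c": "M", "\u041e": "O", "\u0420": "P",
    "\u0422": "T", "\u0425": "X",
    # Cyrillic small letters
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u0456": "i", "\u0458": "j",
    "\u043e": "o", "\u0440": "p", "\u0455": "s", "\u0445": "x", "\u0443": "y",
    # Greek capitals and omicron
    "\u0391": "A", "\u0392": "B", "\u0395": "E", "\u0397": "H", "\u0399": "I",
    "\u039a": "K", "\u039c": "M", "\u039d": "N", "\u039f": "O", "\u03a1": "P",
    "\u03a4": "T", "\u03a5": "Y", "\u03a7": "X", "\u03bf": "o",
}


def normalize(text: str) -> str:
    """Fold text into a canonical form for keyword matching."""
    # NFKC folds fullwidth letters, ligatures and mathematical alphanumerics
    # (e.g. U+FF2F FULLWIDTH O, U+FB01 LIGATURE FI) down to ASCII.
    text = unicodedata.normalize("NFKC", text)
    out = []
    for ch in text:
        if unicodedata.category(ch) == "Cf":
            # Format characters (zero-width space/joiner, soft hyphen, BOM)
            # are invisible padding used to split a keyword; drop them.
            continue
        out.append(CONFUSABLES.get(ch, ch))
    # Collapse whitespace and case so spacing and capitalisation tricks
    # do not help either.
    return re.sub(r"\s+", " ", "".join(out)).strip().casefold()


def naive_match(text: str, rules: List[str] = RULES) -> List[str]:
    """Case-insensitive substring rule: what a basic gateway rule does."""
    low = text.lower()
    return [r for r in rules if r.lower() in low]


def normalized_match(text: str, rules: List[str] = RULES) -> List[str]:
    """The same rule, applied after normalising both sides."""
    canon = normalize(text)
    return [r for r in rules if normalize(r) in canon]


def mixed_script_words(text: str) -> List[str]:
    """Words whose letters come from more than one script (Latin + Cyrillic etc.).

    English subject lines almost never do this, so it is a cheap signal that
    does not depend on any keyword list.
    """
    found = []
    for word in text.split():
        scripts = set()
        for ch in word:
            if ch.isalpha():
                # First word of the Unicode name is the script: LATIN, CYRILLIC, GREEK...
                scripts.add(unicodedata.name(ch, "?").split()[0])
        if len(scripts) > 1:
            found.append(word)
    return found


# Constructed subject lines, not real samples.
PLAIN = "Office 365 Voicemail: you have 1 new message"
# Capital O and small o replaced with Cyrillic U+041E / U+043E,
# and a zero-width space (U+200B) inserted inside "Voicemail".
HOMOGLYPH = "\u041effice 365 V\u043eice\u200bmail: you have 1 new message"
# "Office" written with fullwidth Latin letters (U+FF2F ...), folded by NFKC.
FULLWIDTH = "\uff2f\uff46\uff46\uff49\uff43\uff45 365 Voicemail"


if __name__ == "__main__":
    for label, subject in (("plain", PLAIN), ("homoglyph", HOMOGLYPH), ("fullwidth", FULLWIDTH)):
        print(f"{label:10s} naive={naive_match(subject)} "
              f"normalized={normalized_match(subject)} "
              f"mixed_script={mixed_script_words(subject)}")
```

The naive rule fires on the plain subject and on nothing else; after normalisation all three variants hit the same rule, and the mixed-script check independently flags the two doctored words in the homoglyph subject. Normalising the rule phrase as well as the message matters, because a rule author may paste a phrase that already contains a non-ASCII character.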
Dave Baggett, CEO and co-founder of INKY, recommends that consumers and business IT do two things to catch or prevent these credential harvesting scams. First, put sophisticated software-based mail protection in place so that machines block the vast majority of these scams before delivery and users never interact with them.
Second, train users to be suspicious of email in general. Humans cannot reliably tell real emails from fake ones, but phishing awareness training is still worthwhile because it teaches users not to trust their eyes when it comes to email. Above all, always verify any sensitive email request through another, separate communication channel.