The hit and run phishing attack plays on an anxiety many of us share. Can you imagine the feeling of getting smacked with a notice from an insurance company about a mysterious hit and run incident involving your vehicle?
Well, these last few weeks many of our customers have collided with this new widespread hit and run phishing attack campaign careening around the internet.
The attacker sends an email pretending to be from a well-known insurance company. In the email the insurance company claims that the recipient's vehicle was involved in a hit and run car accident. The email claims there is video and photographic proof of the vehicle's involvement.
To get details of the incident, the victim is advised to contact the insurance company via the phone number provided in the email, which adds a vishing (voice phishing) aspect to the scam. Office hours are also provided to give the message a more authentic feel.
The context of the email is emotionally charged, urging the victim to clarify the matter with the insurance company ASAP... or else. The email closes with a threat of filing a report with legal authorities if no response is given, which heightens urgency and anxiety. A common social engineering technique is to provoke victims into hasty decisions with fictional consequences.
The victim might feel like they are accused of something they didn’t do, and must call the provided number to clear their name. Alternatively, the victim might be left confused and doubting their own memory, which leads to calling the number.
When the victim calls the number, the attacker answers and pretends to be from the well-known insurance company. These attackers are usually professionals and they know how to speak and act to make the victim trust them.
Once the victim is hooked, the attacker could:
The scam could happen so fast that it’s over before the victim even realizes what’s happened.
The attacker's goal is to make the victim panic and hence move fast. When we feel we are under pressure, we might not see the warning signs that would otherwise save us from hasty decisions with irreversible consequences. When spotting anything suspicious or overly emotionally provocative, take a deep breath and think.
If you haven’t been part of a car accident recently, you’re good!
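The traits described above (an accident claim, a callback number, stated office hours, a threat of a report to the authorities) can be combined into a simple mail-triage heuristic. This is an added example, not Hoxhunt's own detection logic; the cue patterns, the function name and both sample emails are constructed assumptions.

```python
import re

# Cue patterns are assumptions derived from the traits described in the text,
# not a vetted production rule set.
CUES = {
    "accident_claim": re.compile(r"hit[\s-]and[\s-]run|accident|collision", re.I),
    "evidence_claim": re.compile(r"\b(video|photo(graph(ic|s)?)?s?|footage)\b", re.I),
    "callback_request": re.compile(r"\b(call|contact|phone|reach)\b", re.I),
    "office_hours": re.compile(r"\b\d{1,2}(:\d{2})?\s*(am|pm)\b|office hours", re.I),
    "legal_threat": re.compile(
        r"\b(police|authorit(y|ies)|legal action|file a report|prosecut\w*)\b", re.I),
    "urgency": re.compile(r"\b(immediately|asap|urgent(ly)?|within \d+ (hours|days))\b", re.I),
}
PHONE = re.compile(r"(?<!\d)\+?\d[\d\s().-]{7,}\d")

def score_callback_lure(body: str) -> dict:
    """Return matched cues, phone numbers, and a flag for callback-style lures."""
    cues = sorted(name for name, rx in CUES.items() if rx.search(body))
    # Require at least 9 digits so dates and clock times are not read as phone numbers.
    phones = [m.group() for m in PHONE.finditer(body)
              if sum(ch.isdigit() for ch in m.group()) >= 9]
    pressure = {"legal_threat", "urgency"} & set(cues)
    # Flag only when a number to call is paired with a request to call and pressure.
    flag = bool(phones) and "callback_request" in cues and bool(pressure)
    return {"cues": cues, "phones": phones, "flag": flag}

# Constructed sample modelled on the email described in the text (fictional number).
LURE = """Dear policyholder,
Our records show your vehicle was involved in a hit and run accident.
We hold video and photographic proof of your vehicle's involvement.
Call our claims desk at +1 (555) 010-0199, Monday to Friday, 9:00 am - 5:00 pm.
If we receive no response, a report will be filed with the legal authorities."""

# Constructed benign sample: has a phone number but no pressure cues.
BENIGN = """Hi team,
Reminder: the fleet insurance renewal is due next month.
Contact me with questions; my desk line is +1 555 010 0142.
Thanks"""

if __name__ == "__main__":
    for label, text in (("lure", LURE), ("benign", BENIGN)):
        print(label, score_callback_lure(text))
```

A flag from a heuristic like this is a reason to route the message for review, not proof of fraud; legitimate insurers also send emails that contain phone numbers.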
Our Threat Analysis Team examines tens of thousands of reported phishing emails a week, including ones like these, and has captured tens of millions of threats to date. The team clusters the threats, rates them, and incorporates the nasty ones into our training simulations in real time to ensure our training stays at the cutting edge of the constantly evolving threat landscape. Hoxhunt users are thus drilled on spotting and reporting the latest actual threats making the rounds, removing potentially catastrophic threats from your system with every push of the Hoxhunt reporting button. Read more to learn how to equip your employees with the awareness training that will protect your company from phishing scams.