As you can see in the subject line and the first line of text, they mention a password that had been publicly breached and associated with one of my email addresses (yes, in middle school, before I got into cybersecurity, my go-to password was Alburnett1). There is not much you can do to avoid large-scale public breaches, but using MFA and limiting password reuse can help ensure your accounts are protected. In this attack, the threat actor finds all passwords associated with a publicly breached email address, auto-populates the subject line and the first line of the body, and then sends the message. Although Gmail sent the message straight to spam, other mail services may have different filtering rules.
Email and telephone attacks use social engineering to manipulate users. Unsuspecting users are made to feel ashamed, helpless, and frantic. Resisting these automatic reactions can help you respond more appropriately. The best way to protect yourself is to remain calm and vigilant any time you correspond with someone you don’t know. Watch for telltale signs like suspicious sender addresses, threatening tones, and auto-generated warnings.
These predators seek out well-meaning individuals who lack internet literacy or are otherwise vulnerable. If you ever feel like a stranger is asking too much of you, proceed with caution and consider consulting a friend. Perpetrators who ask you to keep their actions secret should not be trusted. If they demand secrecy, excessive urgency, or blind compliance, end the conversation immediately and report the offender through the proper channels. Safe and reputable organizations are aware of these schemes, and they should have no issue with your verification checks, like searching for the verified phone number online or researching the scenario they have presented to you. Never feel guilty for asking questions or ending a conversation with a stranger who makes you uncomfortable.
The victims of these vicious attacks shouldn't feel like they are at fault, but informing or creating boundaries for vulnerable people could help prevent major loss. If you’d like to discuss social engineering testing and preparedness, click here or call 844-95-SECUR to connect with one of ProCircular’s experts!