Phishers are using a new bait to lure in victims - other phishing attacks.
Researchers at Symantec Security Response said Tuesday that emails purportedly from the Anti-Scam Department of the British Secret Intelligence Service were "warning" users that they might be scam victims.
The phishing email asks recipients whether they’re a party to a high-end business transaction, have been told they’re lottery winners, have overdue contract funds or have been promised large sums of money, researcher Eric Chien said on the Symantec Security Response weblog on Tuesday.
The email then asks recipients to reply with their legal names, countries of residence and contact details, offering free investigative services, according to Chien.
Chien told SCMagazine.com today that "this is the first anti-scam scam (Symantec Security Response has) seen," adding that its success will determine whether there are copycat scams.
"The premise is the same (as other phishing scams), and it’s just a change in social engineering - it’s social engineering on social engineering," he said. "I don’t think it’s something we would’ve predicted. There’s so much low-hanging fruit out there, and people are still getting duped in so many of the existing scams."
Ron O’Brien, senior security analyst at Boston-based Sophos, told SCMagazine.com today that phishers are taking advantage of users’ fear of scams.
"We have seen examples where a phishing email will say ‘For more information about phishing, click here,’ so it’s almost like they’re using the fear that your security may have been compromised to tease you into giving up information," he said. "The majority of users have learned by now not to click on attachments, because they might contain some sort of malware, but people are less aware that they’re not supposed to be clicking on URLs – and the likelihood that those contain malware increases every day."