Phishing links in emails sent to company employees are often activated only after the initial scan has passed. They can, and should, still be caught. Here is how this kind of delayed phishing works and how to recognise it.
What Is Delayed Phishing?
Delayed phishing is an attempt to lure a victim to a malicious or fake site using the Post-Delivery Weaponized URL technique. The idea is to swap in the malicious content only after the email has been delivered. The victim receives an email containing a link that leads nowhere, or to a legitimate site that may have been compromised but does not yet host anything malicious. In that state the email passes the filters easily: the scanning algorithms find the URL in the text, fetch the site, see no danger, and let the message through to the victim's mailbox.
After delivery, the attackers bring up a previously prepared phishing page or activate malicious content on the previously harmless site. Anything can be waiting there, from a copy of a banking site's login interface to a browser exploit that tries to drop malware onto the victim's machine.
How Do Attackers Work?
To fool an algorithm, attackers use one of three methods:
When Does a Link Become Malicious?
More often than not, attackers assume their victims are asleep at night. Phishing emails are therefore sent after midnight and become malicious a few hours later, closer to dawn. Anti-phishing statistics show a peak around 7-10 a.m.: that is when users who have just woken up click on links sent overnight, which by then have already been weaponized.
Targeted phishing should not be forgotten either. If attackers are after a particular victim, they can study that person's daily routine, find out when they read their mail, and activate the malicious link to match that schedule.
How to Catch Delayed Phishing
The goal is to keep a phishing link from ever reaching the user, but a delivery-time scan cannot catch a link that is weaponized later. The best option is therefore to recheck emails that are already sitting in mailboxes. In some cases this is realistic, for instance if your organization uses the Microsoft Exchange mail server, where delivered messages can be rescanned and pulled back.
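The rescan logic described above, as an added example written for this page (it is not code from the original article or from any mail product). It parses a constructed message, records a fingerprint of each link at delivery time, and rescans the same link later; a link that now redirects to a different host, or whose content has changed and now asks for a password, gets flagged. The two `fetch_*` functions, the sample message and all hostnames are constructed stand-ins for a real HTTP client that follows redirects.

```python
import email
import hashlib
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample message (not from the page). The link is harmless at
# delivery time, which is exactly why the first scan lets it through.
SAMPLE_EML = """\
From: payroll@example-corp.com
To: jane.doe@example-corp.com
Subject: Updated payslip
Date: Tue, 03 Oct 2023 01:12:00 +0000
Content-Type: text/plain; charset=utf-8

Hello Jane,
Your payslip is ready: https://docs.example-cdn.net/payslip/9f2a
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def extract_urls(raw_eml: str) -> list[str]:
    """Return every http(s) URL found in the text parts of an RFC 822 message."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    urls = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            urls.extend(URL_RE.findall(part.get_content()))
    return sorted(set(urls))


def fingerprint(fetch, url: str) -> dict:
    """Record what a URL looks like right now: the final host after redirects,
    a body hash, and whether the page asks for a password. `fetch` is a
    hypothetical callable returning (final_url, body); in production this
    would be an HTTP client that follows redirects."""
    final_url, body = fetch(url)
    return {
        "host": urlparse(final_url).hostname,
        "sha256": hashlib.sha256(body.encode()).hexdigest(),
        "asks_for_password": 'type="password"' in body.lower(),
    }


def rescan(urls, fetch, baseline: dict) -> list[str]:
    """Compare each URL against its delivery-time baseline and return the
    reasons the message should be pulled back or flagged (empty = still clean)."""
    reasons = []
    for url in urls:
        now = fingerprint(fetch, url)
        then = baseline.get(url)
        if then is None:
            reasons.append(f"{url}: no delivery-time baseline")
            continue
        if now["host"] != then["host"]:
            reasons.append(f"{url}: now redirects to {now['host']} (was {then['host']})")
        if now["sha256"] != then["sha256"] and now["asks_for_password"]:
            reasons.append(f"{url}: content changed and now requests a password")
    return reasons


# Constructed behaviour of the same URL at two points in time.
def fetch_at_delivery(url):
    # Placeholder page: nothing for the delivery-time scanner to object to.
    return url, "<html><body>Document not found</body></html>"


def fetch_hours_later(url):
    # The attacker flips the switch: the link now redirects to a credential form.
    return ("https://login.example-corp-sso.net/",
            '<html><form>Email <input name="u"> Password '
            '<input type="password" name="p"></form></html>')


def demo() -> list[str]:
    """Baseline at delivery, confirm it is clean, then rescan a few hours later."""
    urls = extract_urls(SAMPLE_EML)
    baseline = {u: fingerprint(fetch_at_delivery, u) for u in urls}
    assert rescan(urls, fetch_at_delivery, baseline) == []  # passes the first scan
    return rescan(urls, fetch_hours_later, baseline)


if __name__ == "__main__":
    for reason in demo():
        print(reason)
```

The baseline is the piece that makes this work: without a record of what the link looked like at delivery, a later scan has nothing to compare against, and a redirect to a plausible-looking login host is easy to miss. In a real deployment the rescan would be scheduled for messages delivered overnight, before the morning click window.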
If the sender's address ends in @gmail.com or another free-mail domain, be wary. A large company usually has its own email domain.
If you are addressed as "Dear Customer," there is a good chance the letter is fake and you should not open it. Banks and other large organizations know their customers' names.
But even if you are addressed by name, never respond to a request to send your username, password, or other personal information.
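The three manual checks above (free-mail sender domain, generic salutation, request for credentials) as an added example of how they look when automated; this is example code written for this page, not from the original article. The free-mail domain list, the regular expressions and both sample messages are constructed assumptions.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Assumed list of free-mail domains a large organization would not send from.
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

# "Dear Customer", "Dear User", ... at the start of a line.
GENERIC_SALUTATION = re.compile(
    r"^\s*dear\s+(customer|user|client|member|account holder)\b", re.I | re.M)

# A verb asking for something, followed within 60 chars by a credential word.
CREDENTIAL_REQUEST = re.compile(
    r"\b(send|reply with|confirm|verify|provide|enter)\b.{0,60}?"
    r"\b(password|username|login|credentials)\b", re.I | re.S)


def phishing_signals(raw_eml: str) -> list[str]:
    """Return the human-readable warning signs found in one message."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    display_name, addr = parseaddr(msg["From"] or "")
    domain = addr.rpartition("@")[2].lower()

    signals = []
    if domain in FREE_MAIL_DOMAINS:
        who = f'"{display_name}" ' if display_name else ""
        signals.append(f"sender {who}uses free-mail domain {domain}")
    if GENERIC_SALUTATION.search(text):
        signals.append("generic salutation instead of the recipient's name")
    if CREDENTIAL_REQUEST.search(text):
        signals.append("message asks the recipient to send credentials")
    return signals


# Constructed samples (not from the page): one suspicious, one benign.
PHISH_EML = """\
From: "Example Bank Security" <examplebank.alerts@gmail.com>
To: jane.doe@example-corp.com
Subject: Action required
Content-Type: text/plain; charset=utf-8

Dear Customer,
Your account has been locked. Please reply with your username and password
to restore access.
"""

BENIGN_EML = """\
From: payroll@example-corp.com
To: jane.doe@example-corp.com
Subject: Payslip available
Content-Type: text/plain; charset=utf-8

Hello Jane,
Your October payslip is available in the HR portal.
"""


if __name__ == "__main__":
    for name, eml in (("phish", PHISH_EML), ("benign", BENIGN_EML)):
        print(name, phishing_signals(eml) or ["no signals"])
```

None of these checks is conclusive on its own, which is the point of the last paragraph above: a message that passes all three can still be phishing, and a request for credentials is a red flag regardless of how personal the greeting is.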