
Conversation Hijacking Phishing Attacks Are a Stealthy Menace

May 20, 2024

Conversation hijacking stands out among phishing attacks as a particularly insidious technique. This scheme is used in email conversations to foster a false sense of trust in victims. Bad actors then manipulate victims into disclosing sensitive information or transferring funds. As this tactic gains traction among cybercriminals, understanding its mechanisms, potential impacts and prevention strategies becomes crucial for individuals and organizations alike.


Conversation hijacking occurs when a cyber attacker infiltrates a legitimate email thread between two or more parties. By gaining access to an email account (often through earlier phishing attempts or data breaches), the attacker can insert themselves into ongoing conversations in a seemingly natural manner. This method leverages the established trust and rapport between the original parties, making the deceptive emails much more convincing than traditional phishing attempts.

Unfortunately, conversation hijacking can be a gateway to a much more expensive cyberattack: business email compromise (BEC). The U.S. Federal Bureau of Investigation (FBI) tracks reported phishing and BEC complaints yearly. The FBI’s Internet Crime Complaint Center (IC3) 2023 Internet Crime Report shows that phishing and spoofing, which it lumps together, accounted for 298,878 reported complaints in 2023. BEC is counted separately. U.S. businesses have been steadily losing more money to BEC every year. IC3 says that there were more than $2.9 trillion in reported losses in 2023 due to BEC, up from $2.7 trillion in 2022 and $2.4 trillion in 2021.


Conversation hijacking phishing is insidious and can be fiendishly difficult to detect. After all, who expects that someone they talk to regularly is actually a cybercriminal in disguise? The process of mounting a conversation hijacking attack typically unfolds in several stages:

  • Infiltration: The attacker first needs access to one of the participants’ email accounts. This can be achieved through various means, such as spear phishing, where specific individuals are targeted with crafted emails designed to steal credentials.
  • Surveillance: Once access is gained, the attacker silently monitors communication to understand the context and relationships between parties. This phase can last from a few days to several months, allowing the attacker to gather ample information to execute their scam convincingly.
  • Execution: The attacker waits for an opportune moment to intervene in the conversation. This could be during discussions of payments, sensitive data transfer or any scenario where they can credibly request action involving confidential information or money.


Conversation hijacking cyberattacks are a cause for concern due to the stealthy nature of the scam and the significant impact it can have. Here are eight real-world scenarios showing how someone might encounter a conversation hijacking phishing attack.

  1. Vendor email compromise: A common scenario involves attackers gaining access to the email account of a vendor or supplier. They monitor the communication and wait for an opportune moment, such as an upcoming payment. The attacker then sends a fraudulent invoice from the compromised email account, directing the payment to a bank account they control.
  2. Executive email compromise: In this scenario, an attacker hijacks the email account of a high-level executive within a company. Using access to this account, the attacker sends requests for wire transfers or sensitive data to employees who handle finances or confidential information, exploiting the authority of the executive position.
  3. Real estate closing scams: Cybercriminals target real estate transactions due to the large sums involved. They may hijack the email communications between a buyer, real estate agent, and/or lawyer. As the closing date approaches, the attacker sends new instructions to wire the closing funds to a different account, which belongs to the attacker.
  4. Accountant email hijacks: Attackers may compromise the email account of an accountant or someone in the financial department. During the fiscal end-of-year or tax payment periods, they issue unauthorized requests for fund transfers or tax document submissions, directing financial flows to their accounts.
  5. Legal advisor impersonation: In this case, hackers take control of the email account of a legal advisor or attorney. They then insert themselves into email threads discussing confidential settlements or litigation matters, directing clients to make payments to fraudulent accounts.
  6. Healthcare provider scams: Cybercriminals target healthcare providers by hijacking email accounts of staff or vendors. They can manipulate conversations to order pharmaceuticals or medical equipment, directing the payments or deliveries to locations they control, often with fake invoices.
  7. Research grant fraud: Universities and research institutions are also targets. Attackers compromise the email accounts of researchers or administrative staff and intervene in communications related to grant funding or project financing, directing funds to their accounts.
  8. Travel and expense reimbursements: By gaining access to emails related to employee travel, attackers can request reimbursements for fake travel expenses or changes in travel plans, providing payment details that lead to the attacker’s accounts.


Due to the sophisticated and targeted nature of conversation hijacking phishing attacks, companies must implement robust cybersecurity measures and comprehensive cybersecurity awareness training to educate employees about the evolving tactics used by cybercriminals. These tips can help companies avoid potential disaster:

  • Implement Multi-Factor Authentication (MFA): Utilizing MFA can significantly reduce the risk of unauthorized account access, even if credentials are compromised.
  • Beef up email security with artificial intelligence (AI): A state-of-the-art email security solution enhanced with AI will learn a company’s conversation patterns with every email it fields, enabling it to detect and block suspicious activities, including unusual login attempts and anomalous email patterns.
  • Regularly monitor and audit email accounts: Head off trouble before it starts by monitoring and auditing email accounts for unusual activities to catch and mitigate potential email threats early.
  • Train employees with phishing simulations: Educating employees about the signs of phishing and conversation hijacking using phishing simulations is highly effective and can empower them to recognize and report suspicious activities promptly.
  • Establish verification protocols: Implement strict protocols for verifying significant transactions or data requests, especially those made via email, to serve as a crucial checkpoint against fraud like BEC.
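
As an added illustration of the verification checkpoint above (example code written for this edit, not part of the original post or any vendor product), the sketch below reviews one email thread and holds any message that introduces payment details not previously seen from that sender. The sample thread, the function name `review_thread`, the IBAN-shaped pattern and the trust-on-first-use baseline are all assumptions made for the example.

```python
import re
from email import message_from_string

# Constructed sample thread (not real mail): a vendor invoice conversation in
# which the third message comes from the vendor's real, but compromised, account.
THREAD = [
    "From: ap@vendor.example\nMessage-ID: <1@vendor.example>\n"
    "Subject: Invoice 1001\n\nPlease pay to IBAN DE89370400440532013000 as usual.",
    "From: finance@buyer.example\nMessage-ID: <2@buyer.example>\n"
    "In-Reply-To: <1@vendor.example>\nSubject: Re: Invoice 1001\n\n"
    "Thanks, payment is scheduled for Friday.",
    "From: ap@vendor.example\nMessage-ID: <3@vendor.example>\n"
    "In-Reply-To: <2@buyer.example>\nSubject: Re: Invoice 1001\n\n"
    "Our bank changed. Wire to IBAN GB29NWBK60161331926819 instead.",
]

# Loose IBAN-shaped pattern; an assumption for the example, not a validator.
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")


def review_thread(raw_messages, known_accounts=None):
    """Return (message_id, sender, new_accounts) for each message to hold."""
    known = {s.lower(): set(a) for s, a in (known_accounts or {}).items()}
    holds = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        sender = (msg["From"] or "").strip().lower()
        accounts = set(IBAN_RE.findall(msg.get_payload()))
        baseline = known.setdefault(sender, set())
        new = accounts - baseline
        # Sender and headers look normal in a hijacked thread, so the signal is
        # the content: payment details that differ from this sender's baseline,
        # or that first appear part-way through an existing conversation.
        if new and (baseline or msg["In-Reply-To"]):
            holds.append((msg["Message-ID"], sender, sorted(new)))
        else:
            baseline |= accounts  # first sighting: trust on first use (assumption)
    return holds


if __name__ == "__main__":
    for message_id, sender, accounts in review_thread(THREAD):
        print(f"HOLD {message_id} from {sender}: verify {accounts} by phone")
```

A held message is confirmed through a channel other than the email thread, and the new account joins the baseline only after that confirmation.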

As conversation hijacking becomes more prevalent, understanding and addressing this threat is imperative. By adopting robust email security measures and promoting awareness, individuals and organizations can better protect themselves against these sophisticated cyberattacks. The keys to avoiding cybersecurity trouble like conversation hijacking phishing are staying vigilant, educating employees and continuously evolving a company’s defenses in response to emerging threats.


Kaseya’s Security Suite has the tools that MSPs and IT professionals need to mitigate cyber risk effectively and affordably, featuring automated and AI-driven features that make IT professionals’ lives easier.  

BullPhish ID — This effective, automated security awareness training and phishing simulation solution provides critical training that improves compliance, prevents employee mistakes and reduces a company’s risk of being hit by a cyberattack.     

Dark Web ID — Our award-winning dark web monitoring solution is the channel leader for a good reason: it provides the greatest amount of protection around with 24/7/365 human and machine-powered monitoring of business and personal credentials, including domains, IP addresses and email addresses.    

Graphus — Automated email security is a cutting-edge solution that puts three layers of AI-powered protection between employees and phishing messages. It works equally well as a standalone email security solution or supercharges your Microsoft 365 and Google Workspace email security.      

RocketCyber Managed SOC — Our managed cybersecurity detection and response solution is backed by a world-class security operations center that detects malicious and suspicious activity across three critical attack vectors: endpoint, network and cloud. 

Datto EDR — Detect and respond to advanced threats with built-in continuous endpoint monitoring and behavioral analysis to deliver comprehensive endpoint defense (something that many cyber insurance companies require).      

Vonahi Penetration Testing – How sturdy are your cyber defenses? Do you have dangerous vulnerabilities? Find out with vPenTest, a SaaS platform that makes getting the best network penetration test easy and affordable for internal IT teams.   
