Ring ring, I'd like access to your e-mail please
This short post is a story about spear phishing. Phishing is a crafted lie meant to trick someone into granting access to a person who is usually lying about who they are and why they need that access. Spear phishing is the same attack backed by research on a particular individual and organization to make the lie more convincing. These sorts of things happen every day. Kevin Mitnick writes about this type of attack in his book The Art of Deception.
It's a quarter after 4 on a Wednesday afternoon. My telephone rings; who could it be? I pick up and say hello. The young lady on the other end greets me and claims to be from GoDaddy support.
At first I think this is a legitimate phone call, so I listen for her instructions. She asks me to change the account information so that it is in my name, not the name of the person it was opened with. At the same time she asks for a support PIN, which is accessible from GoDaddy's website once logged in. Once she was asking for a piece of authentication, the alarm bells went off in my head. I refused to give up the PIN or change the contact info and instead asked what the phone call was about. She insisted that until I changed the account holder and verified myself as the account holder, she could not tell me what the call was about or why she needed access. She puts me on hold.
A little technical background... The GoDaddy account holds the encryption key for the e-mail server. In layman's terms, this account has access to the lock and key mechanism that encrypts, or "mathematically scrambles", e-mails into ciphertext so that third parties on the internet cannot read them. If the key in the account were compromised, whoever held it could decrypt and read the company's e-mail as it travels across the internet. Anyone holding a server's private key can also pose as that server, so the damage would not stop at reading mail.
At this point I tell her why I simply cannot give her the support PIN. I state, "Right now you're just a stranger on the phone." She was good: she reiterated my point, telling me that I'm just a stranger on the phone too and that she needs to authenticate me. I ask her to send me an e-mail with valid links so I can verify her. She tells me she will e-mail the account holder and have them forward the e-mail to me.
The account holder never got the alleged e-mail.
If you've ever wondered why phishing is still a thing in this day and age, it's because it works. The SANS Institute has reported that 95% of successful corporate breaches are the result of a successful phishing attempt. Today, phishing remains the easiest and most effective way to compromise a network.