
What is “Conversation Hijacking”?

With cyber-crime becoming the new “norm” in our digital world and attacks reaching a whole new level of sophistication, in this month’s Cybersecurity Minute we wanted to share some tips about a newer type of theft you need to keep an eye out for: “Conversation Hijacking”.

Here’s what you need to know:

According to ZDnet, “it’s common for cyber criminals to send emails posing as the company’s CEO to that company’s employees in an attempt to trick the user into following orders from their ‘boss’.”

You’ve probably heard about the recent Brunswick County, NC scam, where between Oct.-Nov. 2020 Brunswick County, NC was scammed out of $4,026,180.07 by a phisher using an email account that looked like it was coming from their client. The scammer added an extra dash (-) to the domain name, making it difficult to notice at a quick glance. Another disastrous example: a title company in NJ lost $100,000 in a similar situation.

Here’s how it was done: in the title-company case, the scammer registered a domain name with an extra “i”. In both cases, the email looked identical to an email sent by legitimate employees, except for the extra character in the domain name. Conversation hijacking attempts are more likely to succeed because the phishing message is part of an ongoing conversation. ZDnet says hackers get into a user’s email account and read through conversations. They also monitor conversations to understand the day-to-day tasks of this user: how they communicate with internal and external contacts, and gain information about business operations, payment procedures, and potential deals in progress. They then use this information to create authentic-looking and convincing messages and reply to ongoing conversations, asking the recipient to click on a malicious link or download a malicious attachment, all while staying in the context of the conversation.

Look at these two examples. Can you spot the difference at a quick glance?

  1. jdoe@experts–exchange.com or [email protected]
  2. [email protected] or [email protected]
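The “extra character” trick above (an added dash or a doubled letter in an otherwise familiar domain) is exactly what a mail filter can catch before a human has to squint at it. The following is an added example, not code from the original post: it compares the sender’s domain against a constructed list of trusted partner domains (hypothetical values) and flags any domain within a small edit distance of one of them.

```python
# Constructed list of domains this organisation legitimately corresponds with.
# Hypothetical values for the example; replace with your own partner domains.
TRUSTED_DOMAINS = {"experts-exchange.com", "title-company.example"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character inserts, deletes or substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Return the trusted domain that `domain` imitates (within max_distance edits), else None.

    An exact match is not a look-alike. A distance of 1 covers the extra dash and
    extra 'i' cases from the post; 2 allows for a second tweak such as a swapped TLD.
    """
    domain = domain.lower()
    if domain in trusted:
        return None
    best = None
    for t in trusted:
        dist = edit_distance(domain, t)
        if 0 < dist <= max_distance and (best is None or dist < best[1]):
            best = (t, dist)
    return best[0] if best else None


def check_sender(address: str) -> str:
    """Classify a sender address as 'trusted', 'lookalike of <domain>', 'unknown' or 'invalid'."""
    local, _, domain = address.rpartition("@")
    if not local or not domain:
        return "invalid"
    if domain.lower() in TRUSTED_DOMAINS:
        return "trusted"
    target = lookalike_of(domain)
    return f"lookalike of {target}" if target else "unknown"


if __name__ == "__main__":
    # Constructed sample senders, including an en dash (U+2013) in place of a hyphen.
    for addr in ["jdoe@experts-exchange.com", "jdoe@experts--exchange.com",
                 "jdoe@experts\u2013exchange.com", "pay@tiitle-company.example"]:
        print(f"{addr}: {check_sender(addr)}")
```

A flagged address should be quarantined or visibly tagged for the recipient; an exact match still says nothing about whether the trusted account itself has been taken over, which is the scenario the post describes.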

Tips to protect yourself:

  1. Use strong passwords and change them regularly. Gone are the days of “password123”. If you have trouble remembering passwords, a password management application can help, such as Dashlane, LastPass, or Keeper.  Password managers also provide the option to create unique, strong passwords on the fly.
  2. Always verify account information in person or over the phone with the other party before making any changes to account numbers or making payments. You can find phone numbers and website addresses on monthly statements you receive from your financial institution, or you can look the company up in a phone book or on the Internet. Don’t trust the contact information in the email!
  3. Never provide personal information or passwords in response to an unsolicited request, whether it’s through email, internet, or over the phone. Emails and Internet pages created by phishers may look exactly like the real thing. If you did not initiate the communication, you should not provide any information.
  4. If you receive an email with a link, put your mouse over the link without clicking on it. Make sure the address that pops up is the address you are intending to visit. If it’s different, it’s more than likely a malicious email.

If you are on a mobile device, copy the link address (usually a long press to open the menu) and paste the address in a note app to view the address.

  5. If an email asks you to click a link to log into your account to perform an action, manually go to the website itself and log into the account there. This is especially important if you receive an email saying there was a problem with your payment, or that your account will be closed, for example. Hackers commonly use fake PayPal “account issue” emails like this.
  6. If you happen to click on a phishing link and enter your login information, immediately log into your account manually (go to paypal.com, don’t click on any other links) and change your password.
  7. It is best to set up multi-factor authentication on all accounts. This is an option that sends you a text message with a one-time code, or asks for a code from an authentication app.
  8. OCC.gov recommends you review account statements regularly to ensure all charges are correct. If your account statement is late in arriving, call your financial institution to find out why. If your financial institution offers electronic account access, periodically review activity online to catch suspicious activity.