The next wave of phishing attacks


You're getting better at noticing those fake "hey, I need you to do something for me" notes from (what looks like) your boss. You forward them to IT support and say "this looks like phishing to me" - they thank you and you enjoy your ability to discern a legitimate email from a fake one.


That's a great skill, and critical to the security of your business. But there's another attack looming on the horizon, and it's just a matter of time before the bad guys figure out how to do it convincingly.


The next wave will be the fake IT support call.

You don't know all the people who give you IT support. It's often just a faceless, nameless "hi, this is IT support calling" or maybe a first name which you promptly forget.

How do you know the person calling you is who they say they are?

"Hi Mary, this is IT support - sorry to bug you but it looks like your account had a security breach so we need to do an emergency password reset for your safety. I need around 2-3 minutes of your time now." - are you going to hang up on that person? Are you going to trust them? Do you know if they're actually the proper people to do this?


If you're not careful, a fake IT call will effectively hand the keys to your entire account to an unauthorized person. They'll demand you read them the two-factor code sent to your phone. They'll tell you this is required for your safety.


Discuss with your organization how you will verify who the IT people are - what methods will you have to verify? If you've never met them, how will you know their voice? If you know their voice, how will you know it's not a synthesized recreation or other kind of deep-fake?


Computer security is getting better, forcing the bad guys to get even more sophisticated. If you're not falling for the "need you to buy some gift cards, but don't tell anyone it's a surprise" scams, you're doing well, but there's more vigilance required ahead. Plan with your team how you'll ensure that you allow only the right people to help you.


The best source of trust may end up being zero trust - this requires tools, planning, and continual education for your staff.