Let’s say a fraudster chooses to target an international corporation. First, the hacker will try to find out as much information as possible: How is the company structured? How do employees communicate? In which areas does the company operate? The hacker also needs email distribution lists to obtain email addresses. However, the attacker won’t send an email to the entire company. The risk would be too great: the attempted fraud would be detected quickly and the whole company would be warned about the attack.
Instead, the scammer sends the email only to selected people and addresses these individuals personally. The attacker has already collected detailed information about these employees via social media. That way the message will seem more trustworthy to victims. The attacker makes the email look like it was written by a high-up employee from another branch. The sender name and address are very easy to fake, so at first glance the recipient won’t know that someone else is actually sending the message.
The attacker embeds a button with a link in the email that directs the victim to a website that is also fake. The actual destination is disguised. Once the user has opened the website, malware can be loaded in the background. If the malware spreads to the victim’s PC, the hacker may be able to spy on the entire corporate network.
At this point, the victim still thinks they’ve opened a normal website to take part in a survey, for example. This allows the malware to spread unnoticed throughout the corporation’s network and gives the attacker full access or the ability to disrupt mission-critical processes.
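The two tricks described above, the faked internal sender and the link whose real destination is disguised, both leave traces a mail filter can check. The following triage sketch is an added example, not part of the original article; `ORG_DOMAIN`, the function names and the sample message are assumptions constructed for illustration, and the message is assumed to have a single-part HTML body.

```python
import re
from email import message_from_string, utils
from html.parser import HTMLParser
from urllib.parse import urlsplit

ORG_DOMAIN = "corp.example"  # assumption: the organisation's own domain

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def in_org(host):
    return host == ORG_DOMAIN or host.endswith("." + ORG_DOMAIN)

def triage(raw):  # raw: one RFC 5322 message, single-part HTML body (assumption)
    msg, findings = message_from_string(raw), []
    from_domain = utils.parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # An internal From address proves nothing unless the DMARC check passed.
    if in_org(from_domain) and "dmarc=pass" not in msg.get("Authentication-Results", "").lower():
        findings.append("internal From address without dmarc=pass")
    parser = LinkCollector()
    parser.feed(msg.get_payload(decode=True).decode("utf-8", "replace"))
    for text, href in parser.links:
        host = (urlsplit(href).hostname or "").lower()
        shown = re.search(r"([a-z0-9-]+\.)+[a-z]{2,}", text.lower())
        if shown and shown.group(0) != host:
            findings.append(f"link text shows {shown.group(0)}, href goes to {host}")
        elif in_org(from_domain) and host and not in_org(host):
            findings.append(f"internal-looking mail links to external host {host}")
    return findings

CONSTRUCTED_SAMPLE = """\
From: "Jane Doe (VP Sales)" <jane.doe@corp.example>
Authentication-Results: mx.corp.example; spf=fail; dmarc=fail header.from=corp.example
Content-Type: text/html; charset=utf-8

<a href="https://survey.corp-example.test/start">Take the survey</a> or visit
<a href="https://login.corp-example.test/">intranet.corp.example</a>
"""
```

Only an `Authentication-Results` header stamped by your own receiving mail server should be trusted, since a sender can insert one of their own; a production filter would match the server identifier at the start of the header before reading the result.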