The business social network LinkedIn is being used by hackers to make contact with potential victims, in order to soften them up and make them more receptive to malicious emails.
That was one of the revelations from the web seminar today, called 'Are you a phish or a whale?', hosted by V3 sister site Computing.
Abby Ewen, IT director at law firm BLM, said that her organisation has recently experienced a particularly determined phishing attack.
"We have had, both via an email and telephone, an attempt to extort money by someone purporting to be the CFO. It was intercepted both times because we have some very vigilant people trained to spot things that don't look right.
"We had one this week: a scam email passed to me by a partner, and the person who sent [the scam mail] had connected with the partner on LinkedIn prior to sending the email.
"LinkedIn was used as the front door into the scam," she said.
Phishing has become a major threat to businesses in the UK, topping better-known and more headline-grabbing cyber-crime activities, such as distributed denial of service (DDoS) attacks.
This was one of the key findings of V3 sister site Computing's latest research into IT security, presented during the webinar.
Phishing is the art of acquiring sensitive information from a target by offering them some form of bait. This bait might include a fake message purporting to be from a friend or colleague, an invitation to an important meeting, or an invoice with a malicious payload. Clicking on the link or the attachment activates a chain of events that ends up infecting the user's PC, and exposing it to the attackers.
Spear-phishing is a highly targeted form of phishing, while whaling is the same process, only targeting high-profile enterprise targets rather than individuals.
Phishing has become increasingly prevalent because of its simplicity, said Orlando Scott-Cowley, cyber security specialist at security firm Mimecast.
"We use phishing to mean all the types of attack you see in email. Email has become the threat vector of choice because it's easy. There are no skills needed, and you can attach a pre-built piece of malware to your message. It has become far easier than the classic network or IP-based attacks we're used to seeing," said Scott-Cowley.
One of the problems, he added, is that people trust their email in-boxes, and this misplaced trust is exploited by cyber criminals.
"The problem is that we trust our in-box too much, we feel like we're protected behind that infrastructure. Cyber criminals use that trust against us to trick us into clicking their links," said Scott-Cowley.
BLM's Ewen gave the example of a fake email that appeared to come from vehicle registration and licensing body the DVLA, which arrived at the law firm recently.
"One day we had 2,500 copies of the same email in ten minutes, which purported to come from the DVLA. The email had a specific car registration number and people still clicked on it [despite the registration number listed not being their own]. One person clicked who didn't even have a car! It's because people are very busy, and the default is to click on things," she said.
Ewen went on to describe the protections she has put in place at BLM.
"We now sandbox all attachments. We receive around 35,000 per week and we check all URLs that come in. We see between five and 10 malicious attachments per week. Of the 6,500 URLs clicked per week, about 10 go to malicious sites. It's interesting to see how messy the internal environment would be if we didn't have that protection," she concluded.