New phishing campaigns appear to be on the rise. Another one has come to light after CISA issued an alert for users. Allegedly, the malefactors are now preying on users via a DHS email phishing scam.
DHS Email Phishing Scam
According to the latest alert issued by the Cybersecurity and Infrastructure Security Agency (CISA), a new phishing scam is on the rise. This scam allegedly abuses the name of the U.S. Department of Homeland Security (DHS).
The campaign tricks users by sending malicious attachments in emails that resemble DHS notifications. Downloading the attachment installs malware on the target device, which may then carry out malicious activities as directed by the attacker. Owing to the apparent legitimacy of the email and the spoofed email address, users may inadvertently fall prey to this scam.
As stated in the CISA advisory,
The email campaign uses a spoofed email address to appear like a National Cyber Awareness System (NCAS) alert and lure targeted recipients into downloading malware through a malicious attachment.
Protecting Yourself From Phishing Attacks
Most phishing scams work by sending spam emails to trick users. The emails either carry links to malicious web pages, from where the next stage proceeds, or include malicious attachments that download malware onto the target system once opened by the user. Thus, the first step in protecting oneself from phishing scams is to take the utmost care when dealing with unsolicited emails.
CISA recommends the same to users regarding this DHS email phishing scam. It advises users to independently verify web addresses, even in emails from known senders. It also clearly states that it never sends NCAS notifications that contain email attachments.
Use caution with email links and attachments without authenticating the sender. CISA will never send NCAS notifications that contain email attachments.
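CISA's rule above can be turned into a mail-triage check. The following is an added example, not code from CISA or from this article: it flags any message that presents itself as an NCAS alert yet carries an attachment, or whose sender authentication did not pass. The sample message, its addresses and the presence of an Authentication-Results header from the receiving gateway are constructed assumptions.

```python
import re
from email import message_from_string, policy

# Branding the lure imitates, taken from the advisory wording quoted above.
NCAS_MARKERS = re.compile(r"national cyber awareness system|\bNCAS\b", re.I)
# ASSUMPTION: the receiving gateway stamps Authentication-Results (RFC 8601).
NOT_PASSED = re.compile(r"\b(spf|dkim|dmarc)=(?!pass\b)\w+", re.I)

def triage(raw: str) -> dict:
    """Flag mail that claims to be an NCAS alert but breaks CISA's stated rule."""
    msg = message_from_string(raw, policy=policy.default)
    claimed = " ".join(str(msg.get(h, "")) for h in ("From", "Subject"))
    claims_ncas = bool(NCAS_MARKERS.search(claimed))
    # For multipart mail, iter_attachments() skips the text body and yields the rest.
    attachments = [p.get_filename() or p.get_content_type()
                   for p in msg.iter_attachments()]
    auth = " ".join(str(h) for h in msg.get_all("Authentication-Results", []))
    not_passed = sorted({m.group(1).lower() for m in NOT_PASSED.finditer(auth)})
    reasons = []
    if claims_ncas and attachments:
        reasons.append("NCAS-branded mail carries an attachment")
    if claims_ncas and not_passed:
        reasons.append("sender authentication did not pass: " + ",".join(not_passed))
    return {"claims_ncas": claims_ncas, "attachments": attachments,
            "quarantine": bool(reasons), "reasons": reasons}

# Constructed sample (not a real message): spoofed NCAS branding plus an attachment.
SAMPLE_LURE = """\
From: "National Cyber Awareness System" <ncas@alerts.example>
To: user@corp.example
Subject: NCAS Alert: action required
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=alerts.example; dkim=none
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See the attached notice.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="alert.doc"
Content-Transfer-Encoding: base64

Y29uc3RydWN0ZWQ=
--b1--
"""

if __name__ == "__main__":
    print(triage(SAMPLE_LURE))
```

The attachment rule is the stronger signal of the two, since a lookalike domain controlled by the sender can pass SPF and DKIM while still imitating NCAS branding.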
Users can also read CISA's detailed security tips on avoiding social engineering and phishing attacks.
Recently, we also heard of two other phishing campaigns active in the wild. One of these campaigns tricks users by generating fake alerts about the receipt of an encrypted message. The other exploits Google Calendar alerts to bluff users.