The Phish Behind the Inbox

This scam is a business email compromise (BEC) attack. The criminals first gain access to a legitimate business email account, often one belonging to a real employee or vendor, and then send malicious messages from it. Because the mail genuinely originates from that account, it carries the real sender address and passes the usual sender checks, so what lands in your inbox looks like a routine file-sharing notification or document request, complete with a PDF attachment. Since everything looks normal, you may be inclined to open it.

That is exactly what the attacker is counting on. The PDF is a lure: it contains a link or button that opens your browser to a fake login page built to harvest your credentials. Some kits add a phony "security verification" step to appear more authentic; if that step asks for a one-time code, the attacker can relay it in real time, so a multi-factor prompt is no proof that the page is genuine. Once you type in your username and password, the criminals immediately gain access to your account and, from there, to whatever your organization's systems let that account reach.

How to protect yourself from this kind of phishing attack:

  • Be alert to attachments that open a browser window. If clicking a file suddenly takes you online and asks for your login information, stop immediately. A legitimate document does not need you to sign in after you have already opened it.
  • Don't be fooled by fake security prompts. A "verification" or "authentication" message does not confirm legitimacy; attackers add these steps precisely because they lend false credibility.
  • Trust, but verify. Even if the sender appears familiar or the domain looks correct, confirm the message through another channel, such as a phone call or a chat message to the person, especially if it is unexpected or involves an attachment or link.
  • If you have already entered your credentials, change your password right away and tell your security team. The attacker may be using the account within minutes, and the same account can be turned against your colleagues.
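The first bullet describes the check in human terms; the script below is an added example, not code from the article, that performs the same check on a PDF attachment before anyone opens it. It pulls the link targets (`/URI` actions) and other click-or-open actions out of the raw PDF bytes and flags any target that is not on a list of domains the organization actually uses, including lookalike hosts that merely contain a trusted name. The sample PDF, the allowlist and the domain names are all constructed for illustration.

```python
"""Added example: triage a PDF attachment's link targets before opening it.
Not part of the original article; the sample PDF and the allowlist below are
constructed for illustration."""
import re
from urllib.parse import urlsplit

# Constructed allowlist: the file-sharing hosts this hypothetical organization uses.
TRUSTED_HOSTS = {"sharepoint.com", "example-corp.com"}

# Actions that make a PDF open something or run code when opened or clicked.
# /URI is a plain hyperlink and is handled separately; these are flagged on sight.
RISKY_ACTIONS = (b"/Launch", b"/JavaScript", b"/OpenAction", b"/SubmitForm")

# PDF literal strings are (...) with backslash escapes; hex strings are <...>.
_URI_RE = re.compile(
    rb"/URI\s*(?:\((?P<lit>(?:\\.|[^\\)])*)\)|<(?P<hex>[0-9A-Fa-f\s]*)>)"
)


def extract_urls(pdf_bytes: bytes) -> list:
    """Return every /URI target visible in the raw bytes (uncompressed objects only)."""
    urls = []
    for m in _URI_RE.finditer(pdf_bytes):
        if m.group("lit") is not None:
            raw = re.sub(rb"\\(.)", rb"\1", m.group("lit"))  # unescape \( \) \\
        else:
            raw = bytes.fromhex(re.sub(rb"\s", b"", m.group("hex")).decode())
        urls.append(raw.decode("latin-1"))
    return urls


def registrable_domain(host: str) -> str:
    """Crude last-two-labels rule: fine for a triage heuristic, not a public-suffix lookup."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_url(url: str) -> str:
    """'trusted' if the registrable domain is allowlisted, 'lookalike' if a trusted
    name is merely embedded in the host (sharepoint.com-secure-login.example),
    otherwise 'external'."""
    host = urlsplit(url).hostname or ""
    if registrable_domain(host) in TRUSTED_HOSTS:
        return "trusted"
    for trusted in TRUSTED_HOSTS:
        if trusted.split(".")[0] in host:
            return "lookalike"
    return "external"


def triage(pdf_bytes: bytes) -> dict:
    """Summarize what the attachment would do if opened and clicked."""
    verdicts = {u: classify_url(u) for u in extract_urls(pdf_bytes)}
    actions = [a.decode() for a in RISKY_ACTIONS if a in pdf_bytes]
    suspicious = bool(actions) or any(v != "trusted" for v in verdicts.values())
    return {"urls": verdicts, "actions": actions, "suspicious": suspicious}


# Constructed sample: a one-page PDF whose only content is a "View document" link
# pointing at a lookalike host, the shape of lure the article describes.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [100 700 300 720]
   /A << /S /URI /URI (https://sharepoint.com-secure-login.example/verify?u=alice) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_PDF), indent=2))
```

The regex only sees links stored in plain text; real attachments often keep their objects in compressed streams, so run a proper PDF parser (or a sandbox) before trusting a clean result. A "suspicious" verdict, on the other hand, is a reason to stop and verify with the sender through another channel, exactly as the bullets above advise.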

Cyber criminals rely on human trust as their entry point. A quick pause to inspect an email before opening it can make the difference between a normal day and a costly breach.

Article Details

Article ID:
24
Date added:
October 22nd, 2025, 3:01 pm