The hit and run phishing attack plays on an anxiety many of us share. Can you imagine the feeling of getting smacked with a notice from an insurance company about a mysterious hit and run incident involving your vehicle?
Over the last few weeks many of our customers have collided with a new, widespread hit and run phishing campaign careening around the internet.
What's going on in the hit and run phishing attack
The attacker sends an email pretending to be from a well-known insurance company. In the email the insurance company claims that the recipient's vehicle was involved in a hit and run car accident. The email claims there is video and photographic proof of the vehicle's involvement.
To get details of the incident, the victim is told to contact the insurance company via the phone number given in the email, which adds a vishing (voice phishing) element to the scam. Office hours are also given to make the message feel more authentic.
The content of the email is emotionally charged: it urges the victim to clarify the matter with the insurance company ASAP, or else. The email closes with a threat to file a report with the legal authorities if no response is received, which heightens urgency and anxiety. Provoking victims into hasty decisions with fictional consequences is a common social engineering technique.
What happens next
The victim may feel accused of something they didn't do and compelled to call the number to clear their name. Alternatively, the victim may be left confused and doubting their own memory, which also leads to calling the number.
When the victim calls the number, the attacker answers and pretends to be from the well-known insurance company. These attackers are usually professionals and they know how to speak and act to make the victim trust them.
Once the victim is hooked, the attacker could:
- Ask the victim to provide their driver's license details, which include sensitive personal information
- Ask the victim to pay a "fine", either by
  - Providing their credit card details over the phone
  - Transferring money straight to the attacker's bank account
The scam could happen so fast that it’s over before the victim even realizes what’s happened.
What to do if you receive this kind of message
- Stay calm
- Try to remember whether you were really involved in the situation described
- Trust your gut; if you don't recall anything of the sort, someone is probably trying to scam you
- If you do remember something, perhaps your car door brushed another vehicle in a parking lot, still DO NOT contact the insurance company through the details in the email. It is always safer to look up the contact details on the company's own website
- Search for the phone number online; other people sometimes report scam numbers they have come across
- Check the sender address, which may expose the scammer
  - For example, in this campaign the emails were sent from addresses at mail.com, gmail.com and aol.com. These are free webmail services; a real insurance company sends from its own registered domain
  - NOTE! Be careful when checking the sender address: the display name and even the From address can be spoofed to look like the company's registered domain. A spoofed From address usually fails the SPF, DKIM and DMARC checks that mail providers record in the message's Authentication-Results header, and many mail clients show that failure as a warning
- If you do end up calling the number and give out personal information or bank card details, contact your bank and the police immediately
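As an added illustration of the sender and authentication checks in the list above (example code written for this page, not Hoxhunt's tooling), the Python script below parses a raw message with the standard library, extracts the From and Reply-To domains, flags free webmail senders, pulls out any phone number the reader is asked to call, looks for pressure wording, and reads the SPF, DKIM and DMARC results from the Authentication-Results header so that a From address which merely looks like the insurer's domain is caught as well. The three sample messages, the free-mail list beyond the three domains named in the post, and the list of urgency words are constructed for this example.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# mail.com, gmail.com and aol.com are named in the post as senders of this
# campaign; the remaining entries are common free webmail domains (assumption).
FREEMAIL_DOMAINS = {
    "mail.com", "gmail.com", "aol.com", "yahoo.com", "outlook.com", "hotmail.com",
}

# Wording the campaign uses to push the reader into acting now (constructed list).
URGENCY_TERMS = ("immediately", "asap", "legal authorities", "no response", "clarify")

# Loose phone-number pattern: an optional +, a digit, 7+ digits/separators, a digit.
PHONE_RE = re.compile(r"(?:\+?\d[\d\s().-]{7,}\d)")
# spf=/dkim=/dmarc= results as recorded in an Authentication-Results header.
AUTH_RE = re.compile(
    r"\b(spf|dkim|dmarc)=(pass|fail|softfail|none|neutral|temperror|permerror)", re.I
)


def sender_domain(header_value: str) -> str:
    """Return the lowercase domain of an RFC 5322 address header, '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def assess_email(raw: str) -> dict:
    """Apply the checks from the post to one raw message and explain the verdict."""
    msg = message_from_string(raw, policy=policy.default)
    from_dom = sender_domain(msg.get("From", ""))
    reply_dom = sender_domain(msg.get("Reply-To", ""))
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    lower = text.lower()

    auth = {m.group(1).lower(): m.group(2).lower()
            for m in AUTH_RE.finditer(msg.get("Authentication-Results", ""))}
    reasons = []

    if from_dom in FREEMAIL_DOMAINS:
        reasons.append(f"From domain {from_dom} is a free webmail provider")
    if reply_dom and reply_dom != from_dom:
        reasons.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    phones = PHONE_RE.findall(text)
    if phones:
        reasons.append("message asks the reader to call a number: " + ", ".join(phones))

    hits = [t for t in URGENCY_TERMS if t in lower]
    if hits:
        reasons.append("pressure wording: " + ", ".join(hits))

    # A From address forged to look like the insurer's own domain normally fails
    # these checks; a genuine free-mail sender usually passes them.
    failed = [f"{k}={v}" for k, v in auth.items() if v != "pass"]
    if failed:
        reasons.append("sender authentication did not pass (" + ", ".join(failed)
                       + "): the From address may be spoofed")

    return {
        "from_domain": from_dom,
        "reply_to_domain": reply_dom,
        "phone_numbers": phones,
        "auth": auth,
        "reasons": reasons,
        "verdict": "suspicious" if len(reasons) >= 2 else "ok",
    }


# Constructed sample resembling the campaign: free-mail sender, phone number, threats.
CAMPAIGN_SAMPLE = """\
From: "Acme Insurance Claims" <acme.claims.dept@gmail.com>
To: driver@example.org
Subject: Hit and run incident involving your vehicle
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=gmail.com; dkim=pass header.d=gmail.com; dmarc=pass
Content-Type: text/plain; charset="utf-8"

Dear customer,

Your vehicle was involved in a hit and run incident. We have video and
photographic evidence. Please call our claims line on +1 (555) 013-2294
(office hours Mon-Fri 09:00-17:00) immediately to clarify the matter.
If we receive no response, a report will be filed with the legal authorities.
"""

# Constructed sample where the From address imitates the insurer's domain.
SPOOFED_SAMPLE = """\
From: "Acme Insurance" <claims@acme-insurance.example>
Reply-To: acme.claims.dept@mail.com
To: driver@example.org
Subject: Hit and run incident
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=acme-insurance.example; dkim=none; dmarc=fail
Content-Type: text/plain; charset="utf-8"

Call +1 (555) 013-2294 ASAP or a report will be filed with the legal authorities.
"""

# Constructed benign sample from the insurer's own domain that passes authentication.
CLEAN_SAMPLE = """\
From: "Acme Insurance" <noreply@acme-insurance.example>
To: driver@example.org
Subject: Your policy documents
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=acme-insurance.example; dkim=pass header.d=acme-insurance.example; dmarc=pass
Content-Type: text/plain; charset="utf-8"

Your renewed policy documents are attached. No action is needed.
"""

if __name__ == "__main__":
    for name, sample in (("campaign", CAMPAIGN_SAMPLE), ("spoofed", SPOOFED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        result = assess_email(sample)
        print(name, result["verdict"], result["reasons"])
```

The verdict threshold of two findings is deliberate: a lone phone number or a single urgent word is normal in legitimate mail, but a free webmail sender (or a failed authentication result) combined with a "call this number now or else" body is the pattern the post describes. In practice the Authentication-Results header is written by your own receiving mail server, so trust only the instance it added, not one the sender may have included.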
The attacker's goal is to make the victim panic and hence move fast. When we feel we are under pressure, we might not see the warning signs that would otherwise save us from hasty decisions with irreversible consequences. When spotting anything suspicious or overly emotionally provocative, take a deep breath and think.
If you haven’t been part of a car accident recently, you’re good!
Hoxhunt response
Our Threat Analysis Team examines tens of thousands of reported phishing emails a week, including ones like these, and has captured tens of millions of threats to date. They cluster the threats, rate them, and incorporate the nasty ones into our training simulations in real time to ensure our training stays at the cutting edge of the constantly evolving threat landscape. Hoxhunt users are thus drilled on spotting and reporting the latest actual threats making the rounds, removing potentially catastrophic threats from your system with every push of the Hoxhunt reporting button. Read more to learn how to equip your employees with the phishing training that will protect your company from scams.
Explore more phishing types
- Copyright infringement phishing attacks
- A phish named malware: Email verification scam
- Domain registration phishing attack
- Open Redirects - Weaponizing Trust Built by Legitimate Companies
- Porn scams, Ooh la la
- Recruitment scams