Skip To The Main Content

PSNI issue warning on phishing scam

We have recently been advised by the PSNI of an ongoing scam through which businesses’ email accounts are being compromised and their contact lists are infiltrated in an attempt to spread both internally and externally. 
In short the campaign works as follows:
1. Victim receives an email from a 3rd party already compromised and holding their address in a contact list
2. Victim is prompted to open a pdf containing a url or to click on a link to open an invoice or secure document
3. Victim visits malicious url and enters account username and password thus compromising their email account
4. Suspect accesses account from external IP and sets up mail rule (i.e. divert incoming mail with suspect subject lines to trash)
5. Suspect sends phishing email to victims contact list hoping to compromise further accounts. Any bounce backs or challenges go to trash due to mail rule at point 4 and victim remains unaware. 
6. Unless detected the account remains compromised until a password change is made and the suspect can view emails and if appropriate attempt an invoice redirect, CEO fraud etc etc 
NB – we have seen mail forwarding set up as an alternative to ‘divert to trash’ meaning a password change will not secure the account. 
As you may be aware the use of compromised accounts to send phishing emails increases the chances of a recipient clicking on the link. This together with ever changing urls can make it hard for firewall rules to be put in place that will give anything more than a short term protection.  While the url seen on Friday has now been disrupted new variants will no doubt be in circulation. 
Key to this type of incident is the willingness of staff to click on or follow a link. Irrespective of whether they enter a username and password, navigating to the suspect url obviously risks exposure to malware. The nature of this current phishing campaign means once in a certain business sector, without a collective approach, the email can circulate and return to a victim in a different guise. 
We would strongly urge all businesses to make staff aware of the risks of entering a username and password as the result of following a link and ensure that clear guidance is given as to when they should contact your relevant IT department or provider. 
PSNI would encourage anyone involved as a system administrator or Incident management to consider seeking membership of the Cyber Security Information Sharing Partnership (CiSP) details of which can be found at