Most online services have a built-in security system that alerts you when it detects “unusual” activity on your account. For example, services send notifications about attempts to reset the phone number and e-mail address linked to the account, or the password. Of course, as soon as such messages became commonplace, enterprising cybercriminals tried to imitate this mechanism to attack corporate users.
If it’s a public online service attackers will usually make every effort to create exact copies of a real message. However, if attackers are hunting for access to an internal system, they often have to use their imagination as they might not know how the email should appear.
Everything about this message looks ridiculous, from the incorrect language to the rather dubious logic — it seems to be at once about linking a new phone number and about sending a password reset code. Nor does the “support” e-mail address lend credibility to the message: there is no plausible reason why a support mailbox should be located on a foreign domain (let alone a Chinese one).
The attackers are hoping that their victim, fearing for the security of their account, will click the red DON’T SEND CODE button. Once done, they’re redirected to a website mimicking the account login page, which, as you’d imagine, just steals their password. The hijacked mail account can then be used for BEC-type attacks or as a source of information for further attacks using social engineering.
To minimize the chances of cybercriminals getting their hands on employees’ credentials, communicate the following to them:
In general, it’s best to keep phishing e-mails out of employee inboxes altogether. Ideally, they (plus all other unwanted correspondence, including spam, messages with malicious attachments and BEC-related e-mails) should be intercepted at the mail gateway level. To combat these very threats, we have recently updated our e-mail protection solution for gateways.
Article Source: kaspersky.com
Before you start risking your money, check the credibility of the desired website. Search for its URL in the our long list of Scam sites, or send us a request to check its validity, and do not register, buy or invest in it until you are sure of the validity and legality of that website or platform.