Just when you think everybody knows how to spot a common phishing attack, a few easy adjustments by attackers can create a brand new, dangerous pretext.

Missed delivery notifications are suddenly relevant again

We all know that FedEx and UPS missed delivery notifications are commonly used by attackers to try to get people to open infected invoices or follow malicious links. But as the pandemic drags on, creating new supply chain complications, there are new pretexts around “missed deliveries” that attackers can now use that are compelling enough for many people to open them.

Brand impersonation is always a productive tactic

While more of us tend to only deal with more reputable suppliers, those suppliers are becoming even bigger subjects of impersonation attacks. DHL is now the most impersonated brand online. That would not likely be the case if these impersonations of respected shipping companies didn’t work for attackers.

Convincing people to enable document macros is still easy

Software vendors like Microsoft can’t seem to help changing the user interface to commonly used products like Microsoft Office, which results in confusion among end-users around whether or not warnings about “external email” or “document macros” should be followed, or ignored. Most people see confusing macro warnings as an annoyance, but when instructions are given that indicate macros must be enabled to view a document, then it is easy for an attacker to social engineer the end-user into opening the door to a malware attack.

Are you ready?

Reduce your employees' phishing vulnerability by 60%

If you’re tired of security awareness training that doesn’t work and live phishing simulation campaigns that are more trouble than they are worth, we guarantee our gamified, immersive phishing awareness training will reduce your phishing vulnerability by at least 60%, or your money back

The “Missed DHL shipment notice and invoice” scam combines all three

A very effective attack has now evolved that combines the above three tricks in a compelling way, that effectively exploits employees. While it may seem unlikely to many IT managers that employees would miss so many clues, there are psychological factors at play that most of us may discount, at our own peril.

As an example of how ridiculously effective some obvious attack techniques can be, you should listen to the “Aware Much?” segment in a recent episode of the Shared Security Show where we discuss a Psychology Today articles on how psycho-therapists are being scammed with social engineering techniques they are fully aware of.

The solution starts with engaging employees in an immersive way, to learn fundamental phishing clues

Clearly, the success of these evolving phishing attacks shows that people are missing the fundamental clues for spotting phishing messages, when a few techniques can be “reskinned” easily to create new, successful pretexts.

We’re really in a constant battle, where your team needs to be able to spot the basic elements of an email message to quickly sort through the safe and suspicious email messages they receive.  What’s needed is a new approach to phishing awareness training that engages employees to focus on learning key phishing fundamentals.

This is where Click Armor’s unique approach to phishing awareness is extremely effective. Our immersive simulation environment not only works, but is efficient and fun for end-users. Click Armor motivates people to improve their skills in ways that computer-based training and live phishing simulation campaigns simply can’t.

What if there was a way to guarantee that your team would be better prepared for these evolving phishing attacks?

We are so confident in our approach that Click Armor offers a money-back guarantee if your team doesn’t reduce its phishing vulnerability by at least 60% within the first 30 days.

To start a free trial, and experience how you can reduce your team’s vulnerability now, please use the button below.


Scott Wright is CEO of Click Armor, the gamified simulation platform that helps businesses avoid breaches by engaging employees to improve their proficiency in making decisions for cyber security risk and corporate compliance. He has over 20 years of cyber security coaching experience and was creator of the Honey Stick Project for Smartphones as a demonstration in measuring human vulnerabilities.