Why Simple Email Phishing Attacks Are Sometimes Also The ‘Scariest:’ Inky CEO

Threat actors are ‘increasingly’ turning to attacks that are nearly impossible for security tools to catch, says Dave Baggett, co-founder of email security vendor Inky.

Threat actors are “increasingly” turning to email phishing attacks that are both simple and also nearly impossible for security tools to catch, according to Dave Baggett, co-founder and CEO of email security vendor Inky.

That makes these recently observed phishing tactics some of the sneakiest Baggett has seen to date, he said Sunday during a session at the XChange August 2024 conference, which is hosted by CRN parent The Channel Company and being held this week in San Antonio.

[Related: 10 Cool Security Tools For MSPs To Know In 2024]

In particular, Baggett said that attackers exploiting free online services has become more of an issue. Of several attack examples he shared during the session Sunday, Baggett said that a recent attack utilizing Venmo was “the most simple, least technical one” but also the “scariest.”

In the attack, the threat actor created a free Venmo account and sent a request for payment to the victim. And in the memo for the request, the attacker wrote, “you paid $99.99—if this is an error, call this number.”

“And then what do you think happens? The person calls the toll-free number and they say, ‘Give me your credit card information, I’ll look you up in our system,’” Baggett said.

Such attacks are the kind of thing that MSPs are constantly having to keep up with, said Kelli Frederick, director of productivity solutions at Indianapolis-based Catalyst Technology Group.

“It’s daily that you get a phone call from a customer saying, ‘I got this email, is this safe?’” Frederick said.

“And sometimes it’s new. Sometimes it’s something you’ve never seen before,” she said. “And just when you think you have it figured out, and you know what to look for—then lo and behold, there’s a Venmo request that's legitimate.”

Baggett said such attacks are so difficult for most security tools to catch because “this is a perfect email” from the standpoint of legitimacy.

With “every single aspect of the mail security infrastructure, this thing passes because it’s a real email from Venmo,” he said. “You have to have a dedicated model that knows about this kind of tactic and looks for this kind of language.”

Ultimately, “we're seeing increasingly more of this and of course it’s because the attackers know this is really, really hard to defend against,” Baggett said.