Ambush Phishing: Don’t let it happen to you

Inspired by nature, hackers have developed a new stealthy technique to dupe their victims: “Ambush phishing”

Some of the most successful predators in the animal kingdom are not the biggest, strongest, or the fastest. Rather, these predators have evolved techniques to conceal their presence by laying motionless, patiently wait for prey to wander within striking range before launching their attack.


These predators are known as ambush predators, and online hackers are turning to such techniques to attack their victims.

Phishing Tactics

Phishing techniques are now fairly well-known among the internet community. Attackers attempt to obtain sensitive information such as bank account numbers, credit card information, or online passwords by sending requests disguised as legitimate correspondence from a trusted entity. Attackers then use the information they receive from victims to gain access to email and/or financial accounts to continue their attack, often stealing money from their victims.

To increase the efficacy of phishing techniques, attackers have targeted specific individuals with a practice called spear phishing by leveraging specific details learned about the targeted individual to make the fraudulent request appear to be just as legitimate as standard requests victims typically encounter.

As victims become more aware of phishing and spear phishing techniques, attackers are now implementing techniques I call ambush phishing.

Ambush Phishing

Ambush phishing has rapidly increased in prevalence this year among individuals buying homes in the United States. The majority of home purchases are funded with some kind of cash down payment, and that down payment is frequently sent by a wire transfer between the buyer’s bank and an escrow company.

Attackers exploit this known process of wiring funds to an escrow company by targeting individuals involved in the home buying process, specifically the real estate agent representing the buyer and/or the escrow company involved in supervising the transaction. Ambush phishing is the second step of the attack, as hackers first need to compromise communication channels by gaining access to the buyer’s agent’s email account or that of the escrow company.

Ambush phishers monitor correspondence in the compromised email accounts and wait until the day the down payment is expected to be wired. Typically, the escrow company sends its wire instructions and account information to the buyer, who then instructs his/her bank to wire money to a specific destination, but real estate agents can also provide the information as a courtesy to their clients.

Shortly after seeing the legitimate wire instruction correspondence sent to the buyer, attackers will send a new message to the buyer masquerading as a follow up message. In the forged follow up message, attackers apologize for originally sending incorrect wire instructions for the transfer, and instead offer new wire instructions that are the ones to be used.

To increase the efficacy of the ambush phishing, attackers will often add language about the time sensitive nature of the wire transfer and that the transfer needs to be completed immediately or the entire home transaction may be jeopardized, resulting in the buyer losing the home of his/her dreams.

Due to the time-sensitive nature of the email communication, victims often do not think to verify the wire instructions by first contacting the escrow company or real estate agent by phone or in person. In addition, attackers will likely wait until a few minutes before the cutoff times for wire transfers for the day (information that is generally available on most major bank websites). If wire transfer cutoff times coincide with the closing business hours of the escrow company, buyers may not successfully reach an employee of the escrow company to authenticate the instructions they receive even if they do try and contact someone at the company!

The odds of recovering funds wired to the attacker’s bank significantly decrease as time goes by, and the options to interrupt or reverse wire transfers vary widely across financial institutions. Ideally, the best odds against an ambush phishing attack are to identify and thwart the attack before a wire transfer is submitted.

I found several examples of ambush phishing exploits covered in recent publications:

Defending Against Ambush Phishing

I see two main methods to defend against ambush phishing: Two-factor/multi-factor authentication (2FA or MFA) and outbound verification.

Generally, ambush phishing is carried out by first exploiting the email accounts of real estate agents or escrow companies. One of the better defenses for email accounts is to enable two-factor authentication. Not only do the login credentials need to be correct to access the account, users also need to enter a one-time code obtained through a second method, typically a mobile device. A popular two-factor authentication solution is Google Authenticator app for iOS and Android.

Google Authenticator is arguably a better verification solution than codes delivered via SMS, as attackers have reportedly been successful in gaining control of mobile phone numbers by tricking cellular carriers to port phone service to another SIM card. Google Authenticator is a software-based token app that, while it runs on a mobile device, does not verify a user’s identification using SMS communication. So wherever possible, enable two-factor authentication using a software token app such as Google Authenticator for your accounts that contain sensitive information.

The second method to defend against ambush phishing is developing a habit of making outbound verification. In the home buyer example cited above, customers who make an outbound phone call to the real estate agent or escrow company involved in the transaction should be able to verify wire instructions verbally over the phone.

A problem with inbound phone calls for verification is that attackers, once again, can spoof the caller ID displayed on the incoming call and pretend to be an employee of the real estate agency or the escrow company. Here, too, information about company employees is often accessible through the company’s website or by conducting a quick LinkedIn search. Note that inbound calls are also used by attackers that claim to be representing Microsoft or other computer companies to get victims to install malware on their computer.

Be Prepared

Now that you are familiar with the technique of ambush phishing, you are better prepared to resist becoming a victim of these clever attacks.

Have you encountered an ambush phishing attack in your work? Also, what other ways do you recommend protecting accounts from ambush phishing? Share your insights in the comments below or reach out to me on Twitter, I’m @billwinterberg.


Comments are closed.