SMBs are being targeted by this new phishing scam — make sure you don't fall victim

A fish hook is lying across a computer keyboard, representing a phishing attack on a computer system
(Image credit: weerapatkiatdumrong / Getty Images)

Hackers have been spotted abusing a known email service provider (ESP) to target businesses with convincing phishing emails and steal their login credentials.

Cybersecurity researchers from Kaspersky uncovered this new phishing campaign that exploits SendGrid, a Colorado-based email service provider which, as of 2021, has had more than 80,000 clients. 

Its clients are mostly small and medium-sized businesses (SMB) which use the services to communicate with their customers, sending emails in bulk, fast and cheap.

Bypassing email security

According to the researchers, unnamed attackers exploited SendGrid to access client mailing lists, and used those to send custom-tailored, well-built phishing emails. The emails, they said, appeared quite authentic, significantly increasing the chances of success.

In the emails, the attackers impersonated SendGrid and demanded users activate multi-factor authentication (MFA). The emails further carried a link which, if clicked, led to a landing page that mimicked the SendGrid login page, but was instead under the control of the attackers.

There, whoever typed in their login credentials essentially shared them with the attackers. 

Besides super convincing phishing emails, another thing makes this campaign particularly destructive - the fact that it successfully bypasses traditional email security measures. As the emails go through a legitimate service and show no obvious signs of fraud, most email security solutions did not filter them out and instead had them land right in the inbox. 

“Using a reliable email service provider is important when it comes to your business’s reputation and safety,” said Roman Dedenok, a security expert at Kaspersky.

“However, some sneaky scammers learned how to mimic reliable services – so it is crucial to check the emails that you receive properly, and, for better protection, install a reliable cybersecurity solution.”

One of the best ways to protect against phishing is to train the staff to be able to spot email-borne attacks, Kaspersky concluded. 

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.