We are all increasingly familiar with, and probably increasingly frustrated by, the use of chatbots to attempt to solve some problem we are having with a company, often delivery of a purchased item. The “virtual agent” (not to be confused with, or as competent or helpful as, an actual agent) will walk you through a series of predetermined steps ostensibly to address your predicament. [There are unconfirmed reports of a chatbot in 2018 that provided a smidgeon of helpful information.] Regardless, we have become accustomed to the need to jump the chatbot hurdle before being assisted by a live being. Ever-mindful of potential victim conduct, fraudsters are capitalizing on chatbot resignation to facilitate their plots.
In a recent article, Bleeping Computer reports on an elaborate, next-generation phishing scheme. The plan starts with a phishing email about a fictitious undeliverable package from DHL. An embedded link sends the email recipient to a .pdf document which, in turn, also includes a fraudulent link. The target is then directed to a supposedly legitimate web chat where the virtual double agent provides a photo of a package with a damaged address label, and guides the person through questions purportedly to help the delivery company determine the intended recipient’s name, address, telephone number, etc. At that point the person has been duped, but not fleeced.
However, the scheme does not stop there. Once delivery information is obtained, imaginary delivery of the non-existent package is scheduled. The fraudsters even use a false CAPTCHA step to reinforce the authenticity of the verification process. And then (here it comes) the victim is asked to provide DHL account credentials and credit card information to cover the shipping costs for the package delivery. Clicking the pay button sends the victim a genuine one-time valid pass code via text. Entering the pass code into the website field seals the steal.
At heart, the ruse differs very little from the standard phishing email. Where the current ploy deviates is its use of legitimate, accepted steps (a .pdf, a chatbot, a CAPTCHA requirement, a one-time valid security code) to lull the victim into a false sense of trust. The best way to avoid getting reeled in is to avoid the bait. Just as with any plain phishing email, do not click on any embedded links. Question any communication about a package you do not remember ordering or a contest you do not remember entering. And never provide financial information without 100% confidence in the legitimacy of the website. When in doubt, shout out (call the company).
Check out our series, Privacy Perils, to learn what steps you can take to guard your personal and company data. For more information about this topic and other cyber security concerns, please contact Bob Brewer, Tony McFarland, Elizabeth Warren or a member of our Privacy & Data Security team.