What if a Phish isn't really a Phish?
The Scenario: "Operation Shadow Invoice"
In this hypothetical case, an employee in the Accounts Payable (AP) department collaborates with an external cybercriminal to circumvent standard email security protocols.
1. The Setup (Insider Reconnaissance)
The employee identifies a legitimate, high-value recurring vendor that the company pays monthly. They provide the external accomplice with:
- A copy of a recent, legitimate invoice (to copy the branding and format).
- The specific internal naming conventions for email threads.
- The exact dates when the Controller usually approves batch payments.
- A list of "out-of-office" dates for key department heads to ensure the scam occurs when oversight is thin.
2. The Execution (The "Fake" Phish)
The external partner sends a highly targeted "spear-phishing" email to the AP department. Because of the insider's data, the email is perfect:
- It references a real project code and a pending payment.
- It claims the vendor is undergoing a "banking audit" and provides "new" wire instructions.
- The Twist: The insider employee "stumbles" upon the email first and replies to it internally, adding a note like, "I spoke with the vendor on the phone; these new details are verified," giving the scam immediate internal credibility.
3. The Payload
The Finance Manager, seeing the internal validation from a trusted colleague, updates the payment system. The funds are wired to a mule account managed by the third party, then quickly laundered. The insider receives a kickback via cryptocurrency.
How to Protect Against Collusive Phishing
Preventing this requires moving away from "trusting the person" and toward "trusting the process."
Technical Controls
- External Email Tagging: Ensure all emails originating from outside the organization are clearly flagged with a banner, even if they look like internal vendor communications.
- Impossible Travel & Login Alerts: Use SIEM (Security Information and Event Management) tools to monitor whether the employee's credentials are being used from unusual locations, or whether they are accessing files (such as old invoices) that are not relevant to their current tasks.
Administrative & Procedural Controls
- MFA for Banking Changes: Require mandatory out-of-band (OOB) verification for any change to vendor banking details. A staff member must call a known, pre-existing number for the vendor (not the number in the email) to confirm the change.
- Segregation of Duties: Ensure the person who enters banking information is never the same person who authorizes the payment.
- The "Four-Eyes" Principle: High-value transactions should require two separate logins from two different departments to be released.
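The controls above (out-of-band callback to the number on file, segregation of duties, and the four-eyes rule for high-value releases) can be checked mechanically against a payment system's audit trail. The following is an added example, not code from the original post: it runs four rules over a constructed set of events whose schema (event types `bank_change`, `callback`, `payment_release`; the `basis`, `approvers` and `number` fields; the staff and vendor directories) is an assumption made for illustration. Vendor V-1001 reproduces the scenario in the post; V-2002 is a change that followed the process.

```python
"""Audit vendor bank-detail changes against process controls.

Added example (not from the original post). The event schema, staff directory,
vendor phone directory and sample records below are all constructed.
"""
from collections import defaultdict

HIGH_VALUE = 25_000.00  # assumed threshold for the four-eyes rule

# Constructed staff directory: user -> department.
USERS = {
    "ap.clerk": "accounts_payable",
    "fin.manager": "finance",
    "controller": "treasury",
}

# Constructed vendor directory: vendor id -> phone number from the original contract.
VENDOR_PHONES = {"V-1001": "+1-555-0100", "V-2002": "+1-555-0200"}

# Constructed audit events. V-1001 mirrors the collusive scenario; V-2002 is clean.
EVENTS = [
    {"ts": "2024-05-01T09:02:00", "type": "bank_change", "vendor": "V-1001",
     "actor": "ap.clerk", "basis": "email_reply:ap.clerk"},       # "I spoke with the vendor"
    {"ts": "2024-05-01T09:10:00", "type": "callback", "vendor": "V-1001",
     "actor": "ap.clerk", "number": "+1-555-0199"},                 # number taken from the email
    {"ts": "2024-05-01T09:30:00", "type": "payment_release", "vendor": "V-1001",
     "actor": "ap.clerk", "approvers": ["ap.clerk"], "amount": 48_200.00},
    {"ts": "2024-05-02T10:00:00", "type": "bank_change", "vendor": "V-2002",
     "actor": "ap.clerk", "basis": "vendor_portal_ticket:8841"},
    {"ts": "2024-05-02T10:15:00", "type": "callback", "vendor": "V-2002",
     "actor": "fin.manager", "number": "+1-555-0200"},              # number on file
    {"ts": "2024-05-02T11:00:00", "type": "payment_release", "vendor": "V-2002",
     "actor": "fin.manager", "approvers": ["fin.manager", "controller"],
     "amount": 30_000.00},
]


def audit(events, vendor_phones, users, high_value=HIGH_VALUE):
    """Return a list of (vendor, rule) findings; an empty list means no control was violated."""
    by_vendor = defaultdict(list)
    for e in events:
        by_vendor[e["vendor"]].append(e)

    findings = []
    for vendor, evs in by_vendor.items():
        changes = [e for e in evs if e["type"] == "bank_change"]
        callbacks = [e for e in evs if e["type"] == "callback"]
        releases = [e for e in evs if e["type"] == "payment_release"]

        for change in changes:
            # Rule 1: an internal email reply is not verification of a banking change.
            if change["basis"].startswith("email_reply:"):
                findings.append((vendor, "internal_reply_not_verification"))
            # Rule 2: the OOB callback must go to the number on file, never one from the email.
            on_file = vendor_phones.get(vendor)
            if not any(cb["number"] == on_file for cb in callbacks):
                findings.append((vendor, "no_callback_to_number_on_file"))
            # Rule 3: segregation of duties between entering details and releasing funds.
            for rel in releases:
                if rel["actor"] == change["actor"]:
                    findings.append((vendor, "same_person_changed_and_released"))

        for rel in releases:
            # Rule 4: high-value releases need approvers from two different departments.
            depts = {users.get(a) for a in rel.get("approvers", [])}
            if rel["amount"] >= high_value and len(depts) < 2:
                findings.append((vendor, "four_eyes_not_met"))
    return findings


if __name__ == "__main__":
    for vendor, rule in audit(EVENTS, VENDOR_PHONES, USERS):
        print(f"{vendor}: {rule}")
```

The checks are deliberately independent of who vouched for the change: rule 1 rejects an internal reply as a basis regardless of the colleague's seniority, and rule 2 compares the callback number only against the directory value, which is the point of the out-of-band control.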
Awareness & Training
- Collusion Awareness: Train staff to recognize that "internal" confirmation isn't a substitute for formal verification.
- Whistleblower Hotlines: Provide a secure, anonymous way for other employees to report suspicious behavior or sudden, unexplained wealth in colleagues.
As a cybersecurity practitioner, I appreciate the request to deepen the analysis of this hypothetical "collusive phishing" scenario.
Uncovering an insider threat where an employee is actively conspiring with an external party is notoriously difficult because standard security tools (firewalls, email filters, MFA) are designed to block unauthorized access. In this case, the access is authorized—it's being misused.
This is where Open-Source Intelligence (OSINT) becomes an invaluable investigative asset. OSINT doesn't require "hacking" into private systems; instead, it involves the sophisticated collection and analysis of publicly available information to identify inconsistencies, hidden relationships, and behavioral red flags.
Here is the OSINT angle for uncovering this type of collusive scenario.
The Goal of OSINT in This Scenario
To prove collusion, we must use OSINT to bridge the gap between internal corporate data (standard logs) and external public data. We are looking for:
- Undisclosed Connections: Proving the insider and the external partner know each other outside of work.
- Sudden Lifestyle Changes: Identifying expenditure or assets that don't match the employee's known salary.
- Digital Contradictions: Finding public information that invalidates the employee's story (e.g., they claimed to call a vendor, but OSINT shows the vendor's phone numbers were out of service at the time).
OSINT Investigation Workflow & Techniques
An investigator would start with the names and known identifiers (emails, phone numbers) of the suspected employees (in AP and potentially the approving Controller) and the known vendor details.
Phase 1: Analyzing Social Networks & Connections (Relationship Mapping)
The Hypothesis: The employee and the cybercriminal are already acquaintances.
- Social Media Cross-Referencing: Using tools to find overlapping connections between the employee's public profiles (LinkedIn, Facebook, Instagram, Twitter/X) and those of potential external third parties.
- Historical Connections: Analyzing public university alumni databases, past employment records, or professional organizations to see if the targets overlapped chronologically and geographically in the past.
- "Interaction" Analysis: Looking beyond "following" lists to analyze who consistently "likes," comments on, or tags the target in public posts. A third party who frequently interacts with the AP clerk's personal photos is a "person of interest."
Phase 2: Analyzing Digital Footprints (Behavioral Contradictions)
The Hypothesis: The employee lied about the method of verification used in the scam.
- Vendor Infrastructure OSINT: If the employee claimed they "verified the banking change on the vendor's website," investigators will use historical WHOIS and passive DNS records (from services such as RiskIQ) to see whether the vendor's legitimate website was actually down or modified at the time, or whether a look-alike domain was registered recently.
- Telephone/Communication Records: While phone logs are private, OSINT can use "reputation" databases for phone numbers to see if the number the employee claims to have called has recently been flagged in scam databases or is associated with VoIP services known for anonymizing callers.
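The look-alike domain check in the vendor infrastructure step can be made concrete: compare the sender's domain against the vendor domain on file, normalising common confusable characters, and weigh a near-match by how recently the domain was registered. The following is an added example, not code from the original post. The vendor domain, the candidate sender addresses and the registration dates are constructed; in practice the dates would come from historical WHOIS, and the confusable table is a deliberately small assumption.

```python
"""Score sender domains as look-alikes of a known vendor domain.

Added example (not from the original post). The vendor domain, sender addresses
and registration dates below are constructed; the confusables table is a
small illustrative subset.
"""
from datetime import date

# Constructed registration records, as an investigator would pull from historical WHOIS.
REGISTRATIONS = {
    "acme-supplies.com": date(2011, 3, 14),   # the real vendor, registered years ago
    "acme-supp1ies.com": date(2024, 4, 20),   # digit 1 for letter l
    "acrne-supplies.com": date(2024, 3, 1),   # "rn" for "m"
}

# Assumed confusable substitutions, applied before comparison.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}
RECENT_DAYS = 90  # assumed threshold for "recently registered"


def sender_domain(address):
    """Return the domain part of an email address, lower-cased."""
    return address.rsplit("@", 1)[-1].lower().strip()


def registrable_label(domain):
    """Naive label left of the public suffix; adequate for .com-style names."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def normalize(label):
    """Fold confusable characters and hyphens so visually similar labels compare equal."""
    s = label.lower()
    for src, dst in CONFUSABLES.items():
        s = s.replace(src, dst)
    return s.replace("-", "")


def osa_distance(a, b):
    """Optimal string alignment distance (edits plus adjacent transpositions)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def assess(address, known_domain, registrations, today, max_edits=2):
    """Return a dict describing how closely the sender domain resembles the vendor's."""
    cand = sender_domain(address)
    if cand == known_domain.lower():
        return {"domain": cand, "lookalike": False, "age_days": None, "verdict": "known_vendor"}

    c_label, k_label = registrable_label(cand), registrable_label(known_domain)
    lookalike = (normalize(c_label) == normalize(k_label)
                 or osa_distance(c_label, k_label) <= max_edits)

    reg = registrations.get(cand)
    age_days = (today - reg).days if reg else None
    if not lookalike:
        verdict = "low"
    elif age_days is None or age_days < RECENT_DAYS:
        verdict = "high"    # near-match that is new, or whose age cannot be established
    else:
        verdict = "medium"
    return {"domain": cand, "lookalike": lookalike, "age_days": age_days, "verdict": verdict}


if __name__ == "__main__":
    today = date(2024, 5, 1)  # constructed investigation date
    for addr in ["billing@acme-supplies.com", "billing@acme-supp1ies.com",
                 "ar@acrne-supplies.com", "billing@acme-supplies.co", "ops@globex-parts.com"]:
        print(assess(addr, "acme-supplies.com", REGISTRATIONS, today))
```

A domain that scores `high` does not by itself prove the employee's account was false, but a "verified" change whose instructions arrived from a days-old look-alike domain is exactly the kind of contradiction this phase sets out to document.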
Phase 3: Lifestyle & Asset Analysis (The "Wealth Gap")
The Hypothesis: The employee is receiving laundered kickbacks.
- Real Property & Asset Searches: Searching public county or city tax assessor databases for recent real estate purchases, mortgage registrations, or luxury vehicle registrations in the employee's name or the name of close relatives.
- Social Media Sentiment & Imagery: Analyzing public Instagram or Facebook posts for sudden increases in high-end travel, expensive luxury purchases, or displays of wealth (jewelry, new cars) that create a clear "lifestyle inconsistency" relative to their AP clerk salary.
Phase 4: Exploiting Data Leaks (The Smoking Gun)
The Hypothesis: The employee is using personal, compromised accounts to coordinate the scam.
- Breach Data Analysis: While practitioners must adhere to legal frameworks, checking publicly known data breach repositories (like Have I Been Pwned) can show if the employee’s personal email addresses were compromised.
- Forum & Dark Web Monitoring: Searching for the employee's known personal usernames on hacker forums or marketplaces where "insider access" is often bought and sold.
Conclusion: Why OSINT Matters
OSINT provides the "context layer" that internal transaction logs cannot. It turns unstructured fragments of public information into structured leads. In this collusive phishing scenario, OSINT is often what moves an internal investigation from mere "suspicion" to a verifiable "chain of evidence" showing premeditated fraud.
Disclaimer: All OSINT activities must be conducted ethically, legally, and within the policies of the organization and the jurisdiction.
I would love to hear your thoughts about this type of scenario.