One of the most common responses we get when a phishing email is quarantined is some version of:
“I know them.”
“This is one of our vendors.”
“That’s a customer / friend / business contact.”
And that is a reasonable reaction, because phishing isn’t random.
In fact, familiarity is the bait.
Why “I know them” is exactly how phishing works
When an attacker gains access to a real email account, the first place they look is the contact list. Targeted attacks may also impersonate people you know.
Why?
Because emails from someone you already know are far more likely to be trusted.
That’s why phishing emails often come from:
- Vendors you work with
- Coworkers
- Customers
- Business partners
The goal isn’t sophistication.
The goal is trust.
Urgency is often the real red flag
Almost all successful phishing emails have one thing in common: urgency.
Common examples:
- “Boss needs this done ASAP”
- “We’re late on this wire transfer”
- “Please review and sign immediately”
- “Invoice attached, payment is overdue”
Attackers don’t want you to think; they want you to act now.
We live in a world of constant urgency, and phishing emails are designed to blend right into that noise.
“Legitimate looking” delivery methods are intentional
Phishing emails rarely attach obvious malware anymore.
Instead, they often use legitimate looking services:
- E-signature platforms
- File-sharing links
- Cloud document portals
These are commonly framed as:
- Contracts
- Invoices
- Documents to sign
- Updated payment details
The delivery method looks normal, because it is normal.
It’s the context that’s wrong.
What not to do
One common mistake we see is replying directly to the email to ask:
“Is this real?”
If the account is compromised, you’re asking the attacker.
Yes, we’ve even seen cases where people were reassured by the attacker that “everything is fine.”
If something feels off, don’t reply to the email.
What to do instead
Slow down and verify
When in doubt:
- Verify requests for action using a different method
- Call the sender using a known phone number
- Ask internally before acting
Even a 30-second pause can prevent a major incident.
In Conclusion: Look for signs of bait and avoid getting the hook
Phishing works the same way fishing does: it uses bait.
And attackers keep getting better bait: familiar names, real vendors, realistic language, and urgent requests.
In a world built around “do it now”, the safest habit is to slow down and ask one simple question:
Is this actually expected?
Sometimes the bad guy isn’t obvious.
Sometimes they’re just wearing a very convincing mask.
