
Why Your Website Contact Form Could Be a Cybersecurity Risk

An estimated 3.4 billion spam emails are sent every day, making phishing the most common form of cybercrime. A lot of businesses still fall victim to phishing attacks, but more are becoming vigilant about them. Yet, just as they are evolving, so too are attackers. Cybercriminals are now conducting phishing through website forms.

Those “contact us” pages on your website may introduce serious contact form security risks if they are not properly monitored. So, in this blog, we’ll go over contact form security risks, real-world examples, and how to secure them.

Contact Form Security Risks

A contact us form may seem harmless on the surface, yet phishing through website forms is becoming an increasingly common attack. Common vulnerabilities that may lead to contact form security risks are:

  • Phishing Entry Point: Some businesses have spam filters set up to block phishing emails, and hackers know this. So, they opt to use a “contact us” form to bypass these filters. It gets them talking with a person from the organization they’re targeting with no hassle.
  • Trust Exploitation: When businesses receive a message from their “contact us” form, they expect it to be a genuine inquiry. So, employees will often engage without suspicion. This is a consequence of this attack still being very new.
  • Social Engineering: Since attackers can easily interact with a victim through this form, they’re able to build a rapport over days or weeks. They pose as a legitimate prospect or customer and then send over malicious files that lead to a cyberattack.

This attack isn’t theoretical either; phishing through website forms is happening now across various industries.

Diagram illustrating phishing through website forms, where attackers use a contact form to build trust before sending malicious ZIP files.

Photo by The Hacker News

Real-World Examples of Phishing Through Website Forms

This attack is still relatively unknown, but it is a highly sophisticated operation. Check Point Research has been monitoring these social-engineering attacks. They have mainly been targeting supply-chain critical manufacturing companies.

The attacker will initiate contact through the “contact us” form. They may use old, real domains, websites, and anything else a real company would have to appear legitimate. After they gain the trust of the victim, they deploy a ZIP archive including a script that gives hackers access to their network.

This can allow hackers to conduct data theft, ransomware extortion, financial fraud, and supply chain disruption. Reportedly, dozens of organizations have been targeted in these campaigns.

Example of phishing through website forms showing a fake NDA email sent after a website contact form inquiry.

Example of an Attacker’s Message

How to Secure Contact Forms Against Hackers

While these attacks are highly sophisticated, businesses can reduce contact form security risks with the right cybersecurity practices. Here’s what you can do right now:

  • Employee Training and Awareness: Your staff may already be trained on how to spot a phishing email, but they also need to understand the contact form security risks associated with website inquiries. Common red flags to look for are unusual requests, prolonged back-and-forth, and unexpected file attachments.
  • Response and Escalation Policy: Along with proper employee training, there should also be a response and escalation policy set up. You should establish clear procedures for handling form submissions and encourage employees to verify requests before responding or downloading files.
  • Proactive Defense: A company by itself can only do so much; that’s why we recommend partnering with a managed security provider (MSP). These providers can offer continuous monitoring, incident response services, backup & disaster recovery, and more to keep your business protected.
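
The “unexpected file attachments” red flag and the ZIP-with-a-script delivery described earlier can be checked automatically before a reply reaches an employee. The sketch below is an added example, not code from this post or from Check Point Research; the extension list, the `form_contacts` set, and the sample addresses are assumptions made for illustration.

```python
import io
import os
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed extension list (not from the article); tune it to your environment.
RISKY_EXTS = {".lnk", ".ps1", ".js", ".jse", ".vbs", ".wsf", ".hta", ".bat", ".cmd", ".zip"}

def risky_zip_members(data: bytes) -> list[str]:
    """Names of archive members that are scripts, shortcuts or nested archives."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return ["<unreadable archive>"]  # cannot inspect it: treat as risky
    return [n for n in names if os.path.splitext(n.lower())[1] in RISKY_EXTS]

def triage(raw: bytes, form_contacts: set[str]) -> dict:
    """form_contacts (hypothetical): addresses that first wrote in via the contact form."""
    msg = message_from_bytes(raw, policy=policy.default)
    sender = parseaddr(str(msg["From"]))[1].lower()
    attachments = list(msg.iter_attachments())
    risky = []
    for part in attachments:
        payload = part.get_payload(decode=True) or b""
        if payload.startswith(b"PK"):  # ZIP magic bytes, whatever the filename says
            risky += risky_zip_members(payload)
    from_form = sender in form_contacts
    if risky:
        action = "escalate"  # archive carrying a script: hold and hand to security
    elif from_form and attachments:
        action = "review"    # unexpected file from a form contact: verify first
    else:
        action = "deliver"
    return {"from_form_contact": from_form, "risky_members": risky, "action": action}

def sample_message(members: dict[str, bytes]) -> bytes:
    """Constructed sample: a reply from a form contact with a ZIP attached."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    msg = EmailMessage()
    msg["From"] = "Prospect <buyer@supplier.example>"
    msg.set_content("Please sign the attached NDA.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="nda.zip")
    return msg.as_bytes()
```

Calling `triage(sample_message({"nda.pdf": b"%PDF-", "nda.pdf.lnk": b"x"}), {"buyer@supplier.example"})` returns an `escalate` decision that names the shortcut file, which gives the escalation policy above a concrete trigger.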

Don’t Let Your Contact Form Be the Weakest Link

With all this in mind, is your business ready for these contact form security risks? It’s clear that contact form security risks are no longer something businesses can ignore.

Real-world attacks such as the ZipLine attack prove that any business is vulnerable to these sophisticated cyberattacks. If your organization doesn’t have the time or resources to get an in-house IT team, consider an MSP like Kirkham IronTech.

We work with businesses to help secure their IT and cybersecurity infrastructure from attacks such as these. With threats evolving rapidly, we take care of the IT so they can continue doing business.

If you’re unsure about how secure your business may be, we offer a free cybersecurity and IT infrastructure assessment. This will give you a breakdown of your cybersecurity and IT vulnerabilities with no fluff, just facts. Kind of ironic that we talked about “contact us” forms and now we’re directing you to one. The difference is that ours connects you to a real team that wants to protect your data, not cybercriminals trying to steal it.

 

STAY VIGILANT!

Tom Kirkham brings more than three decades of software design, network administration, and cybersecurity knowledge to organizations around the country. During his career, Tom has received multiple software design awards and founded other acclaimed technology businesses.

Tom is a highly sought-after speaker on the topic of cybersecurity, and he’s also the author of TWO #1 best-selling books on Amazon, Hack the Rich and The Cyber Pandemic Survival Guide.

Learn more about Tom at TomKirkham.com.

Don’t Let It Be Too Late!

Get a FREE Security and Infrastructure Assessment

Cybersecurity threats are always transforming, and that’s why we need to stay prepared. Now is the best time for you to take advantage of our FREE Security and Infrastructure Assessment taking place on this blog post. We guarantee positive results in recognizing areas where your business can improve. Time waits for no one; don’t hesitate or else you risk losing absolutely everything.

Reach out today by emailing info@kirkhamirontech.com or call 479-434-1400.
