Modus operandi for hackers

Hackers email legitimate looking mails (phishing) that usually have some form of urgency, and include a link. The user clicks on the link, the web page they are taken to looks like Microsoft, for example, and the user then enters their credentials to log in, thereby giving their username and password to the hacker.

The hacker then accesses the users mailboxes via webmail, and reads through mails to see who is doing high value transactions, who is in charge of accounts, or who is management in the company.

Once they have identified a possible transaction, they create rules for specific incoming mails that will mark them as read, and move them to un-used folder.

They then interact directly with the external party (spoofing), usually requesting a change of bank details. This is how they steal money.

They export contacts to build their database.

They use your email and contacts to phish the next batch of people.

Please remember that no serious business would ever phone or send an email asking a user for their credentials (username and password). Practice a zero trust policy when it comes to security. It is the only way to stay safe.