5 Social Engineering Attacks Hitting Chicago Businesses Right Now
These aren't hypothetical. These are the attacks we're seeing in our assessments this quarter. If your team doesn't know about them, they're walking into a trap.
These are live. Right now. This quarter.
I'm not going to waste your time with theoretical attacks or things that might happen someday. Everything in this article is something we've seen in the wild during our assessments of Chicago businesses in the last 90 days.
Your team is seeing these right now. The question is whether they recognize them.
1. The Microsoft 365 "session expired" email.
This one is everywhere.
Your employee gets an email saying their Microsoft 365 session has expired and they need to re-authenticate. The email looks perfect. Microsoft logo, correct color scheme, footer links that actually go to microsoft.com. The "Sign In" button goes to a page that is pixel-for-pixel identical to the real Microsoft login.
Except the URL is something like microsoftonline-auth.com instead of login.microsoftonline.com.
Employee types in their email and password. The fake site captures the credentials and immediately uses them to log into the real Microsoft 365. The attacker also intercepts the MFA prompt by relaying it in real time. This is called adversary-in-the-middle (AitM) and yeah, it beats basic MFA.
What makes this nasty: the attacker sends it at 9:15am when everyone's logging in. "Session expired" doesn't feel unusual because sessions do expire sometimes.
How to fight it: Train your team to never click "Sign In" links in emails. If you think your session expired, open a new browser tab and go to office.com directly. Every time. No exceptions. We drill this into people until it's automatic.
For the MFA bypass: hardware security keys (FIDO2/WebAuthn) are phishing-resistant because the credential is cryptographically bound to the real site's domain. A sign-in started on a lookalike domain produces nothing the attacker can relay to the genuine service, so the AitM trick fails. We help businesses roll these out.
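As an added example (not code from the article or from the company behind it), the two checks below are the machine version of the advice above: an exact-match allowlist on the sign-in URL, which is what a mail filter or browser policy can do in place of the "type office.com yourself" habit, and the origin check a WebAuthn relying party performs on an assertion, which is what stops a sign-in captured on a lookalike domain from being accepted by the real service. The only real hostname used is the one the article names; the phishing hosts, the challenge value and the shape of the verifier are constructed for the demo and are not any vendor's code.

```python
"""Why the AitM relay described above fails against FIDO2/WebAuthn.

Added example, not code from the original article. Two defender-side checks:
1. An exact-match allowlist on the sign-in URL.
2. The origin check a relying party performs on a WebAuthn assertion. The
   browser fills clientDataJSON.origin with the page the user actually saw,
   and the authenticator signs over SHA-256(clientDataJSON), so an assertion
   collected on a lookalike domain cannot be patched up and replayed.
Hostnames other than login.microsoftonline.com, the challenge bytes and the
verifier's shape are constructed for this demo.
"""
import base64
import hashlib
import json
from urllib.parse import urlsplit

# Hosts where a genuine Microsoft 365 sign-in page lives. Only the host named in
# the article is listed; extend for your tenant (assumption: exact-match allowlist).
LEGIT_LOGIN_HOSTS = {"login.microsoftonline.com"}


def is_legit_login_url(url: str) -> bool:
    """Exact host match over HTTPS. Substring or suffix matching is the classic bug:
    'login.microsoftonline.com.evil.example' contains the real hostname."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    return host in LEGIT_LOGIN_HOSTS


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_client_data(origin: str, challenge: bytes) -> str:
    """Constructed stand-in for the clientDataJSON a browser builds during
    navigator.credentials.get(); returned base64url-encoded like the real thing."""
    payload = {
        "type": "webauthn.get",
        "challenge": base64.urlsafe_b64encode(challenge).rstrip(b"=").decode(),
        "origin": origin,
    }
    raw = json.dumps(payload, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def verify_assertion_origin(client_data_b64: str, expected_origin: str,
                            expected_challenge: bytes) -> bool:
    """Relying-party side of the check. A full verifier also checks the rpIdHash in
    authenticatorData and the signature over authenticatorData || SHA-256(clientDataJSON);
    that signature is what makes the origin field tamper-evident."""
    data = json.loads(_b64url_decode(client_data_b64))
    if data.get("type") != "webauthn.get":
        return False
    if data.get("origin") != expected_origin:
        return False  # produced on a different site (the lookalike): reject
    return _b64url_decode(data.get("challenge", "")) == expected_challenge


def client_data_hash(client_data_b64: str) -> str:
    """SHA-256 of clientDataJSON, the value the authenticator's signature covers."""
    return hashlib.sha256(_b64url_decode(client_data_b64)).hexdigest()


if __name__ == "__main__":
    # Constructed URLs from the article's scenario.
    for url in ("https://login.microsoftonline.com/common/oauth2/authorize",
                "https://microsoftonline-auth.com/common/oauth2/authorize",
                "https://login.microsoftonline.com.evil.example/",
                "http://login.microsoftonline.com/"):
        print("OK   " if is_legit_login_url(url) else "BLOCK", url)

    challenge = b"constructed-32-byte-server-challenge!"[:32]
    real = make_client_data("https://login.microsoftonline.com", challenge)
    relayed = make_client_data("https://microsoftonline-auth.com", challenge)
    print("genuine assertion accepted:",
          verify_assertion_origin(real, "https://login.microsoftonline.com", challenge))
    print("relayed assertion accepted:",
          verify_assertion_origin(relayed, "https://login.microsoftonline.com", challenge))
    print("hash differs, so the relay cannot rewrite the origin field:",
          client_data_hash(real) != client_data_hash(relayed))
```

The URL check is deliberately exact-match: the lookalike in the article, a subdomain-suffix trick, and a plain-HTTP copy of the real host all get blocked. The WebAuthn half shows where the relay breaks: the relayed assertion carries the lookalike's origin, the real service rejects it, and because the signed hash covers the whole clientDataJSON, the attacker cannot edit the origin without invalidating the signature.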
2. The vendor invoice with new bank details.
Your accounts payable team gets a legitimate-looking invoice from a regular vendor with a note: "Please update our banking details for future payments."
The new details route to a mule account.
In one assessment, we found a Chicago manufacturing company that had been paying a fraudulent account for three months before anyone noticed. Three months. The real vendor eventually called asking why they hadn't been paid.
Three months of payments. Gone.
How to fight it: Out-of-band verification. Any request to change banking details gets a phone call to a number you already have on file. Not the number in the email. Make it policy. Write it down. We practice this in our training until your AP team does it on instinct.
3. The QR code in the physical mail.
This one is newer and it's clever.
Your business receives a physical letter, sometimes on what looks like official letterhead from a bank, the IRS, or a utility company. The letter asks you to scan a QR code to "verify your account" or "pay an outstanding balance."
The QR code goes to a phishing site.
But because it arrived in physical mail, people trust it more than they'd trust an email. There's a psychological barrier that says "if someone went to the trouble of mailing this, it must be real."
Attackers know this. That's why they did it.
We've seen these targeting restaurants and retail businesses in Chicago, disguised as health department notices and payment processor communications.
How to fight it: Same rule as email. Never scan a QR code from unsolicited mail. If you think the letter is legitimate, go directly to the organization's website by typing the URL yourself. Our training includes physical mail scenarios because the attacks aren't just digital anymore.
4. The AI voice clone call.
This is the one that keeps me up at night.
An attacker grabs a few seconds of your voice from a conference recording, a podcast, a YouTube video, even a voicemail greeting. They feed it into an AI voice cloning tool. Then they call your office pretending to be you.
"Hey, it's [your name]. I'm in a meeting and can't talk long. I need you to process a payment. I'll send the details by email."
Your employee hears your voice. It sounds like you. They do what you asked because it sounded like you asked them to.
The tools to clone a voice are free and need about 30 seconds of audio. This is happening nationally. It's a matter of time locally.
How to fight it: Establish a verification code word or callback procedure for financial requests. "Even if it sounds like me, verify before you move money." We help teams set up these protocols and practice using them until it's second nature. Sounds paranoid? Wait until you hear the demos we play in training. You'll understand why.
5. The LinkedIn recruiter.
Your HR department or hiring manager gets a message on LinkedIn from a "recruiter" or "candidate." They exchange messages, maybe have a call. Eventually the recruiter sends a "portfolio" or "resume" as a file.
The file contains a payload.
Or: the attacker poses as a candidate applying for a real open position on your website. They submit a resume that's actually a weaponized document. Your HR person opens it because reviewing resumes is literally their job.
This works because HR teams cannot do their jobs without opening files from strangers. The attack is perfectly disguised as normal business activity.
How to fight it: Open all candidate documents in preview mode. Google Workspace and Microsoft 365 both render files without executing embedded code. Never download and open an attachment directly. We train HR teams specifically on this because they're the most targeted group after finance.
The common thread.
Every single one of these attacks targets a person, not a system.
The firewall doesn't help. The antivirus doesn't help. A human being is being manipulated into taking an action that harms the business.
And here's the part that matters for your personal life too: these same attacks hit you at home. The fake Microsoft email lands in your personal Gmail. The QR code letter shows up in your home mailbox. The voice clone calls your family.
Our training builds the instinct to pause and verify in every context. Not just at work. Not just during business hours. The threat doesn't clock out. Neither should your awareness.
If reading this list made you realize your team wouldn't catch most of these, that's normal. That's where almost every business starts with us. The point isn't to feel bad. The point is to fix it before it costs you.
(773) 417-9994 or southsidechisolutions.com