ITstuffed

Reply-Chain Phishing: The Attack Hidden Inside a Conversation You Trust

Reply-chain phishing works because it does not look like an attack. It looks like part of a conversation already in progress - colleagues discussing a client matter, a proposal going back and forth, a thread that has been running for days. Someone in the chain sends a reply with a link to a shared document. The name is familiar, the context makes sense, and clicking through feels like the obvious next step.

A reply-chain phishing attack does not arrive as a suspicious cold email from an unknown sender. It lands inside an active conversation your team is already participating in, sent from an address they recognise and trust. Most people have been trained to look out for odd emails from strangers. Far fewer are watching for something that looks like a normal reply from a colleague.

The way attackers get into that conversation is straightforward. They compromise one person's email account - often through a reused or weak password, through credentials stolen in an earlier breach elsewhere, or through a fake login page that captured both the password and a one-time code. The account does not have to belong to someone in your business: a supplier's or client's mailbox that already sits in the thread works just as well. Once inside, they can read the entire thread, understand the context, and craft a reply that fits naturally. They know the names of the people involved. They know what is being discussed. Because the reply genuinely comes from the compromised mailbox, the sender-authentication checks (SPF, DKIM and DMARC) that would catch a spoofed address pass cleanly, and the message threads under the existing subject line like any other reply. Their message does not need to be clever. It just needs to be plausible, and that is usually enough.

Business email compromise - where an attacker gains access to a legitimate email account and uses it to cause harm - is not a rare event. It is one of the more common ways that businesses end up dealing with ransomware, stolen client data, or fraudulent payment instructions. The reply-chain attack is a particularly effective version because it exploits the trust already built inside your team's communications. By the time anyone realises something was wrong, the damage is often done.

What does good protection look like? It starts with making it much harder for an attacker to get into an email account in the first place. That means multi-factor authentication on every email account - a second verification step that stops a stolen password from being enough on its own. Where the option exists, prefer phishing-resistant methods such as passkeys or hardware security keys over codes sent by SMS or typed from an app, because a code entered into a fake login page is handed to the attacker along with the password. It means a password manager so staff are not reusing the same credentials across different services. And it means regular, practical awareness training so people know to pause before clicking a link, even in a familiar thread - and to confirm any change to payment details by phone, using a number they already hold rather than one in the email.

It also means having someone actively monitoring your email environment. Attackers who get inside an account often sit quietly for days before acting, reading through past messages to make their intervention more convincing. Good email security monitoring can detect unusual account behaviour - sign-ins from unexpected countries or unfamiliar devices, inbox rules that have appeared without explanation (typically ones that forward mail to an outside address or quietly delete replies so the real owner never sees them), and new MFA devices being registered - before those accounts are used to attack anyone else.
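To make those signals concrete, here is an added example of the detection logic a monitoring tool applies to a mailbox audit trail. It is illustrative code written for this article, not ITstuffed's tooling or any vendor's product: the log lines are constructed, the JSON field names and the `example.co.nz` domain are assumptions, and the "expected countries" list is a stand-in for whatever baseline your business actually has. It flags sign-ins from outside that baseline, inbox rules with the hallmarks of attacker persistence (external forwarding, deletion, moving to folders nobody reads, names that are just punctuation), and raises the severity when a suspicious rule is created shortly after a suspicious sign-in.

```python
"""Toy detector for account-takeover signals in a mailbox audit log.

Added example for this article; not ITstuffed's tooling. Field names,
the sample log and the expected-country baseline are all assumptions.
"""
import json
from datetime import datetime, timedelta

# Constructed sample audit log in JSON-lines form. The schema is invented
# for this example and is not any provider's real export format.
SAMPLE_LOG = """\
{"ts": "2024-05-06T08:02:11Z", "user": "alice@example.co.nz", "event": "SignIn", "country": "NZ", "ip": "203.0.113.10"}
{"ts": "2024-05-06T08:40:02Z", "user": "bob@example.co.nz", "event": "SignIn", "country": "NZ", "ip": "203.0.113.11"}
{"ts": "2024-05-06T23:15:40Z", "user": "alice@example.co.nz", "event": "SignIn", "country": "NG", "ip": "198.51.100.7"}
{"ts": "2024-05-06T23:18:05Z", "user": "alice@example.co.nz", "event": "New-InboxRule", "rule": {"name": ".", "forward_to": ["drop.box@example.com"], "delete": true}}
{"ts": "2024-05-07T09:01:13Z", "user": "bob@example.co.nz", "event": "New-InboxRule", "rule": {"name": "Invoices", "move_to": "Accounts", "forward_to": []}}
{"ts": "2024-05-07T09:05:00Z", "user": "bob@example.co.nz", "event": "SignIn", "country": "NZ", "ip": "203.0.113.11"}
"""

INTERNAL_DOMAIN = "example.co.nz"          # assumed: the business's own mail domain
EXPECTED_COUNTRIES = {"NZ"}                 # assumed: where staff normally sign in from
CORRELATION_WINDOW = timedelta(hours=24)    # rule created this soon after an odd sign-in -> high
# Folders attackers use to park mail the victim is unlikely to open.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "deleted items", "junk email", "conversation history"}


def parse_log(text):
    """Parse JSON lines into dicts with real datetimes, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def rule_indicators(rule, internal_domain):
    """Return the reasons an inbox rule looks like attacker persistence (empty if benign)."""
    reasons = []
    external = [a for a in rule.get("forward_to", [])
                if not a.lower().endswith("@" + internal_domain)]
    if external:
        reasons.append("forwards mail outside %s: %s" % (internal_domain, ", ".join(external)))
    if rule.get("delete"):
        reasons.append("deletes matching mail (hides replies from the real owner)")
    if rule.get("move_to", "").lower() in HIDING_FOLDERS:
        reasons.append("moves mail to a folder people rarely read: " + rule["move_to"])
    name = rule.get("name", "")
    if not name.strip(" .,-_"):
        reasons.append("rule name is empty or just punctuation (%r)" % name)
    return reasons


def detect(log_text, internal_domain=INTERNAL_DOMAIN,
           expected_countries=EXPECTED_COUNTRIES, window=CORRELATION_WINDOW):
    """Scan the log and return alerts as {"user", "severity", "ts", "reasons"}."""
    alerts = []
    last_odd_signin = {}  # user -> time of most recent sign-in from an unexpected country
    for ev in parse_log(log_text):
        user = ev["user"]
        if ev["event"] == "SignIn":
            if ev.get("country") not in expected_countries:
                last_odd_signin[user] = ev["ts"]
                alerts.append({"user": user, "severity": "medium", "ts": ev["ts"],
                               "reasons": ["sign-in from unexpected country %s (%s)"
                                           % (ev.get("country"), ev.get("ip"))]})
        elif ev["event"] == "New-InboxRule":
            reasons = rule_indicators(ev.get("rule", {}), internal_domain)
            if not reasons:
                continue
            severity = "medium"
            odd = last_odd_signin.get(user)
            if odd is not None and ev["ts"] - odd <= window:
                # The combination is the strongest signal: a new sign-in location
                # followed quickly by a rule that forwards or hides mail.
                severity = "high"
                reasons.append("created %s after an unexpected-location sign-in" % (ev["ts"] - odd))
            alerts.append({"user": user, "severity": severity, "ts": ev["ts"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert["ts"].isoformat(), alert["severity"].upper(), alert["user"])
        for reason in alert["reasons"]:
            print("    -", reason)
```

On the constructed log this produces two alerts for alice (a medium for the sign-in from NG and a high for the rule created a few minutes later) and nothing for bob, whose "Invoices" rule moves mail to a normal folder and forwards nowhere. A real deployment would replace the static country list with a per-user baseline learned from past sign-ins and would also watch MFA registration and OAuth consent events, which the sample schema does not include.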

The practical step is to treat email account security as something your business actively maintains, not something you set up once and leave. Passwords should be unique and managed properly. Multi-factor authentication should be on by default. Staff should know what to do if they suspect an account has been accessed - and who to call. Whoever handles it should change the password, sign out every active session, remove any inbox rules or forwarding the attacker added, and check what was sent from the account while it was compromised, because the people who received those messages are the next targets. If a breach does occur, CERT NZ at cert.govt.nz is the right first call for guidance on containment and reporting.

If you are not sure how well your email accounts are protected right now, ITstuffed offers a 15-minute IT Fit Check at /booking - a quick conversation to identify where the gaps are before an attacker finds them.
