Hackers have upped the ante with this targeted attack, using personal phone calls in addition to traditional emails.
It begins as a regular phishing email to people with financial roles, such as an accountant or a CFO, said Anne O'Neill, regional head of Symantec's small business division.
The scary part, said O'Neill, is that even if you think the email is suspicious and don't click on it, you haven't escaped the attack.
The second part involves some social engineering, said O'Neill. "The criminals pretend to be a vendor of the [targeted] company and will convince you that you have a payment due on an old invoice," said O'Neill. The victim gets a follow-up email with an attachment disguised as the invoice.
If you click on the attachment, it will install malware on your computer. "Now the hackers can get information such like the login and password for bank accounts and steal funds," said O'Neill.