What if you received an email about transferring your Kakao account? Check this first.
Recently, a phishing email disguised as an official Kakao account transfer notification has been identified. The email attempts to instill anxiety by claiming that the user’s Kakao account is scheduled to be transferred, and prompts the user to click on the “Verify Account” link included in the body of the message. If a user enters their email address and password on the linked phishing page, the entered credentials may be transmitted to an external server controlled by the threat actor. In this article, we’ll examine the phishing tactics used in these Kakao account migration emails and the precautions users should take.
It Looks Like a Login Page, but Its Purpose Is Information Theft
Kakao accounts are linked to messaging apps, portals, and various online services, making them a frequent target for threat actors. ASEC recently identified Kakao-disguised phishing emails targeting individuals associated with North Korea. These phishing emails were disguised as Kakao account transfer notifications to instill anxiety in users and trick them into clicking a link in the body of the email under the pretext of “account verification.” Phrases that urge users to take action—such as “account migration,” “usage verification,” and “security verification”—are keywords frequently used in phishing emails.

[Figure 1] Body of a phishing email that disguises itself as a Kakao account migration notice
However, clicking the hyperlink embedded in the text redirects users to a phishing site that mimics the Kakao account management site. The phishing site displays fields for entering an email address and password; if users mistake this for a legitimate account verification process and enter their information, their credentials may be transmitted to third parties. Since threat actors use the logos and guidance messages of actual services to lower users’ suspicion, one should not judge whether an email is legitimate based solely on its design.
Things to Check on a Phishing Page
If you’ve opened a login page via a link in an email, do not enter your information immediately—even if the screen looks familiar. In particular, procedures that appear to be account transfers, password resets, or security checks may actually be steps designed for credential theft.
Therefore, on pages requesting sensitive information—such as your account, password, or verification code—you should first verify that the domain in the address bar matches that of the official Service. If you have any doubts, do not use the link in the email directly; it is safer to access the site again through the official app or website.

[Figure 2] Example of a phishing page
Phishing page exploiting a legitimate website’s Path
In this case, the phishing page was not hosted on a typical free hosting site but was found to be a compromised web server of a legitimate, actively operating website. It appears the threat actor compromised the legitimate website and created the phishing page within that server to avoid arousing the user’s suspicion.
In such cases, users can be deceived even if the URL does not contain a completely unfamiliar domain or a suspicious-looking string of characters. This is because if the phishing page appears to be part of a legitimate website’s Path, users are more likely to trust it.
Therefore, even if the page layout looks familiar or the address appears to be one you recognize, you must always verify that it is the official Service address before entering your login credentials. In particular, if a page requests sensitive information such as your account, password, or verification code, it is safer to access it through the official app or website rather than clicking directly on a link in an email.
Account Information Encoded and Transmitted Externally
Analysis revealed that the phishing page contained code designed to transmit the email account and password entered by the user to an external server. The information entered was converted into an unrecognizable format during transmission and then sent to an external server controlled by the threat actor.
It is difficult for ordinary users to verify these internal operations directly. The key point is that phishing pages are not merely designed to display a fake login screen; they can be engineered to actually collect and transmit the information entered by the user. Therefore, you should exercise even greater caution when accessing login pages opened through links in email bodies.
Measures to Protect Your Kakao Account
If you receive an account-related notification email, you should check the following:
1) Verify the sender’s address
Even if the sender’s name appears as “Kakao Team” or “Kakao,” you must verify that the actual email address belongs to the official domain. Since the sender’s name can be easily disguised, you should not assume the email is legitimate based solely on the displayed name.
2) Do not click links in the email body immediately
If an email asks you to verify your account or password, hover your mouse over the link to check the actual URL first. If you have any doubts, do not click the link in the email; it is safer to access the Kakao account management page directly through your browser or the official app.
3) Check the URL before entering login information
Even if the screen looks like the Kakao account management page, you must verify that the domain in the address bar matches the official Service. Do not enter your account information if the URL contains an unfamiliar domain, an unnecessarily long URL, or a Path that makes no sense.
4) Check for HTTPS and the padlock icon
Before entering sensitive information, verify the page’s security certification (HTTPS, padlock icon), and never enter any information if you have any doubts.
5) Change Your Password Immediately If You’ve Entered It
If you have entered your account information on a phishing page, you must immediately change your password on the official Kakao account page. If you use the same password for other services, check those as well, and it is recommended that you enable additional security measures, such as two-step verification, if possible.
6) Delete suspicious emails or forward them to your security team
If you receive such an email through your work email, do not click any links or open any Attachments on your own; instead, report it to your company’s internal security department. Even if you receive it via your personal email, it is safest to avoid clicking links or entering any information.
This incident is a phishing attack in which the threat actor exploited a familiar brand and account notification messages to manipulate user behavior. Messages claiming that an account is being transferred can easily trigger anxiety in users, and screens that appear to be legitimate account verification procedures can trick users into entering their login credentials.
However, the more an email appears to be an account-related notification, the more carefully you should verify it. Check the sender’s address and the actual URL first, rather than focusing on the email’s design, and always enter your login information only through the official app or website. This simple verification habit is the most basic defense against account hijacking.