Top Phishing Scams Continue to Improve and Grow

March 27, 2020

Much to our dismay, cybercrooks keep finding ways to improve the phishing tools they have and to add new and sneakier methods of thievery. Organizations and individuals are both targets, and money, identities, credentials, and more are stolen from them every day. Even cyber-savvy users can get caught in phishing scams if they don’t pay close attention to the signs and signals that something isn’t quite right. Reviewing the most pervasive phishing scams is always recommended because an educated user can be the best tool against the many forms that phishing takes.

Email Phishing

Email phishing is currently the most popular type of phishing lure, and it lurks in almost every inbox. Fake domain names and redirected URLs are just a few of the ways phishing emails get opened and acted on. The subject line and content are designed to get a response and gain the trust of recipients by appearing legitimate. Sneaky crooks use every trick in the book to scam their way into your trust, hoping you’re not paying close attention to detail.

  • Closely examine URLs, including spelling. Fraudsters transpose, add, and delete letters to sneakily misspell a web address that brings you to a bogus, exact duplicate website created solely to dupe users into believing it’s what they’re expecting to see. A subtle detail like leaving the “s” off of “https” in the URL is another red flag.
  • Avoid following links or opening attachments in emails. Instead, type the true URL for the website yourself, because links can easily and quickly redirect you to bogus websites and attachments can be loaded with malware. Be sure not to misspell the domain, to avoid the typosquatting attacks detailed below.
  • Don’t trust email senders; verify them, especially before providing any sensitive information at work and at home.

Spear Phishing

Spear phishing is a twist on email phishing that directly targets the recipient by name, known interests, work relationships, friendships, and other specific details about you. In another element of social engineering, scammers scour social media to learn about ways to target recipients and gain their trust. The public information is combined with data available from the many breaches, and then it is weaponized against you to develop specific and targeted email attacks.

  • Limit the information you post on social media, such as Facebook and Instagram, as well as on LinkedIn, and other websites that spear phishers look to exploit.
  • Use two-factor authentication (2FA) or multi-factor authentication (MFA) whenever possible. Each layer of verification ensures the right person is accessing accounts and not someone claiming to be you.
  • Using artificial intelligence (AI) tools helps alert you when an account has been compromised.

Whaling

Whaling is a type of spear phishing that targets those on upper levels of management and in control of funds. CEOs are not spoof-proof and are vulnerable to the same phishing tricks that target regular staff.

  • Verify that client certificates are legitimate.
  • Set email filters to a level that flags suspicious senders, even before they make it to an inbox.
  • Financial transactions should have the highest levels of verification, including face-to-face verification tools.

Smishing and Vishing

Smishing uses SMS and text messages as the lure. The message usually comes with a legit-looking link, even including the first or last few numbers of an account you have in the text message. Assuming it must be legitimate is the first step to compromising your account numbers and other confidential information.

Vishing attacks are voice calls, many of them robocalls, that often seek to worry and scare recipients into responding with the desired confidential information.

  • Never answer a text or phone call from a sender you can’t verify before supplying any information.
  • Hang up and redial the phone number directly. Chances are you’re a vishing target.
  • Never respond directly to a text message that’s looking for information or follow links in the text.
  • Go directly to the true source yourself to verify the sender. Look up the real phone number or website URL and input it yourself. That way you can tell if your personal information is truly needed and the request is legitimate.

Typosquatting

Also called URL or domain hijacking (do-jacking), typosquatting takes advantage of incorrect spellings for URLs, or typos a user makes without realizing it. Hackers sit on misspelled website addresses, just waiting for a bite. The most minor deviations in spelling can bring you to a look-alike, spoof website, many of which disappear immediately after stealing your payment card and other information.

  • Check and double-check URL spellings before connecting. Making sure every character, hyphen, and apostrophe is in place can save a lot of headaches.
  • Use previously bookmarked sites when possible.
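
The URL checks described under Email Phishing and Typosquatting (transposed, added, or deleted letters, and a missing “s” in “https”) can be automated against a list of sites you actually use. The sketch below is an added example, not part of the original article; the trusted domains, function names, and the two-edit threshold are all assumptions chosen for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist of sites the user really does business with (assumption).
TRUSTED = {"example-bank.com", "example.org"}

def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent transposition."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1,         # deleted letter
                          d[i][j - 1] + 1,         # added letter
                          d[i - 1][j - 1] + cost)  # substituted letter
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposed pair
    return d[-1][-1]

def check_url(url, trusted=TRUSTED, max_edits=2):
    """Return a list of warnings for a URL; an empty list means no red flag was found."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    warnings = []
    if parts.scheme != "https":
        warnings.append("not https")
    if host in trusted:
        return warnings  # exact match: spelling is correct
    for good in sorted(trusted):
        dist = osa_distance(host, good)
        if 0 < dist <= max_edits:
            warnings.append(f"looks like {good} ({dist} edit(s) away)")
    return warnings

if __name__ == "__main__":
    # Constructed sample links, as they might appear in an email.
    for link in ["https://example-bank.com/login",
                 "https://exmaple-bank.com/login",
                 "http://example-bank.com/"]:
        print(link, "->", check_url(link) or "no red flags")
```

An empty result only means the address is not a near-miss of a listed domain; it does not mean the site is trustworthy.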

Angler Phishing

The latest and fastest-growing phishing threat uses social media spoof sites to draw users into providing information that’s easily stolen. They often masquerade as social media customer service account sites that ask for sensitive information, often threatening to close the account or take other action if the data isn’t provided.

  • Address account issues only on the official social media website.
  • Look for an official blue check mark verification symbol, like those found on Twitter and Instagram messaging, when it makes sense that the account should have one.