Phishing has been around for a long time and has always proved an effective way to con people out of money and steal personal information. However, as our technological landscape has evolved, the phishing scams that we are seeing are increasingly more advanced and deceptive.
The attackers have honed their skills and adapted their scams to con as many people as they can across a range of different platforms. Kaspersky Lab noted a 59% increase in phishing attacks in 2017, and this figure is only expected to rise. The simple reason is because phishing works.
It’s low cost and high return on investment has made it had a very lucrative way to defraud people. Despite a greater general knowledge about phishing, millions are still falling for phishing scams on a daily basis.
The best way to avoid falling for a phishing scam is to know what they look like and what methods are used to target victims. Below are some of the most commonly used phishing scams used to target users across the world:
1. Deceptive Phishing
Deceptive Phishing is the most frequently used type of phishing scam. The aim of each phishing attack is to trick a victim into disclosing confidential information and it's typically carried out by impersonating a legitimate company or reputable source. These phishing emails often create a sense of urgency, so the user feels compelled to reply to the email as soon as possible.
In recent years, phishing scams have become increasingly more sophisticated and difficult to spot. Spelling mistakes and grammatical errors often alert users to the presence of a phishing scam, but today’s phishing emails are well crafted and often difficult to distinguish from the real deal.
Deceptive phishing emails take many different forms, but most will try and trick a user into resolving an account issue such as updating payment information or preventing closure of an account by clicking on a link. As soon as a victim clicks on a link, they are often directed through to an almost identical fake site that will steal their personal and financial information.
Deceptive phishing attacks often imitate big brand companies such as PayPal, Netflix, Apple and Amazon, as there is a higher chance of more people falling for the scam. Users should always be wary of emails with a generic greeting, urgent and threatening language, spelling mistakes, a mismatched URL, or requests for personal information.
2. Spear Phishing
Some of the biggest cyber-attacks in recent years have all started with a single spear phishing email. Spear Phishing is a more targeted attempt to steal sensitive information and typically focuses on a specific individual or organisation. A lot more thought and time will go into the crafting of a spear phishing attack and the fraudsters will try to find out as much information as they can about their victim to make the emails appear as legitimate and convincing as possible.
They will often turn to company websites and social media to research their victims and once they have a better understanding of their target, they will start to send personalised emails designed to trick their victim into divulging sensitive information.
Spear Phishing attacks can take many different forms. Some will try and get a victim to click on a link that downloads malware, others may request login details, or they may be directed through to a site that contains advertisements or keylogging software.
Traditional security measures can prove totally ineffective at detecting spear phishing emails so it’s vital that users remain vigilant to this attack method and double check the validity of any emails they believe to be suspicious.
3. Social Media Phishing
There has been a steep increase in the number of phishing scams carried out on social media. A recent report from RiskIQ found a 100% increase in phishing attacks taking place across social media platforms. Social Media Phishing is when attackers use social media sites such as Facebook, LinkedIn or Twitter, to trick users into clicking on malicious links or revealing personal information.
Social Media sites are proving to be a lucrative hunting ground for attackers as they can find a wealth of information about potential victims before launching a targeted attack. Users will also tend to be more trusting and less suspicious about links within messages on social media, leaving them more vulnerable to attack.
With consumers increasingly interacting with brands through their social media channels, fraudsters have been quick to take advantage of this online relationship to launch fake accounts impersonating major brands. Research from Proofpoint found that 19% of social media accounts appearing to represent top brands were all fake.
For increased protection against social media phishing scams, users should always use enhanced privacy settings, don’t click on suspicious links, never accept friend requests from someone you’re not familiar with, and be careful about sharing too much personal information.
Image: Fake Facebook link
4. Malware Based Phishing
Cyber criminals use a range of phishing attacks to steal personal and financial information, and malware-based phishing has proved an extremely effective way to target victims and launch large scale cyber-attacks.
Malware based phishing is when an attacker sends an email attachment or downloadable file that once clicked, will infect a computer with a virus, ransomware or other malicious programmes. This is exactly what happened in the infamous WannaCry attack that affected more than 200,000 victims in 150 countries after their computers were infected with the malicious software.
Users need to be extremely cautious about clicking on links or opening attachments in emails from unknown sources.
5. File Sharing Scams
File Sharing services such as Google Docs and Dropbox have become a very effective way to target users with phishing scams. The sites are frequently used by businesses, so they tend not to get blocked and are in turn used as bait in phishing attacks.
In 2017, around one million Google Docs users got hit with a phishing scam that stole their personal details after they clicked on a phishing link. Victim’s received an email saying: “xxx has shared a document on Google Docs with you”, this in turn lead users to a fake Google login page. The scam appeared entirely legitimate as it was hosted on Google’s servers, but as soon as users entered their password, they were redirected through to a malicious third-party site.
It cannot be stressed enough, that users should always be extra vigilant about clicking on links and downloading attachments from unknown sources. Two-factor authentication can also be used to provide an extra layer of defence in protecting the security of online accounts.
Despite the increasing sophistication of phishing attacks there are a number of ways you can protect yourself online. MetaPhish has been specifically designed to protect businesses from phishing and ransomware attacks and provides the first line of defence in combatting cyber-crime. Get in touch or further information on how we can help your business.