Phishing scams have been around for as long as the internet, and have been considered a serious threat for close to two decades. However, the techniques that scammers use are constantly changing. It’s important, both on the individual and the company level, to stay up-to-date with new phishing scams and techniques that cybercriminals use to commit their crimes.
Since the first phishing scams were launched online, this kind of scam has been all about volume. Phishing scammers focused on targeting large numbers of people—the idea being that while only a small proportion of people fall for the scam, the volume of attempts made ensured that enough people were taken in to make the scam worthwhile.
These days, phishing scammers are also becoming more sophisticated in their techniques. Phishing attacks are becoming more targeted, and more specific to their victims. This means, of course, that it’s harder for victims to spot that they’re being targeted by scammers.
Phishing Scams to Watch for in 2019
The core of any phishing scam is an attempt to get the target to give out personal information such as bank account information, account login details, or credit card numbers. Historically, phishing scams have usually been initiated via email. However, as users have become more cautious about their email habits, scammers are starting to target people in other online locations. Email is no longer the only point of vulnerability.
Corporate credentials attacks
Webmail and software products, including Microsoft and Google products, are top of the list of phishing scam targets. If a scammer can obtain the Microsoft login data of just one employee, they can potentially gain access to the files and data of an entire organization.
For this reason, email-based corporate credential phishing attacks are rapidly becoming commonplace. These are phishing attacks that involve the use of fake or compromised login pages. In the corporate world, common targets include Office 365, OneDrive, and LinkedIn login pages.
Spear phishing
As the name suggests, this kind of phishing is a much more specific kind of operation, in comparison to email-based phishing. Spear phishing is about selecting a single target (either an individual or a company) and focusing efforts on compromising that target. To do this, scammers tailor email messages, for instance by impersonating an employee, to trick the target recipient into handing over sensitive information.
Current events-related scams
Some scams are based on current events. For instance, when GDPR was enacted, scammers posed as legitimate businesses and requested sensitive corporate information, claiming it was needed to ensure the company was compliant.
New apps equal new targets
The increasing popularity of messaging apps such as Facebook Messenger, Slack, and WhatsApp has given phishing scammers new locations for finding and targeting their victims. Many users mistakenly think of messaging apps as safe from scammers, but nothing is further from the truth. These messaging apps have very little in the way of security measures, so it’s important for users to be cautious in how they use them.
How to Avoid Becoming a Target
The internet, the technology driving it, and the people who use it, are all far more sophisticated than ever before. But so are the cybercriminals who develop and launch phishing scams online. It’s harder to stay safe online these days and spot phishing emails, as internet users must do more than ignore suspicious-looking emails. The following measures can help employees avoid being taken in, keeping both themselves and the organization safe.
Private information requests
Any email that requests private information should be viewed with caution, especially if the email is marked “urgent” or otherwise asks the recipient to act quickly. These emails use a sense of urgency to induce the recipient to take action without thinking critically about the email.
Instead of providing the information immediately, contact the relevant company directly and find out if the request is genuine.
Download links and requests
Both emails and websites can contain malicious download links that purport to contain important information. Malicious download links typically deliver malware of some kind, for instance viruses that record keystrokes, allowing a scammer to steal sensitive information such as credit card or bank account numbers.
Whether it’s within an email or on a website, users should not download anything unless they’re confident that it’s safe. If in doubt, don’t click the download link.
Email harvesting scams
Some scams “harvest” email addresses using bots that scan websites looking for text that uses the classic email format of firstname.lastname@example.org. Avoid this scam by writing email addresses as name [at] server [dot] com or something similar. People can read and understand it, but bots won’t recognize it as an email address.
It’s also important to be cautious about providing email addresses when they’re requested, for instance in email subscription boxes or credentials requests. Don’t provide email addresses if you’re in any way unsure about the origins of the request.
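The check below is an added example, not part of the original article: it audits a page you publish for addresses a harvesting bot could pick up, rewrites visible ones into the name [at] server [dot] com form, and reports addresses that remain exposed through mailto: links. The regular expression, function names, and sample page are assumptions made for illustration.

```python
import re

# Assumed pattern for what a harvesting bot looks for; real bots vary.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")
MAILTO_RE = re.compile(r"""href\s*=\s*["']mailto:([^"'?]+)""", re.IGNORECASE)


def obfuscate(address):
    """Rewrite user@host.tld as 'user [at] host [dot] tld'."""
    local, _, domain = address.partition("@")
    return f"{local} [at] {domain.replace('.', ' [dot] ')}"


def audit(html):
    """Return (harvestable addresses, addresses exposed via mailto: links)."""
    mailto = sorted({m.lower() for m in MAILTO_RE.findall(html)})
    found = sorted({m.lower() for m in EMAIL_RE.findall(html)})
    return found, mailto


def rewrite_visible(html):
    """Obfuscate addresses in the page, leaving mailto: hrefs for manual review."""
    def repl(match):
        # Skip matches that are the target of a mailto: link; rewriting
        # them would break the link, so audit() reports them instead.
        if html[max(0, match.start() - 7):match.start()].lower() == "mailto:":
            return match.group(0)
        return obfuscate(match.group(0))
    return EMAIL_RE.sub(repl, html)


# Constructed sample page; the addresses use the reserved example.org domain.
SAMPLE = (
    '<p>Sales: jane.doe@example.org</p>\n'
    '<p>Support: <a href="mailto:help@example.org">help@example.org</a></p>\n'
)

if __name__ == "__main__":
    before, links = audit(SAMPLE)
    cleaned = rewrite_visible(SAMPLE)
    after, _ = audit(cleaned)
    print("harvestable before:", before)
    print("still harvestable after rewrite:", after)
    print("mailto links to review:", links)
    print(cleaned)
```

Rewriting the visible text is not enough on its own: the address inside the mailto: link is still in the page source and still matches the pattern.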
Be wary of messaging apps
Messaging apps are increasingly targeted by scammers, so it’s important to be just as cautious with instant messages as you are with emails. Download links should be treated with care, especially if they’re unsolicited, and any download links that come from unknown senders should be avoided.
If you’re concerned about vulnerability to phishing attacks, contact ACUTEC today.