Phishing Scams In 2022

Phishing is a type of social engineering attack, which is often used to steal user data, including login credentials and credit card numbers. Phishing describes a set of activities in which a scam artist attempts to get you to divulge sensitive personal information through various forms of deception. 

This happens when an attacker, often masquerading as a known colleague, friend or other trusted connection, tricks a victim into opening an email, instant message, or text message. The recipient is then tricked into clicking a link, which often leads to the installation of malware that locks the system as part of a ransomware attack. 

Once obtained, the scam artist will use or sell your information for profit, or use it to bolster more advanced scamming strategies. Most phishing campaigns embed links to landing pages that steal login credentials, or send emails with malicious attachments that install malware. A popular current method is for hackers to impersonate cyber security companies in callback phishing emails to gain initial access to corporate networks. 

Microsoft has disclosed that a large-scale phishing campaign targeted over 10,000 organisations since September 2021 by hijacking Office 365's authentication process even on accounts secured with multi-factor authentication (MFA). "The attackers then used the stolen credentials and session cookies to access affected users' mailboxes and perform follow-on business email compromise (BEC) campaigns against other targets," the company's cyber security teams published in a report.

“Phishing remains one of the most common techniques attackers use in their attempts to gain initial access to organisations.” 

However, over the past year, threat actors have increasingly used "callback" phishing campaigns that impersonate well-known companies requesting you call a number to resolve a problem, cancel a subscription renewal, or discuss another issue.

Bitcoin’s enduring popularity and peak valuation in 2021 have only encouraged attacks on crypto exchanges, the use of crypto mining malware, and scams and malware targeting crypto-currency wallets. From fans of the K-Pop band BTS being tricked into following crypto-related Twitter handles to fake initial coin offerings (ICOs), the popularity of crypto currency provides scammers with many opportunities.

With ransomware attacks up 32% on businesses and 38% on individuals from last year, companies that fail to use security tools or properly configure their VPNs could be especially at risk. Compared to past scattershot approaches, there is a concerted effort by cyber criminals to go after larger, more valuable targets by using advanced techniques like deep-faking audio from employees, managers, and executives. 

Other examples of trending cyber crime include fake delivery to acquire personal information, sextortion scams that prey on the target’s guilt and social standing, and ever-classic tech support scams. 

Phishing Comes In Different Forms

Phishing scams are often aimed at a large group on the assumption that at least one member will be tricked into taking the “hook”. Rather than focusing on a particular target, basic phishing casts a vast net using tools such as emails with malicious attachments, social media messages, SMS, phone calls, and even fake websites impersonating companies and organisations. 

Once the prospective victim opens the corrupted file or link, the scammer uses this opportunity to obtain personal or financial information, download malware onto their PC, steal their identity, and so on.

Spear Phishing

Much like the fishing analogy above, spear phishing requires a lot of dedication and a single-minded focus on one target; ideally, by the time the quarry is aware of the attacker's intentions, it is already far too late to react. 

As opposed to the broad approach taken by generic phishing, spear phishing involves an extraordinarily realistic and well-crafted effort to compromise the information security of specific individuals or organisations. 

Furthermore, spear phishing scams can be exceedingly difficult to detect and stop because of the effort to make them appear as plausible and credible as possible.

Whaling

Whaling is a highly targeted phishing attack, aimed at senior executives, masquerading as a legitimate email. Whaling is digitally enabled fraud through social engineering, designed to encourage victims to perform a secondary action, such as initiating a wire transfer of funds. Whaling does not require extensive technical knowledge yet can deliver huge returns. As such, it is one of the biggest risks facing businesses. 

Whaling emails are a form of social engineering which aims to encourage the victim to take secondary actions such as:

  • Clicking on a link to a site which delivers malware.
  • Transferring funds to the attacker's bank account.
  • Providing additional details about the business or individual in order to conduct further attacks.

Given the level of wealth and influence of a given whale, it is improbable that even more technologically advanced tactics like faking email addresses or creating a fake website will be successful. So instead, a common tactic is getting the whale to submit a fake tax form full of valuable information, including Social Security numbers, bank account details, addresses, legal names, and much more.

Initially, whaling emails were not much harder to identify than their less targeted phishing counterparts. However, the adoption of fluent business terminology, industry knowledge, personal references and spoofed email addresses has made sophisticated whaling emails difficult for even a cautious eye to identify. 

Highly targeted content is now combined with several other methods which executives should be aware of to reduce their chances of falling victim to a whaling attack. Crucially all these developments either exploit existing trusted relationships, or combine a cyber attack with non-cyber fraud tactics.

Vishing

Vishing is a combination of phishing and a phone scam which is designed to get you to share personal information. In 2018, phishing crimes cost victims $48 million, according to the FBI’s Internet Crime Complaint Center.

Vishing involves using voice over Internet protocol (VoIP) services to spoof the phone numbers of family, friends, loved ones, businesses, government officials, and more. By impersonating such figures, scammers will attempt to get the victim to divulge valuable information, purchase gift cards or money orders, raise bail money, pay supposedly owed back taxes, or act on any number of other pretences. Unfortunately, many victims of this tactic tend to be either older or simply unfamiliar with digital technology, leaving them vulnerable to phishing scams that rely on their emotional connections. 

This tactic is commonly used for short-term financial gain and long-term projects like identity theft, making vishing a valuable tool in the scam artist's toolbox.

During a vishing phone call, a scammer uses social engineering to get you to share personal information and financial details, such as account numbers and passwords. The scammer might say your account has been compromised, claim to represent your bank or law enforcement, or offer to help you install software. Warning: It's probably malware. Vishing is just one form of phishing, which is any type of message, such as an email, text, phone call or direct-chat message, that appears to be from a trusted source, but isn’t. The goal is to steal someone's identity or money.  

It’s getting easier to contact more people, too. Scammers can place hundreds of calls at a time using voice over Internet protocol (VoIP) technology and can spoof the caller ID to make the call appear to come from a trusted source, such as your bank.

'Sugar Daddy' Exploits

Sugar daddy scams are an increasingly common con in which men pose as sugar daddies online in order to access young women’s bank accounts and steal their money. The scam takes advantage of an existing arrangement in which older, richer people who identify as sugar daddies or mommies use their wealth to find companionship.

Sugar daddy scams can also be designed to exploit women in precarious financial situations or those looking to achieve an otherwise unobtainable standard of living. 

Primarily carried out on social media platforms, these cyber criminals open conversations with prospective victims by offering a weekly or monthly allowance for companionship. However, before they can begin to receive such an allowance, the victim must first share information for their Venmo, PayPal or other online payment accounts and deposit a sum in the scammer's account for "verification." 

This scam can be awful for the victim, who may not seek any assistance due to the illicit or embarrassing nature of such relationships. As a general rule, it’s safe to assume that whenever something seems too good to be true, that’s usually the case. 

Here are a few additional steps that you can take to prevent yourself from being scammed:

  • Don’t answer messages from people you don’t know. If you’re in doubt, look into their profile to see if there's anything fishy about it.
  • Ignore any messages promising free money. Plain and simple.
  • Don’t give your personal details to strangers. You wouldn’t do it in person, so why do it on the Internet?
  • Do your research. If you’d like to validate any message that you receive, there are plenty of resources from other people who have encountered similar types of scams. Read through forums and relevant online groups to obtain more information.

Sextortion Email Fraud

Much like the previous category of scams, sextortion is notorious for the disastrous real-world consequences it can wreak, including several cases of suicide involving victims of just such a blackmail scheme. Like vishing, sextortion depends on the victim not being familiar with technology and relies on social engineering techniques to intimidate victims into giving up valuable information or making regular payments. 

This scam generally starts with an email containing digital footage or images of the victim using their webcam, screenshots of their computer screen, and other compromising pictures and information. 

Schemers convince the victim that they own the photos or recordings and threaten to send them to their friends, family, and employers or to spread them across various social media platforms. The scammers are almost always bluffing, but many victims are unwilling to risk refusing their demands when facing 48-hour deadlines to pay the blackmail or be exposed.

Crypto Currency Scams

Regardless of the long-term performance of the crypto-currency market, one indisputable fact is that scammers will soon follow wherever crypto-currency goes. Prominent examples of these scams range from spoofing tweets from major crypto promoters to infiltrating entire communities built around crypto-currency before robbing them blind. 

Fortunately, one of the easiest, and cheapest, ways to avoid falling for a crypto-currency scam is to use thoughtful judgement. Other effective scam prevention methods include the use of multi-factor authentication services for online crypto wallets and avoiding conducting trades via your mobile device.

Tips For Avoiding Phishing Scams

As antivirus and anti-malware protections continue to strengthen and improve, phishing scammers are forced to become equally creative in their attempts to separate you from your money, valuable data, and even your identity. 

Although the exact methods vary from scammer to scammer, there are commonly used tricks that phishers will employ using email and SMS:

  • Sending you a spoofed message from a legitimate company saying there is a billing issue.
  • Unprompted “Reset Your Password” emails.
  • A random text message with an attachment claiming you have money from your latest tax return.
  • Account cancellation notifications pending the confirmation of your personal details.
  • Fake forms, surveys, and invoices to encourage you to enter valuable information.
  • Free giveaways and coupons for expensive goods and services.

Fortunately, there are things you can do in your daily online activities to help prevent yourself from being phished, including:

  • Taking a moment to examine the email or message for any misspellings or the lack of a business greeting.
  • Ensuring that your smartphone, PC, tablet, or other electronic devices are set up for automatic security updates.
  • Purchasing robust antivirus and anti-malware software to protect valuable data.
  • Using multi-factor authentication wherever possible to reduce the likelihood of your accounts being compromised.
  • Creating backups of your data using external hard drives or cloud computing services.
  • Never sending information like your credit card number or Social Security number via email or text.
  • Not clicking on suspicious links or opening attachments in unexpected emails, and using spam filters.
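As an added illustration (not part of the original article), the checks below turn several of the tricks and tips listed above into code that a mail gateway or help desk could run over a suspicious message: a Reply-To that routes replies to a different domain than the visible sender, an attachment type that executes code, a link whose visible text shows one domain while pointing at another, and the lure phrases (billing issue, password reset, account cancellation, tax return, giveaway) the article names. The sample message, the domain names and the lure list are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Lures taken from the article's list of common tricks; extensions that execute code.
LURE_PHRASES = ("billing issue", "reset your password", "account cancel", "tax return", "giveaway")
RISKY_EXTENSIONS = (".exe", ".js", ".scr", ".hta", ".iso", ".docm", ".xlsm")
ANCHOR_RE = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

# Constructed sample, not a real message: billing lure, mismatched Reply-To, deceptive link, script attachment.
SAMPLE = """\
From: Example Bank <alerts@bank.example>
Reply-To: support@bank-verify.test
Subject: Action required: billing issue on your account
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>Please <a href="http://bank-verify.test/login">https://www.bank.example/login</a> to reset your password.</p>
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice.js"

--b1--
"""

def domain_of(value):
    # Lowercase domain of an e-mail address or URL; '' when there is none.
    if "@" in value:
        return value.rsplit("@", 1)[1].lower()
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()

def phishing_indicators(raw_message):
    """Return human-readable indicators found in a raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    found, body = [], msg.get("Subject", "") + "\n"
    from_dom, reply_dom = (domain_of(parseaddr(msg.get(h, ""))[1]) for h in ("From", "Reply-To"))
    if reply_dom and reply_dom != from_dom:      # replies silently routed to another domain
        found.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    for part in msg.walk():
        name = part.get_filename() or ""
        if name.lower().endswith(RISKY_EXTENSIONS):
            found.append(f"risky attachment {name}")
        if part.get_content_type() in ("text/plain", "text/html"):
            body += part.get_payload(decode=True).decode("utf-8", "replace")
    for href, text in ANCHOR_RE.findall(body):   # visible URL vs. real target
        shown = text.strip()
        if shown.lower().startswith(("http", "www")) and domain_of(shown) != domain_of(href):
            found.append(f"link shows {domain_of(shown)} but points to {domain_of(href)}")
    found += [f"lure phrase '{p}'" for p in LURE_PHRASES if p in body.lower()]
    return found
```

Running `phishing_indicators(SAMPLE)` reports all five indicators for the constructed message; a plain message from a single domain with no lures yields an empty list. These are heuristics for triage, not proof of phishing.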

Report Scams

Like many forms of intimidation, frauds like these are most effective when their victims are too afraid or embarrassed to speak out. However, by having the courage and bravery to share your story with others, you can help prevent it from happening to someone else. 

If you have been a victim of cyber criminals or online scammers, Avast has excellent resources to help you report the scam to the relevant authorities in both the US and UK so you can get the help you deserve. In the United States, you should start by reporting a phishing scam to your local police department to determine if a particular region is being targeted. In Britain the first step is to report the crime to Action Fraud.

Depending on the type and scale of a phishing scam, it will likely be necessary to involve the relevant local law enforcement authorities to report the fraud. 

References: Avast, Microsoft, Bleeping Computer, The Hacker News, NCSC, Norton, MakeUseOf, Grazia Daily.
