Email phishing attacks continue to plague companies of all sizes, with over 75% of organizations reporting that they experienced an attack in 2017, and nearly half stating they believe the rate of attacks is increasing. Phishing, of course, is when a cyber-criminal sends emails designed to trick someone out of money or confidential information, either through a link to a phony website, or by posing as a trusted individual and requesting it (you can read more about the four most common methods and how to avoid them in our recent story). Here are eight of the most popular phishing scams currently being executed.
Top 8 Phishing Scams Happening Now
1. Account Notification
The most common phishing scam, account verification, is when you receive a phony email designed to look as if it came from a popular retailer like Walmart, or social network such as Facebook, complete with corporate logos to make it more convincing. The email will inform you that there is an issue with your account that needs to be taken care of immediately, and provides a link to fix the problem. Clicking the link takes you to a fake website that mimics the one you’d normally log in to. Once you’ve plugged in your username and password, the cyber-criminal has your information and can use it to log in to your real account and make purchases or cause havoc.
2. File Sharing
You’ve probably shared or received documents with co-workers in the past, or perhaps photos with friends or family. Most file sharing occurs in the cloud on sites such as Dropbox, Google Docs, or Office 365, but there are others, such as Snapfish. In this scam, cyber-criminals send an email posing as one of these services, stating that someone you know is trying to share a file. Of course, once the link is clicked, your login information is stolen, or a virus infiltrates your computer.
3. Package Delivery
Similar to an account notification scam, this is when you receive an email from a delivery service such as FedEx or UPS, again with official-looking logos, and a convenient clickable link. The email will tell you that a package is being delivered to you, or that you’ve missed a delivery, and that you should click the link for more details. Once you’ve logged in, the criminal has access to your information (variations on this involve an attachment which, when opened, infects your device with malware). This scam is especially popular around the holidays, when people tend to receive many packages.
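Scams 1 through 3 share one mechanism: a link whose sender, anchor text or URL invokes a familiar brand, but whose host is not that brand's real domain. The following added example, which is not from the original article or from DSM, is a defender's mail-filter check that flags such mismatches; the brand-to-domain allow-list and the sample email are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list for this example: brands named on the page, mapped to the domains the real services use.
LEGIT_DOMAINS = {
    "walmart": {"walmart.com"},
    "facebook": {"facebook.com", "fb.com"},
    "dropbox": {"dropbox.com"},
    "fedex": {"fedex.com"},
}

class LinkCollector(HTMLParser):
    """Collects (href, visible anchor text) pairs from an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable_domain(host):
    """Last two labels of a hostname: 'fedex.com.evil.example' -> 'evil.example'."""
    return ".".join(host.lower().split(".")[-2:])

def suspicious_links(from_addr, html_body):
    """Flag links that invoke a known brand (in sender, link text or URL) but lead elsewhere."""
    collector = LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        link_domain = registrable_domain(urlparse(href).hostname or "")
        for brand, domains in LEGIT_DOMAINS.items():
            claimed = any(brand in s.lower() for s in (from_addr, text, href))
            if claimed and link_domain not in domains:
                findings.append((brand, href))
    return findings

# Constructed sample: a package-delivery lure whose "reschedule" link uses a look-alike host.
SAMPLE_FROM = "FedEx Delivery <notice@fedex-tracking-alerts.example>"
SAMPLE_BODY = """<p>We missed you! Your FedEx package could not be delivered.</p>
<a href="http://fedex.com.track-updates.example/login">Click here to reschedule</a>
<a href="https://www.fedex.com/privacy">Privacy policy</a>"""
```

The genuine privacy-policy link passes while the look-alike login link is flagged; a production filter would use the Public Suffix List instead of the two-label shortcut in `registrable_domain`.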
4. Fake Invoices
Rather than including a link in an email, this scam sends an “invoice” attachment, claiming that you or your company owes money. It’s not uncommon for fake invoice scams to threaten legal action, or disconnection/discontinuation of a service. Of course, it’s not a real invoice, and opening the attachment unleashes malware into the system.
5. Tax Fraud
No one wants to cross the IRS, especially during tax season, and this phishing scam is banking on that. In the months leading up to April 15, scammers will send a phony, IRS-looking email claiming you owe taxes and are facing fines, liens against your property, or even imprisonment if you fail to pay up. This tactic is designed to steal money and personal information. Per the IRS website, it’s important to understand that “the IRS doesn't initiate contact with taxpayers by email, text messages, or social media channels to request personal or financial information.”
6. Donation Solicitation/Charity Scams
Considered the lowest-of-the-low, donation solicitation and charity scams take advantage of tragedies—as well as people’s goodwill. In the aftermath of any major event—this could be a hurricane, a terrorist attack, or any number of things—scammers claiming to be from a disaster relief fund or the Red Cross will solicit donations to aid “victims”. It usually begins with an email, and includes a link to a phony site where donated money goes right into the scammers’ duplicitous hands.
Some may call this attack ransomware because money is demanded, but this scam doesn’t encrypt your data and require payment for its release; instead, a phishing email is sent stating that the hacker has discovered compromising photos on your computer, or inappropriate websites in your browser history, and will release this information to family, friends, and colleagues unless payment, often in bitcoin, is received. This scam is fear-based, banking on the email recipients having visited an inappropriate site or possessing incriminating photos.
8. Event-Specific Attacks
Most phishing scams are evergreen, but more and more fraudsters are taking advantage of specific events and trends by developing “of-the-moment” phishing emails that catch people off guard. Here are three event-specific attacks that were popular in 2018:
GDPR phishing. When the European Union’s General Data Protection Regulation (GDPR) was coming into play, scammers sent emails stating that in order to comply with the new regulation, companies needed to update their privacy policies; malicious attachments or links with information on how to do so were, of course, included.
World Cup phishing. Sponsors of the Cup—and there were a lot—were notified that they were to receive prize money for their support. To collect the reward, personal information was required, and then subsequently stolen.
Political phishing. Russian voters received fake emails promising a reward for filling out a survey that was in the email. Bank or credit card information was needed to receive the reward, and once this information was supplied, the bank account was cleaned out, or the credit card was maxed out.
Unscrupulous scammers are preying on the innocent, so don’t be fooled—and be sure to review phishing scams with employees to ensure malware doesn’t get near your network. Again, you can find prevention techniques in our previous phishing story, and if you’re interested in the security of a predictable cloud provider, and protection from malicious attacks, contact the experts at DSM to learn more and schedule a free security vulnerability assessment.