Could You Outsmart a Phishing Scam?

Top Trends in Phishing Scams

While you may be able to discern that an email containing a plea for help from a cash-strapped foreign diplomat is a scam, today’s phishing scams are becoming so complex they are often indiscernible. If you received an email from your manager asking you for information or assigning you a task, would you question it or just do as you’re told? If a retailer like Amazon sent you a message saying there was a problem with your payment method, would you click the link and update your details to ensure your Prime membership continued without a hitch? Or if a vendor you regularly work with sent a message to say your organisation had an outstanding balance, would you apologise for the oversight and sort out payment immediately?

Today’s phishing schemes may not be elaborate, but they are often effective because they so closely mimic the types of correspondence we tend to never think twice about. Attackers have begun targeting their attacks more effectively by disguising them as facets of our everyday lives. That is what makes them so much harder to spot than the scams we’ve come to know, and why so many individuals and organisations fall victim to phishing each year.

Even if you think you’d be able to outsmart an attack, you can never be too careful. These are some of the top trends with phishing scams to be aware of:

• Business email compromise (BEC) attacks: In these scams, the attacker creates a domain similar to the company they’re targeting or spoofs their email address in order to con users into releasing information or taking some sort of action. Basic versions of these attacks that have been popular in recent years involve the attacker posing as someone in a managerial position and instructing an employee to purchase gift cards for a charitable endeavour or event. In more complex versions, BEC attackers may use the actual inbox of the person they’ve compromised rather than impersonating them, or they may pretend to be associated with a third-party contract that requires to payment. Regardless of the form they take, these types of attacks are some of the most common enterprise cyber security threats.

• ‘Whaling’: Often, BEC attacks are facilitated by a phishing practice called whaling. These attacks specifically target high-level executives in the business to gain access to their credentials. Rather than being a request from someone else in the organisation, often the content of these scam emails will be written as a legal subpoena, customer complaint, or other issue that would be of high importance to a senior executive. This may provide the financial information the attacker is after, give access to the login details needed for a BEC scheme, or create the opportunity for a ransomware attack.

• Payment scams: Beyond impersonating individuals within the organisation, it is becoming increasingly common for attackers to pose as the business’s vendors, which makes it easy to operate a payment-focused scam. In an invoicing phishing scam, the attacker sends an email stating that you have an outstanding balance with a known vendor or company. In similar payment scams on an individual level, the attacker may pose as a retailer you often shop with and notify you that there was a problem with your purchase. In both scenarios, the attacker will provide a link for you to remedy the situation all whilst capturing your details.

• Spear phishing: While payment scams do require some knowledge of the business’s vendors or the individual’s shopping habits, phishing schemes can get even more personal. Spear phishing uses highly customised content to lure the target of the attack to interact. This intricate form of phishing typically requires the attacker to do a fair amount of reconnaissance work, usually by surveying social media and other information sources related to their intended target. The result is a message that seems far too credible to possibly be false, with a phishing link or malware-infected attachment included.

• Current events-focused scams: Attackers will often take advantage of the news cycle to shape their scams. For example, Ofcom received reports of numerous scams related to coronavirus throughout the pandemic. These included calls and texts claiming to be from the Government, the recipient’s GP, the NHS, or the World Health Organisation (WHO) that usually claimed to have test results, vaccine sign up information, or even cures for the virus. Mere days after the Omicron variant began making the news in early December 2021, consumer watchdog Which? reported a scam involving messages doctored to look as though they came from the NHS offering free PCR tests for the variant. But it’s not just the news that scammers act on. It is not uncommon for phishing scams to use current pop culture trends to their advantage. For example, when Netflix’s Squid Game was released and trending, several phishing scams emerged offering targets the chance to play an online version of the series’ titular competition. While this type of scam may not work on everyone, it would certainly appeal to fans.