Could You Outsmart a Phishing Scam?
We’ve all had it happen. You receive an email telling you that you’ve won a prize draw you never entered or a foreign prince wants to transfer you a huge sum of money and needs your bank details. These obvious scams can be spotted from a mile away and are what we tend to think of when we think of phishing, but it’s not always that apparent.
Over the years, phishing scams have become harder to detect and many have fallen victim as a result. Research has found that one in every 3,722 emails in the UK is a phishing attempt, and nearly 55% of the UK’s total email traffic is spam. In fact, around half of cyber attacks in the UK involve phishing, which is roughly 20% higher than the global average. The Government’s 2021 Cyber Security Breaches Survey put the figure higher still: of the businesses that had identified a breach or attack, 83% reported phishing attempts.
If phishing has been around as long as we’ve had email, how is it that these stats are so high? How do we keep falling victim? Surely we should know better by now? The truth is, these scams aren’t always as easy to spot as we might assume and as we’ve wised up to these attempts, those behind the attacks have gotten smarter as well. Could you really outsmart a phishing scam if faced with one?
Top Trends in Phishing Scams
While you may be able to discern that an email containing a plea for help from a cash-strapped foreign diplomat is a scam, today’s phishing scams are often hard to tell apart from legitimate correspondence. If you received an email from your manager asking you for information or assigning you a task, would you question it or just do as you’re told? If a retailer like Amazon sent you a message saying there was a problem with your payment method, would you click the link and update your details to ensure your Prime membership continued without a hitch? Or if a vendor you regularly work with sent a message to say your organisation had an outstanding balance, would you apologise for the oversight and sort out payment immediately?
Today’s phishing schemes may not be elaborate, but they are often effective because they so closely mimic the types of correspondence we tend to never think twice about. Attackers have learned to disguise their messages as the routine correspondence of work and everyday life. That is what makes them so much harder to spot than the scams we’ve come to know, and why so many individuals and organisations fall victim to phishing each year.
Even if you think you’d be able to outsmart an attack, you can never be too careful. These are some of the top trends with phishing scams to be aware of:
- Business email compromise (BEC) attacks: In these scams, the attacker registers a domain that closely resembles the target company’s, or spoofs a legitimate email address, in order to con users into releasing information or taking some sort of action. Basic versions of these attacks that have been popular in recent years involve the attacker posing as someone in a managerial position and instructing an employee to purchase gift cards for a charitable endeavour or event. In more complex versions, BEC attackers may send from the actual inbox of the person they’ve compromised rather than impersonating them, in which case the sender address is genuine and only confirming the request through another channel will catch it; or they may pretend to be associated with a third-party contract that requires payment. Regardless of the form they take, these types of attacks are some of the most common enterprise cyber security threats.
- ‘Whaling’: Often, BEC attacks are facilitated by a phishing practice called whaling. These attacks specifically target high-level executives in the business to gain access to their credentials. Rather than being a request from someone else in the organisation, often the content of these scam emails will be written as a legal subpoena, customer complaint, or other issue that would be of high importance to a senior executive. This may provide the financial information the attacker is after, give access to the login details needed for a BEC scheme, or create the opportunity for a ransomware attack.
- Payment scams: Beyond impersonating individuals within the organisation, it is becoming increasingly common for attackers to pose as the business’s vendors, which makes it easy to operate a payment-focused scam. In an invoicing phishing scam, the attacker sends an email stating that you have an outstanding balance with a known vendor or company. In similar payment scams on an individual level, the attacker may pose as a retailer you often shop with and notify you that there was a problem with your purchase. In both scenarios, the attacker provides a link to “remedy” the situation, and the page it leads to captures your payment or login details.
- Spear phishing: While payment scams do require some knowledge of the business’s vendors or the individual’s shopping habits, phishing schemes can get even more personal. Spear phishing uses highly customised content to lure the target of the attack to interact. This intricate form of phishing typically requires the attacker to do a fair amount of reconnaissance work, usually by surveying social media and other information sources related to their intended target. The result is a message that seems far too credible to possibly be false, with a phishing link or malware-infected attachment included.
- Current events-focused scams: Attackers will often take advantage of the news cycle to shape their scams. For example, Ofcom received reports of numerous scams related to coronavirus throughout the pandemic. These included calls and texts claiming to be from the Government, the recipient’s GP, the NHS, or the World Health Organisation (WHO) that usually claimed to have test results, vaccine sign up information, or even cures for the virus. Mere days after the Omicron variant began making the news in early December 2021, consumer watchdog Which? reported a scam involving messages doctored to look as though they came from the NHS offering free PCR tests for the variant. But it’s not just the news that scammers act on. It is not uncommon for phishing scams to use current pop culture trends to their advantage. For example, when Netflix’s Squid Game was released and trending, several phishing scams emerged offering targets the chance to play an online version of the series’ titular competition. While this type of scam may not work on everyone, it would certainly appeal to fans.
What to Do
Phishing scams have certainly become more realistic, but there are some very simple steps you can take to avoid them. These practices may seem a bit like common sense, but lack of attention to detail is exactly what these attackers prey on. Becoming a bit more tuned in can go a long way for protecting yourself and your organisation.
For starters, if you receive an email that claims to be from someone you know, work with, or normally deal with, and it asks you for information or to complete a task that seems a bit odd, it is always worth confirming with that person through a different channel (a phone call or a message in a system you already trust, not a reply to the email itself). It is also worth checking the actual email address of the sender, not just the name shown. We tend to take the displayed name at face value, and many mail clients, particularly on phones, show nothing else by default, which is how these scams slip through. Many attackers simply set the display name to a trusted person or brand and leave the real address untouched; others use a look-alike domain that differs from the genuine one by a single character.
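The sender checks described above, together with the look-alike domains described under business email compromise, can be partly automated. The Python below is an added example written for this article, not Razorthorn’s tooling: it parses a message’s From and Reply-To headers, flags a display name that names a brand or is itself a different address from the real sender, spots digit-for-letter look-alike domains, and warns when replies are redirected to another domain. The trusted-domain list and the sample headers are constructed assumptions for illustration.

```python
"""Flag display-name spoofing, look-alike sender domains and Reply-To redirection
in an email's headers.

Added example for this article, not Razorthorn's tooling. The brand list,
trusted domains and sample headers are constructed for illustration.
"""
import re
import unicodedata
from email import message_from_string
from email.utils import parseaddr

# Constructed: brand names we expect in a display name -> domains that legitimately
# send for that brand. A real deployment would load this from configuration.
TRUSTED_DOMAINS = {
    "amazon": {"amazon.co.uk", "amazon.com"},
    "nhs": {"nhs.uk", "nhs.net"},
}

# Digit substitutions commonly used to spell a brand into a look-alike domain.
DIGIT_TO_LETTER = str.maketrans("013457", "oleast")


def sender_domain(address: str) -> str:
    """Lower-cased domain part of an address; '' if there is none."""
    if "@" not in address:
        return ""
    return address.rsplit("@", 1)[1].lower().rstrip(".")


def normalise_label(domain: str) -> str:
    """Collapse a domain into a comparable string: fold compatibility Unicode
    with NFKC, map digits back to the letters they imitate, and drop hyphens,
    dots and anything else that is not a letter.
    'amaz0n-billing.com' -> 'amazonbillingcom'"""
    folded = unicodedata.normalize("NFKC", domain).lower()
    return re.sub(r"[^a-z]", "", folded.translate(DIGIT_TO_LETTER))


def analyse_headers(raw_headers: str) -> list[str]:
    """Return human-readable warnings for one message's headers.
    An empty list means none of these simple checks fired; it is not proof that
    the message is genuine (mail from a compromised real mailbox passes all of them)."""
    msg = message_from_string(raw_headers)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = sender_domain(from_addr)
    findings = []

    # 1. Display name that is itself an address, differing from the real sender:
    #    From: "jane.doe@example.com" <jd.ceo2021@freemail.example>
    if "@" in display_name and display_name.lower() != from_addr.lower():
        findings.append(
            f"display name '{display_name}' is an address, but the real sender is {from_addr}")

    # 2. Brand named in the display name, or spelled into the domain itself,
    #    while the real domain is not one we trust for that brand.
    name_l = display_name.lower()
    dom_label = normalise_label(from_dom)
    for brand, domains in TRUSTED_DOMAINS.items():
        if from_dom in domains or any(from_dom.endswith("." + d) for d in domains):
            continue  # genuinely sent from the brand's own domain
        if re.search(rf"\b{re.escape(brand)}\b", name_l):
            findings.append(f"display name mentions '{brand}' but sender domain is {from_dom}")
        if from_dom and brand in dom_label:
            findings.append(
                f"sender domain {from_dom} imitates '{brand}' but is not a trusted {brand} domain")

    # 3. Reply-To pointing elsewhere: the reply (and the payment) goes to the attacker.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_dom = sender_domain(reply_addr)
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    return findings


# Constructed sample headers (the .example TLD is reserved and never resolves).
SAMPLES = {
    "genuine": "From: Amazon.co.uk <shipment-tracking@amazon.co.uk>\n"
               "Subject: Your order has been dispatched\n",
    "lookalike_brand": 'From: "Amazon Customer Service" <no-reply@amaz0n-billing.com>\n'
                       "Subject: Problem with your payment method\n",
    "spoofed_exec": 'From: "jane.doe@example.com" <jd.ceo2021@freemail.example>\n'
                    "Reply-To: finance.team@another-host.example\n"
                    "Subject: Need gift cards for the charity event today\n",
}

if __name__ == "__main__":
    for label, headers in SAMPLES.items():
        print(label, "->", analyse_headers(headers) or ["no findings"])
```

A clean result from checks like these is a reason to relax slightly, not a verdict: the compromised-mailbox variant of BEC passes every one of them, which is why the out-of-band confirmation described above remains the decisive step for any unusual request.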
You would also be surprised how many attackers make other simple mistakes that undermine the believability of their schemes. Genuine email from Amazon, the NHS, or any other major organisation rarely contains obvious typos, grammatical errors, or generic greetings such as “Dear customer”, so treat mistakes like these as a red flag. The reverse does not hold: a polished, error-free message is not evidence of legitimacy, since attackers increasingly copy real templates word for word.
Of course, having the right security infrastructure can help make it harder for attackers to gain access. You need to have the right software in place if an attack should slip through your first line of defence. This is where Razorthorn can help. We offer various services to help build and protect your infrastructure including phishing education for staff, phishing solutions and managed phishing services. Get in touch to learn more.