Although phishing scams have been around since the 1990s, the methods used by attackers have continued to evolve so that they remain one step ahead of users. These developments, combined with a global increase in online activity, have led to an influx of attacks, with phishing scams in the United States up 297 percent in 2018 compared to the previous year [1].
It is therefore crucial that consumers know how to spot a phishing scam and are able to adequately protect themselves from becoming yet another victim.
What Is a Phishing Scam?
Phishing scams attempt to get users to hand over personal information such as login credentials, bank details, or credit card numbers. They usually take place via email and involve scammers posing as legitimate, well-known companies or high-level individuals within the same company.
These emails can look authentic, with similar branding and typography, and may come from a contact address that closely resembles the company they’re impersonating. It is also common for scammers to set up fake sites for the companies they are impersonating which, if done well, can look uncomfortably like the real thing. This makes it easy for individuals to be lulled into a false sense of security and hand over details without ever suspecting they may be going to a criminal.
How Can Scammers Get My Email Address?
There are multiple ways scammers can obtain your email address, the most prevalent of which are listed below:
- Buying it illegally
- Dishonest “subscribe” boxes
- Harvesting programs (which use bots that crawl and scrape sites for email addresses)
- Data brokers
Other Forms of Phishing Scams
Phishing attacks can also involve getting a user to download malware. Pharming is a form of attack that relies on this method. A user downloads malware that has been disguised as an urgent update, attachment, pop-up, or even a PDF. This downloaded malware then redirects the user to a fake version of a legitimate website they are trying to access, in the hope that the user won’t notice the site’s illegitimacy and will give away their details when prompted.
Vishing is another form of attack, in which the scammer phones you directly. They may contact you requesting that you urgently pass over personal information. If this happens, find and call the listed customer service number for the company they claim to be from and alert them to the request you have received. They will be able to tell you whether or not it was legitimate.
Smishing is a form of phishing scam that uses text messages to lure users into giving away personal information. These text messages will usually be sent through an online service and will contain links to fake websites. If you receive a text from a number you do not recognize which contains a link, or claims to need your personal information, ignore it.
Phishing Trends to Watch Out for in 2019
1. Search Result Hijacking
Though email still remains the dominant mode of phishing attack, search result hijacking is becoming increasingly common.
Search result hijacking occurs after a user has accidentally downloaded malware. The malware alters the user’s browser settings so that they are forced to view ads or paid links, or to give up personal information. In this way, malware can redirect a user from a legitimate company website to a fake one before asking for personal details.
2. Topically Relevant Campaigns
Email campaigns can be based on recent events in order to take advantage of people’s excitement, confusion or both. In 2018, this method was used by attackers to great effect with the onset of GDPR.
A lot of businesses and individuals were unsure how the new legislation would affect them. This made it easy for attackers posing as legitimate businesses to request the handover of personal details, claiming it was necessary in order for them to remain GDPR compliant [2].
3. Software Targeting
Webmail and SaaS products were the top targets of phishing scams by the end of 2018 [3]. This may seem surprising, given that Office and G Suite credentials do not offer the same immediate profitability as a user’s bank details. However, if a scammer is able to obtain an employee’s Microsoft Word details, they can effectively gain access to the files of an entire organization and send further phishing scams to its employees.
4. Messaging Services
It is only logical that phishing scams would evolve from targeting emails to instant messaging services such as Slack, WhatsApp, and Facebook Messenger.
These services are widely but wrongly perceived as safer than email, when in fact they lack basic security measures such as malware scanning. Consequently, they have become a prime hunting ground for attackers looking to take advantage of users who have misplaced their trust in these services.
How to Avoid Falling Victim to a Phishing Scam
As technology has continued to develop, so has the tenacity and inventiveness of hackers. This means that staying safe online is no longer just a matter of ignoring emails from suspicious senders. Other, more preventative measures need to be taken.
Here are some current tips for avoiding phishing scams in 2019:
- If you receive an email that requests “urgent” private information and you are unsure whether to trust it, check directly with the company requesting the information. They will be able to tell you if they genuinely need anything from you.
- Never download anything without fully understanding what it is you are downloading, especially if a download request has appeared as a pop-up on an insecure site (non-HTTPS). If in doubt, do not download it as it may contain malware.
- To avoid being targeted via an email address harvesting program, do not advertise your address online in a way that can be copied (e.g., name@server.com). If you need to display your email address online, display it in the following format: “name (at) server (dot) com”. This will make it unreadable to bots but clear to users.
- Do not pass over email addresses to sites through credentials or subscription boxes that you are in any way unsure about. They may exist purely to harvest personal data for malicious targeting.
- Do not trust that a message is legitimate because it has been sent via a messaging app. These apps are just as likely to be targeted by scammers as your email address, meaning that all strange links and messages you receive should be viewed as suspicious.
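To show why the “(at) / (dot)” format recommended above defeats harvesting programs, here is an added Python example (not part of the original article): a typical scraper pattern finds plain addresses in page text but finds nothing once they are rewritten. The sample page text, the addresses, and the regular expression are all constructed for this example.

```python
import re

# A pattern of the kind an address-harvesting bot uses: anything that looks
# like user@host.tld in page text. Constructed for this example.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def harvest_emails(text: str) -> list[str]:
    """Return every plain email address a scraper would pull out of `text`."""
    return EMAIL_RE.findall(text)


def obfuscate_email(address: str) -> str:
    """Render an address as 'name (at) server (dot) com', the format the tips
    recommend. Every dot in the domain is spelled out, so multi-level domains
    such as mail.example.co.uk are handled too."""
    local, at, domain = address.rpartition("@")
    if not at or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    domain_words = " (dot) ".join(domain.split("."))
    return f"{local} (at) {domain_words}"


# Constructed sample page text: once as it would normally be published, and
# once with both addresses rewritten in the recommended format.
PAGE_PLAIN = "Contact: name@server.com or support@mail.example.co.uk for help."
PAGE_OBFUSCATED = (
    "Contact: " + obfuscate_email("name@server.com")
    + " or " + obfuscate_email("support@mail.example.co.uk") + " for help."
)

if __name__ == "__main__":
    print("scraper finds in plain page:     ", harvest_emails(PAGE_PLAIN))
    print("scraper finds in obfuscated page:", harvest_emails(PAGE_OBFUSCATED))
```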
While following these tips should help you avoid a phishing scam, they are by no means the only steps you should take to protect your online data. There are a multitude of other threats out there which need to be adequately protected against.
One security tool that will further protect your data is a VPN (Virtual Private Network). A VPN will encrypt your connection and prevent it from being monitored or compromised. This will stop you falling victim to man-in-the-middle or snooping attacks, which are common on public WiFi networks and allow an attacker to intercept data in transit and steal your personal details.
Some VPNs also offer malware protection. This makes them capable of protecting against malware-driven phishing scams that could otherwise hijack search engine results and divert you to an illegitimate site.
Though some phishing scams are easy to spot due to bad grammar and odd wording, it is important to remember that attackers are only becoming more sophisticated and their lures better disguised.
Being skeptical of requests for personal information, whether you receive them via email, messenger, text or phone call, is a must. It is also a good idea to stay up-to-date with the latest scam trends so that you will be able to spot any different forms of attack as they emerge.
By remaining cautious and following these tips, you should remain well protected against phishing scams.
Sources
1. https://eu.usatoday.com/story/money/2018/10/24/investigation-online-phishing-attacks-up-297-percent/1741033002/
2. https://www.zdnet.com/article/phishing-alert-gdpr-themed-scam-wants-you-to-hand-over-passwords-credit-card-details/
3. https://www.marketwatch.com/press-release/apwg-report-phishers-shift-efforts-to-attack-saas-and-webmail-services-2019-03-04
About the Author
Katherine Barnett is a researcher at Top10VPN, a leading VPN review website and digital privacy research group. You can find her on Twitter @thekatbarnett!