Cybercrime is on the rise and phishing scams keep evolving, so our ability to identify them has never been more important, both in protecting ourselves and in protecting the organisations we are part of. There are many types of phishing scam, using many different tactics. In this article we look at some of the main phishing scams used by criminals, the intent behind them, and how to deal with them.
What are phishing scams?
Phishing is the general term for all scams that aim to obtain sensitive information fraudulently, whether by email, telephone, text message or social media.
Email phishing
This is the most common form of phishing. Essentially, a criminal creates an email that mimics a genuine email from a large organisation and sends out thousands of copies in the hope that a few recipients will click a link.
While the return per email is very low, so is the effort, time and resource the criminals have to put in.
Spear phishing
This is a targeted form of the standard phishing email that employs some of the same practices. The criminals will already have some information about the target, such as name, job title, email address and other specific details.
The criminals use this additional information to gain trust and increase the likelihood that a link will be clicked or an attachment opened.
This type of attack will be subtle, because the criminals have had to work to gather the base information and to design an email that achieves the penetration they require.
The ultimate aim is to infiltrate systems and networks and gather information that will allow them to extort money from the organisation the individual is part of.
Whaling or CEO fraud
This is by far the most targeted and subtle of the email phishing attacks. The criminals will include the same level of information as in spear phishing, but may also exploit current partner relationships, whether that is a supplier or a charity.
The criminal's tone of voice will be significantly better than in a standard phishing email, using business terminology and a sense of urgency, and in some cases following up with a telephone call to the target. All with the simple aim of stopping the target from checking the email properly.
Clone phishing
Clone phishing involves sending a near-identical copy of a legitimate email that the recipient would expect to see. The false version asks the target to click a link or open a document that is malicious, or to transfer funds to a different account than normal.
This is a common threat in the house buying process. Criminals intercept the email chain and redirect the payment. Conveyancing companies and solicitors tend to be the main target, as they handle multiple transactions. The criminals sit on the compromised email account, watching for the opportune moment to gain the biggest return.
In this instance the criminal has already breached an organisation and therefore has access to a lot of information.
Catphishing or catfishing
Catphishing is ever so slightly different from catfishing (and not just in spelling). Catfishing is the duping of an individual through a romance or friendship for money. The criminal creates a false identity, targets individuals and connects with them using a believable story backed by false evidence. Once the mark is invested, the scammer starts making requests, often accompanied by a heart-wrenching story.
Catphishing also uses a false persona, but the aim is to gather information from a mark within an organisation in order to target bigger prizes. Again, the scammer engages the mark and has them invest in the false background.
Voice phishing or vishing
Vishing is another form of phishing, except that it is carried out over the telephone. Essentially the criminal is after either personal information that can be used to steal your money and/or your identity, or access to your computer in order to install malicious software.
The scammer will pretend to be from a large organisation, a government body, a bank or Microsoft. In most cases none of these organisations would call you unprompted, so beware. The call might be automated, asking you to press 2 to unsubscribe. Don't! This is often used to confirm that a live person is on the line and may be a target.
Vishing can also be used in conjunction with other forms of scam; combining channels in this way gives the social engineering a greater chance that the target will provide the required information or carry out the desired action.
It is therefore important to always be wary and question who and why you have been contacted.
SMS phishing or smishing
Smishing, not the greatest of names, is phishing by text message. The danger here is that people tend to trust a text message. The sender can mask their number with a name, and because URL shorteners are used it can be almost impossible to tell where a link is going.
This is a case where it is better to be safe than sorry: unless you know the person who sent the text, always err on the side of caution.
Social media phishing
This relatively new form of phishing involves the criminal pretending to be an organisation's customer service account on social media.
The criminal creates an account whose name closely resembles the organisation's real account, copies the content from the real account and begins responding to customers' complaints about that organisation, asking for account details and so on.
Because of the nature of social media, individuals are unlikely to interrogate everything they see, and a lack of experience of this type of situation means people are unaware of the tricks criminals employ.
How do you keep yourself safe?
With all phishing campaigns the criminals are hoping that you do not fully interrogate the message and the channel it arrived on.
Additionally, the higher the stakes for the criminal, the subtler the social engineering behind the scam becomes. The position you hold within an organisation will determine the level of social engineering the criminals employ.
Fundamentally, you should be asking yourself these four key questions:
Who is the sender?
- What is the email address, telephone number or social media account?
Why are you receiving this message?
- Is money or financial information involved, or are you being asked to click a link?
- Did you expect this message?
- Is this urgent?
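As an added example (not part of the original article), the Python script below applies these questions mechanically to a raw email: it compares the display name and Reply-To with the domain the message actually came from, compares each link's visible text with where it really points, flags URL shorteners, and looks for urgency and money or credential cues in the subject and body. The two sample messages, their domains and the cue lists are constructed for illustration only.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed, illustrative lists; a real deployment would maintain and tune these.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "ow.ly"}
URGENCY_CUES = ("urgent", "immediately", "within 24 hours", "suspended", "today")
MONEY_CUES = ("bank details", "invoice", "payment", "transfer", "password", "verify your account")
# Link text that looks like a host or URL (e.g. "www.bank.example/login"), so it can be compared with the href.
HOSTLIKE = re.compile(r"^(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:/\S*)?$", re.I)


def domain_of(address):
    """Lower-cased domain of user@domain, or '' if there is no '@'."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def host_of(text):
    """Host of a URL, or of a bare 'www.host/path' string, with any leading 'www.' dropped."""
    host = urlparse(text if "://" in text else "http://" + text).hostname or ""
    return re.sub(r"^www\.", "", host.lower())


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def triage(raw_message):
    """Run the four questions over a raw RFC 5322 message and return a list of findings."""
    msg = message_from_string(raw_message)
    findings = []

    # Who is the sender? A display name quoting one address while the real address
    # sits on another domain, or a Reply-To on a third domain, are the classic header tells.
    display, sender = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(sender)
    if "@" in display and domain_of(display) != sender_domain:
        findings.append(f"display name claims {domain_of(display)} but sender is {sender_domain}")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and domain_of(reply_to) != sender_domain:
        findings.append(f"Reply-To goes to {domain_of(reply_to)}, not {sender_domain}")

    # Are you being asked to click a link? Compare what each link shows with where it goes.
    body = ""
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            body += payload.decode(part.get_content_charset() or "utf-8", "replace")
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        target = host_of(href)
        if HOSTLIKE.match(text) and host_of(text) != target:
            findings.append(f"link text shows {host_of(text)} but points to {target}")
        if target in SHORTENERS:
            findings.append(f"shortened link via {target} hides its destination")

    # Is money or financial information involved? Is this urgent?
    text = (msg.get("Subject", "") + " " + body).lower()
    urgent = [cue for cue in URGENCY_CUES if cue in text]
    money = [cue for cue in MONEY_CUES if cue in text]
    if urgent:
        findings.append("urgency cues: " + ", ".join(urgent))
    if money:
        findings.append("money or credential cues: " + ", ".join(money))
    return findings


# Constructed sample: a credential-phishing email with forged display name, foreign Reply-To,
# a mismatched link and a shortened link. All domains are fictitious.
PHISH_SAMPLE = """\
From: "security@acme-bank.example" <alerts@mail-notify.example>
Reply-To: acme-support@webmail.example
To: jo@company.example
Subject: Urgent: verify your account today
Content-Type: text/html; charset=utf-8

<p>Your account will be suspended within 24 hours unless you verify your account.</p>
<p>Visit <a href="https://acme-bank-secure.example/login">www.acme-bank.example/login</a>
or use <a href="https://bit.ly/example">this link</a>.</p>
"""

# Constructed sample: an ordinary internal email that should produce no findings.
BENIGN_SAMPLE = """\
From: Dana Lee <dana.lee@company.example>
To: jo@company.example
Subject: Minutes from Tuesday
Content-Type: text/plain; charset=utf-8

Hi Jo, the minutes are on the intranet: https://intranet.company.example/minutes/2024-03
Regards, Dana
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, triage(sample))
```

The checks are deliberately heuristic: a legitimate newsletter may use a separate sending domain, and a shortened link is not malicious by itself, so the output is a list of points to interrogate before acting, not a verdict.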
Take a look at our article about how to spot a phishing scam, which includes examples of all the basics to look for.
Security Awareness training
Train your team to identify phishing attacks with our Security Awareness Training.
Our unique two-stage training programme first educates your team, then sends out simulated phishing attacks.