In the 21st century, "junk mail" has gone from filling trash cans to filling inboxes (until you delete it, usually). Your mobile phone may also be receiving text messages from numbers you're unfamiliar with, some with active links you may be tempted to click.
Here's the problem: "phishing" is far more dangerous to your computers and devices than a wad of coupon sheets and grocery circulars - crammed in your mailbox - ever was.
While the occasional "too good to be true" mailer may have snared grandma or grandpa into buying something unnecessary, phishing scammers have gotten savvy enough to fool your workforce at their desks, too.
With that in mind, sometimes it's best to learn from the mistakes of others, so let's look back at the biggest phishing scams of 2021.
What Is "Phishing?"
If you have an email address, you've been targeted by phishing expeditions. The Oxford Dictionary established the term "phishing" in 2005, when more and more Americans were beginning to rely on personal and occupational email for rapid response communication.
Phishing, then, is defined (by Oxford Languages) as "the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers."
The latest wrinkle? Targeting mobile phones, using text messages with hyperlinks capable of luring an unsuspecting target to allow malicious activity to take place on their device - including gaining access to contacts, login information, etc.
According to Wired.com, it's called "smishing" (a play on SMS messaging), and there's plenty to be wary of, but for the sake of focusing on your business, we'll stick to what has the greater likelihood of impacting your computer(s) and network operation - traditional phishing.
According to Verizon's Data Breach Investigations Report for 2021, 85% of all breaches involved the "human element" and 36% of all security breaches were by way of "phishing," up 11% from 2020.
Get this: Tessian Research revealed that employees receive - on average - 14 malicious emails per year.
There are several types of phishing, too:
- Spear phishing: targets an individual employee, often using attached document(s) containing malicious code
- Whaling: targets higher-level employees, who have access to more sensitive data, resulting in a bigger windfall for cyber criminals
- Cloning: uses a popular brand. Hackers send what appears to be an email from that brand to bait unsuspecting victims, who click through to an official-looking website and then hand over coveted private information. The most impersonated brands include Google, DHL, Rakuten, Amazon, LinkedIn, Microsoft, IKEA, Chase and PayPal
- CEO Fraud: because everyone opens the email from "the boss," right? This tactic sees hackers pretending to be the company CEO, seeking valuable information.
Notable phishing scams of 2021
Below is a list of the most notable scams of 2021. It's important to note that even though 2021 is in the past, these scams are ongoing, today, and we can learn from the mistakes of others to better protect our data and finances.
It doesn't get much bigger: last April, 553 million Facebook users' phone numbers and various other personal details were leaked on a low-level hacker forum. The breach itself occurred in 2019.
This brings up another valuable point - hackers often release information onto the dark web long after a breach has happened. This means that data within your organization may have been exposed for years before you even know it.
Because of this, companies are looking for better IT solutions to protect their networks from these kinds of attacks in the future.
Covid Vaccines as Bait
John D. Rockefeller routinely said he sought to turn every disaster into an opportunity; Winston Churchill was known to have said one should never let a crisis go to waste. Suffice it to say, as entrepreneurial or noble as they may have been, there are always those with nefarious intent.
Check Point researchers spotted a treasure trove of scams incorporating Covid-19 vaccines into malicious e-mails, seeking to take advantage of unwary recipients eager to get vaccinated.
Some included attachments capable of installing malware. In other cases, those e-mails carried key loggers - computer programs that record a user's keystrokes to get access to things like passwords and confidential and/or personal information.
Covid Relief Fund Scams
Sticking with pandemic opportunism, BitDefender uncovered a scam aimed at DocuSign and SharePoint users using Covid relief funding as bait. This wasn't just a uniquely American issue, either; in fact, while the attack began in the U.S., Ireland, Sweden, the United Kingdom, Denmark, and Finland were targeted, too.
Who's Ready for a Vacation?
After more than a year of pandemic headlines, social distancing and lockdowns, folks were clamoring to travel as soon as it was possible, and hackers knew that and sought to take advantage. In fact, the threat intelligence group Webroot noted a 93% increase in "malicious Covid-related domains" relating to "travel" in April of last year.
Terms like "passport" (vaccine passports were hotly debated in early 2021, remember?) and malicious landing pages found using the words "cheap," "last minute," and "weekend" in travel queries began to dominate by spring and summer.
PlayStation 5 Giveaway Scam
Gamers were growing more and more frustrated with their inability to secure a new PlayStation 5 console, and a fake promotion and e-mail sought to capitalize on that. Researchers at Kaspersky spotted the bogus promotion, which lured impatient gamers into providing personal and often financial information to enter a contest to win a console.
Fake Microsoft/Office365 reCAPTCHAs
A Microsoft-themed phishing attack uncovered in March of 2021 targeted senior-level employees. According to Zscaler, the "attack is notable for its targeted aim at senior business leaders with titles such as Vice President and Managing Director who are likely to have a higher degree of access to sensitive company data."
This highly sophisticated scam baited execs with what appeared to be voicemail attachments that led to a fake Google reCAPTCHA, which in turn led the victim to another fake page - an Office365 login where the entered credentials were recorded.
How to avoid becoming a phishing victim
If you read through the 2021 examples and said to yourself "wow, I could've fallen for that one" at least once, you know how hard it is to avoid being scammed. There's no shame in that; hackers are smart and resilient.
A few simple steps to protect yourself from phishing include:
- Having security software on your computer(s)
- Installing an anti-phishing toolbar in your web browser(s)
- Using multi-factor authentication on your accounts
- Backing up your data
- Checking URLs before clicking a link - hover your mouse over the link and the real destination URL will appear in the bottom left corner of your browser window
- Getting wiser to phishing tactics through phishing education
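The "hover to see the real URL" check above, and the brand-cloning tactic described earlier, can be automated for a whole e-mail body. The following is an added example, not code from the original post or from Standard Office Systems: it extracts each link from a constructed HTML message, flags link text that shows one domain while the href points to another, and flags hosts that borrow one of the impersonated brand names listed above without being that brand's own domain. The "last two labels" domain heuristic and the sample message are assumptions made for the example.

```python
import re
from urllib.parse import urlparse

# Brands the post lists as most impersonated; used to flag lookalike hosts.
IMPERSONATED_BRANDS = ("google", "dhl", "rakuten", "amazon", "linkedin",
                       "microsoft", "ikea", "chase", "paypal")
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_IN_TEXT_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def registered_domain(host):
    """Approximate the registered domain as the last two labels.
    Assumption: no public-suffix list, so co.uk-style hosts are not handled."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def brand_lookalike(host):
    """Return the brand name if the host borrows it without being registered
    under that brand's own domain (e.g. paypal-secure.example)."""
    reg = registered_domain(host)
    for brand in IMPERSONATED_BRANDS:
        if brand in host.lower() and not reg.startswith(brand + "."):
            return brand
    return None


def check_links(html):
    """Return (displayed_text, real_url, reasons) for every anchor in html."""
    findings = []
    for href, text in ANCHOR_RE.findall(html):
        shown = re.sub(r"<[^>]+>", "", text).strip()
        real_host = urlparse(href).hostname or ""
        reasons = []
        m = URL_IN_TEXT_RE.search(shown)  # link text that itself looks like a URL
        if m and registered_domain(m.group(1)) != registered_domain(real_host):
            reasons.append("display/href mismatch")
        brand = brand_lookalike(real_host)
        if brand:
            reasons.append("lookalike of " + brand)
        findings.append((shown, href, reasons))
    return findings


# Constructed sample e-mail body, not taken from any real message.
SAMPLE_HTML = """<p>You have a new voicemail in Office365.</p>
<a href="http://microsoft-voicemail.example/login">https://login.microsoft.com</a>
<a href="https://www.paypal.com/signin">Sign in to PayPal</a>"""

if __name__ == "__main__":
    for shown, href, reasons in check_links(SAMPLE_HTML):
        print(shown, "->", href, reasons or ["ok"])
```

The first link is the kind of "voicemail" lure described in the reCAPTCHA scam: it displays a Microsoft address while actually pointing elsewhere.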
Let's dwell on that last point; the schemes evolve and sprout up all the time. Being aware - and staying conscious of new wrinkles - will go a long way. "Think before you click" is a good rule of thumb.
There's plenty more to know and do - here's a handy list from Phishing.org.
Can Managed IT services help you avoid phishing scams?
The short answer is "yes," and even if managed IT assistance doesn't, it can certainly help you recover when an unsuspecting employee inevitably falls for a scam.
If you are a business, especially one without in-house staff to manage your cyber security, Managed IT services can help you avoid phishing scams, educate your staff about them, and recover your data if you do fall victim. Managed IT services add layers to your cyber security infrastructure and then employ a team of IT experts to address any threats or issues that pop up.
To take the burden of staying on top of the latest phishing scam tactics and updating software off of your plate, a managed services provider can handle those updates for you and install necessary security patches.
Managed IT services can help you create a password policy and role-based security that works for your business, too. In the event that a ransomware attack happens or your network goes down, they can reduce downtime by quickly recovering data due to their use of frequent and secure backups.
Have more questions about phishing or how to prevent phishing attacks?
Posted by Chris Gaines
Chris Gaines has been with Standard Office Systems as the Director of Managed Services for the past three years and has over 25 years of experience as a Network Administrator in the office technology industry. He has a passion for helping small businesses discover the best technology solutions for their specific needs.