Phishing has gotten lean and mean, and, in some cases, diabolically clever.
By now, most of us know better than to trust that marvellous Nigerian fellow who needs you – and only you – to receive all this money just found.
So much of phishing, the art of extracting personal financial information from people online, and then stealing their money, or in convincing people to send them money, is so obvious, that we delete and forget immediately.
But the attackers have evolved some truly diabolical techniques, and one has to be truly careful.
One of the meanest recent ones involves Covid-19 benefits. The attacker formats an email just like those of the labour ministry, and then asks for your financial information.
Black Friday, around the world, is a day celebrated particularly by phishing artists working with fake Amazon emails – the number of these rises by 45 per cent just before and on that day, according the cybersecurity firm Webroot.
But Amazon is popular with phishing attackers all the time. It is easy for them to offer amazing deals which many simply respond to because of the great bargain offered.
It’s easy for phishing attackers to make use of PayPal emails in the same way. As PayPal use involves a lot of email correspondence, the opportunity is there.
There is usually an element of urgency in phishing attacks. “Please reply without delay;” “we need your reply in time to complete preparations…”
This is always a good warning sign: Watch out for subject lines that include “Urgent Request, Important, Payment or Attention, according to Symantec’s recent report.
Urgency is a particular character of so-called whaling attacks. These are addressed to busy top executives. They look like authentic internal emails, but they actually instal malware that leads to financial crime. The executives share sensitive information because they are too much in a hurry.
Then there is spear phishing, as it is called, is the new art of making a phishing attack truly personal: About one-third of all attacks target just one person. The rest target fewer than ten people.
Obviously, the attacker has already used his/her hacking skills to gather lots of info about the target.
Did you just apply for a job? The attacker will have hacked the HR department at the company you applied to. You then receive an email telling you that you are on the short list for the position, but must pay a fee to an employment agency that is managing the selection.
The fact that the attacker knows you just applied gives the whole thing a credibility that you would not ordinarily accredit to a message of this type.
If that doesn’t sound convincing, consider that a company recently forked over $40 million to a spear fishing scheme. Emails arrived with the names of senior executives that directed employees to send funds from a subsidiary in Hong Kong to accounts belonging to third parties. The emails actually came from the fraudsters and the funds were not seen again.
Employees had no reason to doubt the authenticity of the emails. It happens in an increasing number of these scams.
Email is the most frequent way in that phishing attackers use. First they gather information about the company – small firms are particularly vulnerable. Then they circulate what looks like an internal document, with the right format – it could be a plan for a project or a schedule. When employees click on the plan, malware is installed on the system, and the financial withdrawals begin.
Because phishing attacks have become personal, they can be devastating. Take the proper precautions – it can happen to anyone if the phishing attack just pushes the right buttons.