phish·ing
/ˈfiSHiNG/
noun
the practice of using fraudulent e-mails and copies of legitimate websites to extract financial data from computer users for purposes of identity theft
Phishing is the method of attempting to get personal and sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy party such as popular shopping, social, banking/financial sites, even IT administrators. By casting a wide net through mass emails, the hope is that one or two trusting individuals will click on the malicious link and provide the sensitive info.
Phishing is one of the easiest forms of cyberattacks to execute, and it’s also one of the easiest to fall for. These attacks have spread beyond suspicious emails to phone calls (vishing), SMS/texting (smishing), social media, and apps. A basic phishing attack attempts to trick the target into doing what the scammer wants. Two top examples are providing passwords, which makes it easier to hack a company or account, and altering bank details so that payments go to fraudsters instead of the correct account.
Phishing is also a popular technique for cybercriminals to deliver malware, by enticing victims to download a document or visit a link that will secretly install malicious software. One example is ransomware, which locks users out of their devices or files and holds them hostage until a ransom is paid.
In the hands of fraudsters, all of that personal information can be used to carry out scams like identity theft, to buy things with stolen data, or even to sell people's private information on the Dark Web.
According to Help Net Security, 90% of successful cyber-attacks occur through email-based attacks.
Some phishing campaigns remain incredibly obvious to spot, with poor grammar and misspelled words. Or how about the one about the Nigerian prince who wants to leave his fortune to you? Recently, the emails have become so advanced that it's practically impossible to tell them apart from authentic messages. Some might even look like they come from an account such as Netflix, Amazon, or LinkedIn, and some look like they’re from your friends, family, or even your boss.
In early 2020, phishing emails related to the COVID-19 pandemic started running rampant. Popular themes include stimulus checks, fake CDC warnings, working from home, and more.
From Netflix scams to Microsoft Windows Updates, these phishing emails look so realistic that users would think it's the real thing.
Let’s take a look at a few…
1. Microsoft Updates
Microsoft 365, Office 365, and other Microsoft programs continue to be a go-to for cybercriminals and phishing email attempts. The goal could be to install malware, or to gain your log-in credentials and then carry out a Business Email Compromise scam, also known as CEO Fraud.
Microsoft Critical Vulnerability Update Phishing Email with Link
Microsoft AntiSpam PRO Update Phishing Email with Link
2. Well-Known Service Memberships
More often than not, phishing emails impersonate a well-known service such as Netflix, Amazon or Apple, in an attempt to harvest payment information or login credentials. Urgent words such as “account on hold” or “canceled” are an attempt to get you to act quickly without hesitation.
Netflix Phishing Email
Amazon Phishing Email
Both Amazon and Netflix have information on their websites on how to report a phishing email.
3. Requests for Donations from Fake Charities
Sadly, cybercriminals will take advantage of any new and unfamiliar situation to steal people's personal information and scam them out of money. With so many natural disasters occurring, from wildfires to hurricanes and tornadoes or the COVID-19 pandemic, donation scams remain a top resource for scammers looking for free cash.
A one-man-outfit operating as the Black Lives Matter Foundation raised millions of dollars this spring despite the fact that his charity is not connected to the Black Lives Matter movement, causing the New York Attorney General to step in.
Donation Phishing Email using the Australia Fires
4. Presidential Election
We’ve seen plenty of headlines outlining the attempts of hackers to influence the 2016 and 2020 presidential elections. Cybercriminals have taken advantage, posing as political volunteers attempting to register voters or solicit donations. In these vishing scams, the "volunteer" will ask for donations to a candidate/political party with a credit card number or will ask for personal information such as a Social Security Number in order to fill out a voter registration form.
Phishing emails from fake political action committees urge folks to “click here to make sure you’re registered to vote”. According to Tessian, 75 domains spoofing websites related to mail-in voting were registered between July 2nd and August 6th. For some, the lure is information about voting by mail, voter registration, or political donations; for others, it is ballot tracking. All the while, their goal is to get your personal information: name, address, phone number, Social Security number, and even credit card details.
Voter registration over the phone is not permitted. To be safe, perform a Google search of the name of the political action committee (PAC) for verification before providing any personal information.
According to KnowBe4’s quarterly report, the top clicked social media phishing emails are from LinkedIn with the following subjects referenced.
KnowBe4’s reports and data come from millions of phishing tests run per year.
Click below to see the full infographic.
KnowBe4 Q4 2020 Top-Clicked Social Phishing Email Subjects
Do not click on any links. If you hover your mouse over the sender's email address and over the link, the full email address and URL will appear, allowing you to check them for legitimacy. Better yet, go to the site directly and log in separately from the email.
Do some research to make sure the organization or contact reaching out is legitimate. That way you can be sure attackers aren’t trying to steal your details.
Teknologize is a Managed Service Provider with clients throughout the Pacific Northwest, with offices located in the Tri-Cities and Yakima, Washington (509.396.6640) and Bend, Oregon (541.848.6072).