Phishing is often written off as a problem exclusive to big organizations. Indeed, the most elaborate and targeted phishing attacks usually aim for access to an organization's network or for fraudulent money transfers. However, when we look at the raw numbers, many of the largest phishing campaigns target the general public, impersonating services used in everyday life outside the business context.
The pandemic has shifted everything towards a more remote approach. Many of us work remotely, attend school remotely, shop online, and spend our free time in greater isolation. This has increased the use of online services by the general public, which has in turn created many new opportunities for malicious actors.
1. Streaming services
Malicious actors are usually after money in one way or another. So, what could they possibly want with our Netflix accounts? To skimp on paying a subscription fee?
The goal is actually much more nefarious. The video below shows a credential harvesting page spoofing a Danish Netflix page. It first asks the user for their email address or phone number and their password. Next, it asks for their banking information, even checking that what is entered matches the format of the data requested. Lastly, it asks the user to log in with their NemID, a Danish method of strong authentication widely used in online banking and government services.
With all the information harvested by this site, the malicious actors gain access to the victim's Netflix account, along with their banking information and strong authentication information. One credential harvesting attack gives the malicious actor access to the victim’s bank accounts, taxes, and other public services.
Every stolen credential has a price tag on the dark web. A Netflix account alone might net the malicious actor around $40 USD on the dark web. Credit card detail prices vary depending on the account balance, with the median being around $50 USD. Online banking logins fetch around $100 USD. These credentials would add up to almost $200 USD for one successful phishing attack.
Sadly, many do not consider accounts like these to be as much at risk as business email or banking credentials. Passwords to such accounts are also often reused or deliberately kept weak, for example so they can be shared more easily with friends and family.
Below is a real phishing message impersonating Spotify, with a very similar credential harvesting flow behind the link.
2. Package delivery phishing
Package delivery phishing has been around for a long time. Brands like DHL and FedEx are amongst the most impersonated in the world. This type of phishing is often warned about on the internet and even in the news. However, when the phishing message arrives at just the right time, even the most careful of us can fall for the phish. As everything has moved to a more remote approach, those right times when we are expecting a package to arrive are far more common.
Malicious actors have also begun to impersonate smaller, more regional package delivery services. This targeted approach increases the intended victim's trust in the message. The images below show some recent examples of package delivery phishes making their way around the world.
From Canada to Germany to the Emirates, the common element in package phishing is a package that cannot be delivered because a payment is missing. Another common pretext is a failed delivery that requires you to choose a new delivery time. Guess what happens when you click the link or enter your credentials to get the fictitious package? Spoiler alert: something bad.
3. Banking phishing
Banking is another extremely prevalent theme in phishing campaigns. It feels like every time I open my online banking app, I get a popup of a new phish to watch out for. Where there is money there is crime.
Lately, a common approach in banking phishes has been asking for “know your customer” data. Know your customer guidelines (KYC for short) are set to prevent businesses from being used by criminals for money laundering. To ensure this, financial services are required to ask their customers to verify their identities. This is a very convenient approach for malicious actors to step in and impersonate, as many are aware of these types of requests being sent legitimately.
Read more about banking phishing here!
4. Tax phishing
In the old days, there were only two things you could count on in life: death and taxes. But during tax season nowadays, you can pretty much count on getting phished, too.
Malicious actors just love the possibilities this theme opens. Taxes are not fun, they elevate stress levels, there’s lots of documents to find, more forms to fill out, and different pages to visit. What better environment for a malicious actor to strike than that?
Here are a few examples of recent tax-themed phishing campaigns making the rounds in the wild. A common lure is the tax refund: just click this link and you will soon receive your refund! In the Danish example, the credential harvesting site is a copy of its legitimate counterpart, further increasing the feeling of legitimacy.
Read more about tax phishing here!
5. Advance fee scams
Good old advance fee scams. They usually aim to weaponise the recipient's empathy or greed: a great investment opportunity! An unclaimed inheritance! These emails usually talk about money in the millions, or even billions. For many of us they are ridiculously easy to identify as phishing, but sadly, the internet is full of stories of people who have lost all their savings to scams like these.
Staying off the hook
Malicious actors are usually trying to use your own emotions against you. Most of these messages seem pretty easy to recognise as malicious, but in the heat of the moment, they might slip past your guard.
- Take your time. Disarm the attack's emotional fuse by analysing the email objectively. If you feel a strong emotion, take a breather for a minute or two and then review the message from a different perspective.
- Look closely. Remember to check the sender address when you receive an email. The address might contain small changes, such as the domain ending in .net instead of .com, or something extra added to the name. Check the actual address, not just the display name: a message can say "Netflix" while the address behind it belongs to an unrelated domain.
- Beware of a fake badge. Official websites of real authorities typically identify you through a digital authentication service (in the Danish examples above, NemID); they do not ask for sensitive information such as your social security number the moment you land on the site. Phishing sites do.
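The "look closely" advice above can be turned into a mechanical check. The following is an added example, not code from the original post or from Hoxhunt: it takes a From: header, extracts the sender domain and classifies it against a small, assumed allow-list of legitimate brand domains, flagging the three tricks named above (a swapped top-level domain, extra text added around the brand name, and the brand name hidden in a subdomain) plus digit-for-letter substitutions and near misspellings. The allow-list, the homoglyph table and the two-label "registrable domain" rule are simplifications chosen for the example; a production check would use the public suffix list.

```python
"""Classify a sender address as legitimate, a lookalike of a known brand, or unrelated.

Added example: the allow-list, homoglyph table and sample headers are constructed
for illustration and are not part of the original post.
"""
import re
from difflib import SequenceMatcher
from typing import Optional

# Hypothetical allow-list of the real domains for the brands mentioned on this page.
LEGIT_DOMAINS = {"netflix.com", "spotify.com", "dhl.com", "fedex.com"}

# Digits and symbols commonly substituted for letters in lookalike domains (assumed table).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b", "|": "l"})


def sender_domain(header: str) -> str:
    """Extract the domain from a From: value such as 'Netflix <no-reply@netf1ix.net>'."""
    m = re.search(r"<([^>]+)>", header)
    addr = m.group(1) if m else header.strip()
    return addr.rsplit("@", 1)[-1].strip().lower()


def registrable(domain: str) -> str:
    """Last two labels of the host name (simplification: ignores suffixes like co.uk)."""
    return ".".join(domain.split(".")[-2:])


def second_level_label(domain: str) -> str:
    """The label just left of the top-level domain, e.g. 'netflix' in 'mail.netflix.com'."""
    return registrable(domain).split(".")[0]


def classify_sender(header: str, legit=LEGIT_DOMAINS) -> Optional[str]:
    """Return 'legit', a lookalike category, or None if the domain resembles no known brand."""
    domain = sender_domain(header)
    if registrable(domain) in legit:
        return "legit"                       # mail.netflix.com is still netflix.com

    label = second_level_label(domain)
    subdomain_labels = domain.split(".")[:-2]
    folded = label.translate(HOMOGLYPHS).replace("-", "")

    for brand_domain in sorted(legit):       # sorted for deterministic results
        brand = second_level_label(brand_domain)
        if any(brand in sub for sub in subdomain_labels):
            return "brand_in_subdomain"      # netflix.com.verify-login.net
        if label == brand:
            return "tld_swap"                # netflix.net
        if folded == brand:
            return "homoglyph"               # netf1ix.com, net-flix.com
        if brand in label:
            return "brand_in_label"          # netflix-support.com
        if SequenceMatcher(None, label, brand).ratio() >= 0.8:
            return "near_match"              # netfilx.com
    return None


if __name__ == "__main__":
    # Constructed sample headers, not real campaign data.
    for hdr in [
        "Netflix <info@netflix.com>",
        "Netflix <no-reply@netflix.net>",
        "Netflix <account@netf1ix.com>",
        "Netflix Support <help@netflix-support.com>",
        "Netflix <noreply@netflix.com.verify-login.net>",
        "Netflix <billing@netfilx.com>",
        "Amazon <ship@amazon.com>",
    ]:
        print(f"{hdr:50} -> {classify_sender(hdr)}")
```

Any result other than "legit" or None is a reason to stop and inspect the message rather than click. The homoglyph and near-match heuristics are deliberately loose; tighten the ratio threshold or add brands carefully, since short brand names such as "dhl" match many three-letter labels.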
Hoxhunt response
We are seeing what experts predicted: the fighting in Ukraine has an unprecedented cyber warfare dimension, and the fallout will seep into inboxes around the world. Our Threat Analysis Team examines tens of thousands of reported phishing emails a week, including ones like these, and has captured tens of millions of threats to date. Working together with our machine learning model, they cluster the threats, rate them, and incorporate the nasty ones into our training simulations in real time, so that our training keeps pace with the constantly evolving threat landscape. Hoxhunt users are thus drilled on spotting and reporting the latest actual threats making the rounds, removing potentially catastrophic threats from your system with every push of the Hoxhunt reporting button. Also learn how to equip your employees with the awareness training that will protect your company from phishing scams.