Phishing: Growing and Getting More Sophisticated

Feb 4, 2019, 15:53 PM by Nuvision Credit Union 

Email phishing continues to be one of the biggest threats when it comes to data security, fraud, and identity theft. In addition to being the most common form of cyberattack, phishing is also becoming more sophisticated and threatening.

 

Phishing generally works in one of three ways:

 

  • An email arrives with an infected attachment (typically a photo-file format or a PDF) that, when opened, infects your computer with malware;
  • The email tells you to click on a link that asks for a password or tries to download malware that will infect your computer or electronic device; or
  • The email attempts to scare or intimidate through a message, often personalized, that threatens blackmail unless you pay the cybercriminal directly.

 

Phishing emails are successful because they often impersonate popular brands or prey on a guilty conscience. Phishing has become the most successful form of cybercrime.

 

Ultimately, though, if something doesn’t look or sound right, it probably isn’t. So, before you fall for a bogus email that asks you to reset a password, renew a subscription, or log into an account, take a moment to review some suggestions so you don’t get caught in a phishing scam. You don’t want to become a victim of fraud, lose money, or have your identity stolen.

 

Also, read on to take a quiz to see how well you can spot email phishing.

 

Recognize phishing emails

 

To avoid phishing emails, you must first be able to recognize them. Cybercriminals are employing smarter techniques and getting much better at making phishing emails tough to recognize or differentiate from legitimate emails. Companies or individuals can employ all the safeguards or artificial intelligence they want. But, as Quinn Norton noted in a September 2018 story in The Atlantic about the internet’s most successful con, “Phishing doesn’t attack computers. It attacks the people using computers.”

 

 

The website TechRepublic.com also said that, “[E]nd users are often the weakest link in the security chain. Social engineering attacks—typically in the form of phishing—continue to be a popular mode of attack for cybercriminals, especially for those targeting individual users rather than large corporations.”

 

And it’s only getting worse:

 

 

It is so important to recognize, or at least be suspicious of, phishing because, of emails with malicious intent, only 10 percent come with infected attachments to gain access to a user’s computer. The other 90 percent impersonate a trusted sender to try to trick the user.

 

Phishing impersonates popular brands

 

A recent report said these are the 10 brands that are most often impersonated in phishing emails in North America:

 

  1. Microsoft
  2. Netflix
  3. PayPal
  4. Bank of America
  5. Chase
  6. DHL
  7. Facebook
  8. DocuSign
  9. LinkedIn
  10. Dropbox

 

Moreover, the report said one of the big takeaways is that financial services firms represented nine of the 25 brands most likely to be spoofed by phishers.

 

So, it is especially important to note that Nuvision Credit Union will NEVER ask for sensitive information via email, text message, or on a call that you don’t initiate.

 

SEE: Personal and sensitive information that Nuvision will never ask over the phone, via email, or text.


 

Phishing attempts to blackmail

 

If you’re like many people, you may have received an email that attempted to blackmail you. Those blackmail phishing attempts can be extremely convincing, especially because they often include personalized information.

 

For example, the sending email address can include your own name or make it appear that it came from your own account. The subject or email text might include your name and a password or login information that you have used in the past or still use.

 

Most tellingly, these types of phishing attempts, sometimes known as webcam blackmail or sextortion scams, are centered around threats to reveal embarrassing or illegal information about you. The email will say that the information was gained from access to your computer or phone webcam or microphone, or from emails or instant messaging.

 

In short, they prey on those with a guilty conscience.

 

Of course, it’s not true

 

Phishing emails will almost always include bad grammar, incorrect spelling and capitalization, and terrible punctuation. If it’s poorly written, that should be a telltale sign that you’re being phished.

Some of these emails will say the sender has video of you visiting or using pornographic websites, for example. Or the email will say that the sender captured inappropriate conversations or interactions you had with a coworker, or at a convention, or at a hotel. Don’t be surprised if you receive an email that begins with or includes:

 

[Former or current password] is one of your passphrases. Lets get straight to the purpose. Nobody has paid me to investigate you. You may not know me and you're most likely wondering why you are getting this email?

 

Opening with a password you have actually used, whether former or current, makes the email all the more threatening. However, given the massive number of data breaches and the amount of information exposed on the dark web, it is fairly simple for a cybercriminal to acquire login and password information for hundreds of thousands, if not millions, of accounts.

 

After detailing alleged use of pornography or an extramarital affair, the scam will go on to say that you have two options:

 

First solution is to skip this email. in this instance, i will send out your very own tape to just about all of your contacts and thus imagine about the awkwardness you will definitely get. Keep in mind should you be in a romance, exactly how this will affect?

 

The other option, not surprisingly in a blackmail attempt, is to send money to someone. Often, remittance is requested via Bitcoin or other digital or electronic currency. The email also includes a warning not to go to the authorities:

if you are thinking of going to the law, well, this e-mail cannot be traced back to me. I have taken care of my actions. i am also not trying to ask you for a lot, i just like to be compensated. if i don't get the ‌bi‌tco‌in‌, i will definately send out your video recording to all of your contacts including friends and family, co-workers, and so forth. Having said that, if i receive the payment, i'll erase the recording immediately. This is the non:negotiable offer so do not waste my personal time & yours by responding to this email.

 

Of course, the threat and the illicit information are not true … for most of us.

 


 

It is incredibly easy for hackers to obtain enough information to personalize blackmail phishing, and the cost to send email is virtually nothing. So, while the threats don’t apply to most recipients, cybersecurity expert Brian Krebs says there is a chance it will be received by someone who really does have a current or former affair to hide, or who may have visited a porn site (either on purpose or by mistake). The cybercriminals only need a few suckers with enough of a guilty conscience to pay to make their extortion scam worthwhile.

 

Jack Schofield from The Guardian published an article about this very subject, “I got a phishing email that tried to blackmail me – what should I do?” In it, Schofield made the point that, “Very few people ever make the requested payment. However, since the cost of sending millions of spam emails is basically zero, even a few payments are easy profits.”

 

Quiz: Can you spot the phishing email?

 

So, how do you spot phishing? Jigsaw, the team at Google’s parent company, Alphabet, that focuses on making the world safer through technology, created a “quiz based on the security trainings we’ve held with nearly 10,000 journalists, activists, and political leaders around the world.”

 

Jigsaw says, “the best protection against phishing is two-factor authentication.” For information about creating strong passwords and using two-factor authentication:

 

SEE: 5 Steps to Create Strong, Unique and Readily Accessible Passwords

 

Jigsaw also says, “the second-best protection against phishing is knowing how to spot it in the first place.”

 

If you would like to take the phishing quiz:

 

GO TO: Can you spot when you’re being phished?

 

Stay on top of fraud trends and news

 

Nuvision is your credit union resource for alerts, news, and information about fraud, identity theft, financial and data protection, and cybersecurity. Learn about fraud protection and follow Nuvision on Facebook and Twitter to receive updates when new articles are published.