Remember the days when a phishing scam was easy to spot? An email arrived with plenty of misspelled words, improper sentences and syntax, and it was probably from a name you didn’t recognize. Over time, phishers realized their lures weren’t providing the desired results.
So, what did the con artists do? They did their homework! They realized their phishing scams should be more realistic. Now, phishing communications appear as if they’ve come from a trusted source. Phishers are banking on the fact that if you are expecting a communication from a known “sender” to look a certain way, you are much more likely to click on attachments or links.
You may have noticed that I used the word “communication” in the previous paragraph instead of “email.” That’s because phishing attacks go far beyond email. They can include SMS/text attacks or phone calls too. Each communication type provides methods for a scam artist to obtain sensitive information. To keep from becoming a victim, everyone is responsible for scrutinizing all communication channels prior to clicking or responding.
Spearphishing focusing on schools
Anyone can be a target for phishing via personal, business, or school communications. Last year, the FBI published a Cyber Bulletin regarding Spearphishing Campaigns Against Students at Multiple Universities. The bulletin focuses on higher education, but the same attacks could be used against any educational institution. In it, the FBI states it identified spearphishing emails, which are highly targeted and tailored communications, that requested a student’s login credentials for the school’s internal intranet. The cyber criminal then used the student’s credentials to change the direct deposit destination to bank accounts under the cyber criminal’s control. These attacks continued to grow throughout 2019 and are expected to continue in 2020.
Feeding on fear
Some phishing campaigns feed on fear, which is currently happening with the global concerns about coronavirus. One such campaign utilizes emails that appear to be coming from the U.S. Centers for Disease Control and Prevention and the World Health Organization. These emails encourage the potential victim to click on a link about cases of the coronavirus in their area. The link redirects to a fake website that appears to be a Microsoft Outlook login page, where targets are asked to enter their username and password. A slight variation of this email will ask the target to donate bitcoins to help the CDC find a cure for coronavirus.
Another variation of this scam asks the intended victim to download a document on “Safety Measures Regarding the Spreading of the Coronavirus.” When a person clicks the link, they are redirected to a fake CDC website requesting verification of the username and password associated with their email address. The best way to protect yourself from this scam is to carefully review any links. In this case, the correct domain for the CDC is “cdc.gov,” but the link used in this campaign is “cdc-gov.org,” which shows how hard it can be to tell whether a link is malicious.
An email from the PayPal Notifications Center is yet another phishing campaign that is seeing a lot of activity. In this campaign, the target is notified that her “account is on hold.” She needs to click a button to “secure and update” her account by verifying her identity. Once the target presses the button, she is shown a convincing-looking PayPal login screen. After logging in, she is sent to a screen that states her account is locked and requests her billing address and phone numbers. The next screen requests verification of credit card information. Each of these screens looks exactly as if it came from PayPal, even though all of them were built for the phishing scam.
This is a very familiar phishing scam impersonating PayPal; however, the campaign now goes even deeper. This shows again that phishers have done their homework and realize they can try to collect all the data possible while they have a target on the hook. If the target continues, the next information collected will be PII (Personally Identifiable Information) such as birth date, social security number, and credit card PIN. The request after that asks the target to upload a photo of a valid ID or credit card.
To protect yourself, be vigilant about validating the URL you are directed to before entering any information. In the PayPal example, the target should validate the PayPal login page URL. The correct PayPal login page uses the URL paypal.com/us/signin (assuming you are logging in from the United States), whereas the malicious login URL does not include the words “paypal” or “signin.”
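As an added example that is not part of the original post, here is a small Python check that applies the link-inspection advice above to the CDC and PayPal campaigns: it extracts the hostname, compares its registrable domain against an allowlist, and flags hosts that merely contain a trusted brand name (such as “cdc-gov.org”). The allowlist and sample links are constructed for illustration, and the two-label domain rule is a deliberate simplification.

```python
from urllib.parse import urlparse

# Constructed allowlist of registrable domains the reader expects to hear from
# (hypothetical for this example; a real deployment would maintain its own list).
TRUSTED_DOMAINS = {"cdc.gov", "who.int", "paypal.com"}


def registrable_domain(host):
    """Return the last two labels of a hostname, e.g. 'www.cdc.gov' -> 'cdc.gov'.

    Simplification: real code should consult the Public Suffix List (for
    example via the tldextract package) so that 'example.co.uk' is handled.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_link(url):
    """Classify a link as 'trusted', 'suspicious' or 'unknown', with a reason."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    if not host:
        return "suspicious", "link has no hostname"
    if "@" in parsed.netloc:
        # 'paypal.com@203.0.113.5' displays a brand but connects elsewhere.
        return "suspicious", "user info embedded before the real host"
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return "trusted", domain
    # Lookalike check: a trusted brand appears as a label fragment of an
    # untrusted host, as in 'cdc-gov.org' or 'paypal.com.verify.example'.
    tokens = set(host.replace("-", ".").split("."))
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in tokens:
            return "suspicious", f"'{host}' imitates {trusted}"
    return "unknown", domain


if __name__ == "__main__":
    # Constructed sample links modelled on the campaigns described above.
    for link in ("https://www.cdc.gov/coronavirus",
                 "https://cdc-gov.org/safety-measures",
                 "https://paypal.com/us/signin",
                 "http://paypal.com.account-verify.example/signin",
                 "https://www.example.org/"):
        print(link, "->", check_link(link))
```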
A good way not to fall victim to phishing scams is to NEVER click the links or attachments sent within emails until the source is verified. If you are unsure about a message from a company, contact them through their customer service or call the customer service number listed on your account statement to ask if the email was actually sent from the company. It’s better to ask questions and be the “one that got away” instead of being another victim in a cyber criminal’s story.