Feb 10 2023

Catches of the Month: Phishing Scams for February 2023

Category: Information Security, Phishing | DISC @ 12:50 pm

Welcome to our February 2023 review of phishing attacks, in which we explore the latest email scams and the tactics that cyber criminals use to trick people into handing over personal data.

This month, we look at a UK government warning about a resurgence in Russian cyber attacks and concerns that the much-discussed AI programme ChatGPT could be used for fraud.

UK government warns of Russian-sponsored phishing campaign

The UK government has issued a warning amid an increase in phishing attacks stemming from Russia and Iran.

In an advisory statement, the NCSC (National Cyber Security Centre) shared details about the campaign, which appears to have been sponsored by the fraudsters’ national governments.

The researchers are most concerned about spear phishing, which is a sophisticated form of fraud. Scammers target specific individuals by researching them online – often using Facebook, LinkedIn or the website of the target’s employer.

Although spear phishing emails often contain the same clues as regular phishing scams, they have a much higher success rate. This suggests that people are more likely to assume that a message is genuine if it contains a few specific details about them, such as their name or their place of work.

The NCSC’s advisory highlights ongoing scams that were conducted throughout last year by the Russia-based group SEABORGIUM and the Iran-based group TA453, also known as APT42.

Their attacks target specific sectors within the UK, including academia, defence, governmental organisations, NGOs and thinktanks, as well as politicians, journalists and activists.

Commenting on the findings, NCSC Director of Operations Paul Chichester said: “The UK is committed to exposing malicious cyber activity alongside our industry partners and this advisory raises awareness of the persistent threat posed by spear-phishing attacks.

“These campaigns by threat actors based in Russia and Iran continue to ruthlessly pursue their targets in an attempt to steal online credentials and compromise potentially sensitive systems.

“We strongly encourage organisations and individuals to remain vigilant to potential approaches and follow the mitigation advice in the advisory to protect themselves online.”

Experts concerned that ChatGPT could be used for scams

ChatGPT has taken the Internet by storm, with the AI-backed tool helping writers and hobbyists create content almost instantly.

The program’s advanced language model has been championed by people looking to quickly produce quotes, articles and think pieces. However, cyber security experts are warning that another group – scammers – could also embrace the technology.

As Chester Wisniewski, the principal research scientist at Sophos, explained, ChatGPT can instantly produce grammatically correct and natural-looking writing, which would resolve one of the biggest challenges that scammers face when creating their baits.

“The first thing I do whenever you give me something is figuring out how to break it. As soon as I saw the latest ChatGPT release, I was like, ‘OK, how can I use this for bad things?’ I’m going to play to see what bad things I can do with it,” Wisniewski told TechTarget.

One of those ‘bad things’ that he considered was the ability for ChatGPT to create phishing scams.

“If you start looking at ChatGPT and start asking it to write these kinds of emails, it’s significantly better at writing phishing lures than real humans are, or at least the humans who are writing them,” he said.

“Most humans who are writing phishing attacks don’t have a high level of English skills, and so because of that, they’re not as successful at compromising people.

“My concerns are really how the social aspect of ChatGPT could be leveraged by people who are attacking us. The one way we’re detecting them right now is we can tell that they’re not a professional business.

“ChatGPT makes it very easy for them to impersonate a legitimate business without even having any of the language skills or other things necessary to write a well-crafted attack.”

Can you spot a scam?

All organisations are vulnerable to phishing, no matter their size or sector, so it’s essential to understand how you might be targeted and what you can do to prevent a breach.

You can help educate your staff with IT Governance’s Phishing Staff Awareness Training Programme.

This 45-minute course uses real-world examples like the ones we’ve discussed here to explain how phishing attacks work, the tactics that cyber criminals use and how you can detect malicious emails.

https://www.itgovernance.co.uk/blog/catches-of-the-month-phishing-scams-for-february-2023


Tags: Phishing scams


Dec 11 2022

Phishing Scams: How To Recognize A Scam Email, VOIP call, or Text

Category: Email Security, Phishing | DISC @ 11:55 am

A phishing scam is not only about stealing your login credentials, but it can also install malware, including ransomware, which is why it is essential to learn how to tackle this growing threat.

The number of phishing scams reported in the first quarter of 2022 set a new record of over one million total attacks, according to a report by the Anti-Phishing Working Group.

And the scams have been growing fast in recent years. The number of attempts reported in the first quarter of 2022 is more than triple the average numbers just two years before, in early 2020.

With so many attacks underway—and growing by the day—what’s the best way to recognize these scams and prevent them? We’ll look at how to recognize and protect yourself from the most common types of phishing fraud. Meanwhile, you can also learn how to detect phishing images in an email.

Most prevalent types of phishing scams

Phishing today refers to a type of scam that steals people’s personal information by posing as a trusted third party. For example, a scammer might pretend to be a government worker to get you to share your Social Security number or pretend to be from your bank to get you to share account details.

With so many communication channels today, there are more phishing methods than ever before. And scammers have adapted to each type of channel by leveraging trust signals inherent to each one.

This can make it hard for the untrained eye to spot a phishing scam and even difficult to recognize if you’ve been hacked after falling for an attack. The first sign that tips off most victims is an unexpected charge, damaged credit score, or depleted bank account.

Here are the six most common types of phishing scams and how to protect yourself.

1. Email scams

Anyone can fall for an email scam; this U.S. judge did. By far the most common type of phishing attack is via email. You’re probably familiar with the spam emails we all get on a day-to-day basis, but the most sophisticated phishing attacks look very different.

These emails often look identical to official messages and notifications, including the company’s logo and exactly the same content as a real message. For example, one of today’s most common scams is a message notification from LinkedIn that’s almost impossible to tell apart from the real thing.

How to protect yourself:

  • Never click on links in emails. Instead, visit the official site.
  • Beware of email addresses that aren’t from the business domain, especially if the address is from a free provider like Gmail.
  • Disable automatic image loading, as this can let scammers know you’ve seen the message.

2. Voice phishing (vishing)

Another common method fraudsters use to trick victims is over the phone. These calls usually claim to have a one-of-a-kind offer or urgent, life-threatening warning.

Most scammers use a VoIP phone system that lets them change the phone number, meaning the call appears as though it’s from a local number even if it’s not.

How to protect yourself:

  • Never answer calls from numbers you don’t recognize, even if it has a local area code.
  • Don’t return calls from numbers you don’t recognize (one type of scam collects expensive per-dial and per-minute fees, hoping you’ll call back).
  • Remember that most U.S. government agencies, including the IRS, Medicare, and the Social Security Administration, almost never call by phone and do not have the power to arrest you.

3. Phishing websites

One of the most common destinations for phishing scams is a fraudulent site that looks like the official website. The cloned site will often be identical to the real page, using the company’s logos, color scheme, and fonts.

After establishing trust with the design, the site will ask you to share personal information, anything from your email and password to your Social Security number or bank account details. For example, this attack impersonating American Express used an email message and web page almost impossible to tell apart from the real brand.

Phishing email and the phishing page (Screenshots via Armorblox)

How to protect yourself:

  • If you get a message with a link—even if it looks trustworthy—go to the official site instead.
  • Check the URL of a website to make sure it’s correct. (You’ll notice the American Express phishing page above comes from a site other than AmericanExpress.com.)
  • Don’t automatically trust an HTTPS connection. The “green padlock” icon is an important trust signal, but it doesn’t mean a site is safe. Hackers can use them on phishing sites, too.

4. SMS text message scams (smishing)

Text messages don’t have much space for the scammer’s message, but that hasn’t stopped criminals from trying new tactics to trick innocent victims. The goal of most SMS scams is to get you to click on a link or make a call, so immediately be suspicious of any message with a link or number (though of course, some legitimate messages have these as well).

One of the most common ruses right now with text scams is, ironically enough, helping to protect you from scams. You’ll often see a message “confirming” an expensive purchase or withdrawal, directing you to a number or link to cancel or investigate. There is nothing to cancel or investigate, but the scammer will pretend to resolve the situation by collecting your personal data for a future attack.

How to protect yourself:

  • Don’t trust texts from numbers you don’t recognize. Instead, visit the official site.
  • Beware of texts that use vague terms like “your bank” or “package service.” Scammers use these (instead of actual company names) so the message can apply to anyone.
  • Don’t reply to scam messages, even unsubscribe. This only confirms you have an active number and will result in more attacks.

5. Social media phishing

Social media has become one of the more recent additions to the phishing repertoire. Scammers reach out either using a fake lookalike account or a compromised account.

One common ruse is a friend reaching out for help, usually with an authentication code. But it’s not a friend—it’s a scammer who’s taken over their account and is trying to take over yours. Another ruse is a message from someone posing as the official company support account, asking you to provide information to verify you’re the authentic owner or to keep your page active.

Fake Support chatbot (Image: Trustwave)

How to protect yourself:

  • Beware of anyone who reaches out and asks for personal information or verification codes, even if they appear to be coming from a friend.
  • Don’t respond to messages from “official” accounts. If you’ve received an alert from the social networking site, it’ll usually appear in your account settings.
  • Don’t ever share your social media password with a third-party website.

6. Man-in-the-middle attack

This type of phishing scam requires the attacker to be nearby but can be one of the most dangerous because it’s almost impossible to detect. It works when you and the attacker are on the same Wi-Fi network, like at a coffee shop or airport. The attacker intercepts everything you send and receive and can redirect your browser from safe sites to look-alike sites without you knowing.

Once the attacker has set up a man-in-the-middle attack, they can see almost all the information you share, including usernames, passwords, credit card details, and more.

How to protect yourself:

  • Never use public Wi-Fi networks. A better option is to connect to a hotspot from your cell phone, which has a secure and private connection.
  • If you have to use public Wi-Fi, turn on a VPN. This can protect you against most types of man-in-the-middle attacks and safeguard your personal details.

How to prevent phishing

Every type of phishing requires a slightly different method to spot, and scammers are constantly developing new methods that leverage our weaknesses. But there are a few common warning signs you can look for across different types of phishing attacks.

  • Unfamiliar senders. Emails, texts, or calls from people you don’t recognize are automatically suspect.
  • Poor spelling or grammar. Major corporations pay careful attention to small details like this. Scammers, on the other hand, don’t usually worry about a few typos and often use poor English.
  • Urgency and threats. Scammers demand immediate action or scare you using intimidation tactics, like arrest or deportation, so you don’t recognize warning signs of a scam.
  • Unusual payment methods. Phishing scams often take the opportunity to charge a “fee” for a service but will only accept forms of payment like gift cards, money orders, or cryptocurrency. Legitimate businesses use other methods.

What to do if you’re a victim of phishing

You’ve learned how to protect yourself from phishing scams, but what if you’ve already fallen victim? If you know you’ve shared information with a scammer, here’s what you should do, based on what information you’ve shared.

  • Credit or debit card details. Call the issuing company and have the card canceled immediately. Ask to reverse or dispute any fraudulent charges.
  • Login details or passwords. Log into the compromised account, change the password, look for an option to close all active sessions, and add two-factor authentication if possible. Do the same for any other accounts using the same password.
  • Medical insurance information. Call your insurance company and any impacted companies, explain the fraud, and dispute any fraudulent charges.
  • Social Security number. Set up a credit freeze at each of the three credit bureaus (Experian, Equifax, and TransUnion). This prevents anyone from requesting credit in your name.
  • Name, email, date of birth, or other information. Keep a close eye on your accounts for signs of identity theft.

No matter what kind of information you’ve shared, it’s always a good idea to report the fraud to the Federal Trade Commission at IdentityTheft.gov. Filing the report helps protect others, gives you documentation of the attack, and will provide you with recovery steps specific to your situation.

Conclusion

Phishing attacks are on the rise, and scammers are developing even more intricate scams all the time. But if you know the most common warning signs and stay vigilant, you can protect yourself and take quick action in case you’ve been compromised.

Tags: Phishing scams


Jul 20 2022

Catches of the Month: Phishing Scams for July 2022

Category: Phishing | DISC @ 1:41 pm

Welcome to our July 2022 review of phishing attacks, in which we explore the latest email scams and the tactics that cyber criminals use to trick people into handing over their personal data.

This month, we look at a cyber attack at OpenSea, a US school district that was tricked into transferring funds to a crook and a report on the rising threat of phishing.

NFT marketplace warns users of phishing scams

Last month, the world’s largest NFT (non-fungible token) marketplace, OpenSea, disclosed a data breach in which users’ email addresses were compromised.

The organisation’s head of security, Cory Hardman, said that the breach occurred when an employee at a third-party email delivery vendor downloaded the details of OpenSea users and newsletter subscribers.

OpenSea has since warned that the information could be used to launch phishing attacks.

“If you have shared your email with OpenSea in the past, you should assume you were impacted. We are working with Customer.io in their ongoing investigation, and we have reported this incident to law enforcement,” Hardman said.

“Because the data compromise included email addresses, there may be a heightened likelihood for email phishing attempts.”

OpenSea warned users via an email notification

Hardman provided tips to help OpenSea users spot phishing attacks. He urged people to keep an eye out for emails that use domains replicating the genuine OpenSea.io address.

Cyber criminals could do this by using a different top-level domain (such as opensea.org), or by deliberately misspelling the domain name (such as opensae.io).
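The advice above (check that a sender’s domain really is the genuine one), together with the earlier tips to distrust mail from free webmail providers and to check the URL behind a link, can be turned into a simple classifier. The following Python is an added example, not code from the original post or from OpenSea: it treats opensea.io as the expected domain, flags a swapped top-level domain (opensea.org), a misspelt label within an edit distance of 2 (opensae.io), and free-webmail senders, and it classifies the host a link actually resolves to rather than the text of the URL. The edit-distance threshold and the short free-webmail list are assumptions, and every sample address and link is constructed.

```python
"""Lookalike-domain checks for sender addresses and links (added example)."""
from urllib.parse import urlparse

LEGIT_DOMAIN = "opensea.io"  # the genuine domain named in the post

# Assumption: a short illustrative list; a real deployment would use a fuller one.
FREE_WEBMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _label_and_tld(domain: str):
    """Split 'example.com' into ('example', 'com').
    Assumption: no public-suffix list, so suffixes like 'co.uk' are not handled."""
    parts = domain.lower().strip(".").split(".")
    if len(parts) < 2:
        return parts[0], ""
    return parts[-2], parts[-1]


def classify_domain(domain: str, legit: str = LEGIT_DOMAIN) -> str:
    """Return one of: genuine, free-webmail, tld-swap, lookalike, unrelated."""
    domain = domain.lower().strip(".")
    legit = legit.lower()
    if domain == legit or domain.endswith("." + legit):
        return "genuine"        # the real domain or one of its own subdomains
    if domain in FREE_WEBMAIL:
        return "free-webmail"   # a business does not mail from a free provider
    label, tld = _label_and_tld(domain)
    legit_label, legit_tld = _label_and_tld(legit)
    if label == legit_label and tld != legit_tld:
        return "tld-swap"       # e.g. opensea.org instead of opensea.io
    # Assumption: one or two edits counts as a misspelling of the real label;
    # very short labels would need a tighter threshold to avoid false positives.
    if label != legit_label and levenshtein(label, legit_label) <= 2:
        return "lookalike"      # e.g. opensae.io
    return "unrelated"


def classify_sender(address: str, legit: str = LEGIT_DOMAIN) -> str:
    """Classify the domain part of an email address."""
    if "@" not in address:
        return "unrelated"
    return classify_domain(address.rsplit("@", 1)[1], legit)


def classify_link(url: str, legit: str = LEGIT_DOMAIN) -> str:
    """Classify the host a link really points to. urlparse().hostname is used
    rather than reading the string by eye, so a 'user@host' prefix or the real
    name appearing as a subdomain of some other site is not taken for the genuine host."""
    host = urlparse(url).hostname
    return classify_domain(host, legit) if host else "unrelated"


if __name__ == "__main__":
    # Constructed samples; none are real messages.
    for sample in ["support@opensea.io", "noreply@mail.opensea.io",
                   "support@opensea.org", "support@opensae.io",
                   "opensea.support@gmail.com", "accounts@vendor.example"]:
        print(f"{sample:30} -> {classify_sender(sample)}")
    for link in ["https://opensea.io/login",
                 "https://opensea.io@evil.example/login",
                 "https://opensea.io.evil.example/login"]:
        print(f"{link:42} -> {classify_link(link)}")
```

The "genuine" test accepts subdomains of the expected domain (mail.opensea.io) but not the expected name glued in front of someone else's domain, which is why the split always looks at the last two labels. In a mail gateway this would run over the From and Reply-To headers and over every link in the body, with anything other than "genuine" raised for review.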

Hardman also advised users not to download or open email attachments if they believe the message is suspicious, and to never sign wallet transactions if prompted directly via email.

It was that technique that caught out fans of the NFT artist Beeple last month. His Twitter account was hacked, with the attackers stealing $70,000 (about £56,000) worth of cryptocurrency.

In addition to the theft, the cyber criminals shared a phishing link on Beeple’s Twitter account that, if clicked, took money directly from their wallets.

Incidents such as this and the OpenSea hack demonstrate the challenges that NFT trading presents. Although many people are enticed into NFTs because the market is unregulated, that also creates major security risks.

Whereas banks and other regulated trading platforms are required to take steps to protect people’s assets – and will typically have proof of unauthorised access – the crypto culture emphasises personal responsibility.

If a cyber criminal compromises a crypto wallet, victims have little recourse and will have to accept their loss.

School district accidentally wires $200,000 to fraudulent bank

The Floyd County School District in Georgia admitted in June that it had wired $197,672.76 (about £164,000) to a bank account controlled by cyber criminals.

Officials said they received the request from an email address seemingly associated with Ben Hill Roofing, an organisation that had previously worked with a school in the district.

Floyd County Schools made the payment on 29 April, and was only alerted to its mistake after the real Ben Hill Roofing submitted an invoice.

Speaking to a local news outlet, the school district said: “Floyd County Schools has been made aware of a spear phishing incident, which is a targeted email attack pretending to be from a trusted sender. This cyber-attack resulted in funds being stolen from the school system by an outside source.”

It added: “We are working with local law enforcement, GEMA, GBI, and insurance officials to recover the funds.

“Because of the cyber security measures FCS has put in place over the past few years, school system officials believe this is an isolated incident. Due to the ongoing investigation, more details cannot be released at this time.”

Floyd County Schools has since recovered almost all of the stolen funds following a police investigation. Officers traced the stolen money to a bank in Texas, which had already flagged the account as suspicious.

Phishing attacks reach all-time high, report finds

The first three months of 2022 saw more than a million reported phishing attacks, according to the APWG’s Phishing Activity Trends Report.

It’s the highest number of phishing attacks that has ever been reported in a quarter, and it follows a steady increase in attacks throughout the past year. In April 2021, the APWG observed just over 200,000 phishing attacks. By March 2022, it almost doubled, to 384,291. 

According to the report, the industry most likely to be targeted was the financial sector. It found that 23.6% of all incidents affected organisations that provide such services. 

The next most frequent targets were software-as-a-service and webmail providers (20.5%) and e-commerce sites and retail stores (14.6%).

The report also found that 12.5% of phishing attacks target social media sites, while cryptocurrency platforms account for 6.6% of incidents. 

According to John Wilson, Senior Fellow of Threat Research at HelpSystems, the majority of phishing attacks are conducted using BEC (business e-mail compromise).

Wilson noted that in the first quarter of 2022, 82% of BEC messages were sent from free webmail accounts. Gmail is the most popular provider, accounting for 60% of BEC scams. 

Meanwhile, 18% of BEC messages used email domains owned by the attacker. 

The report also found that the average sum that scammers requested in wire transfer BEC attacks in Q1 2022 was $84,512 (about €98,000). This is a significant increase over the previous quarter, in which scammers requested €50,027 (about €58,000) on average. 

Can you spot a scam?

All organisations are vulnerable to phishing, no matter their size or the sector, so it’s essential to understand how you might be targeted and what you can do to prevent a breach.

You can help educate your staff with IT Governance’s Phishing Staff Awareness Training Programme.

This 45-minute course uses real-world examples like the ones we’ve discussed here to explain how phishing attacks work, the tactics that cyber criminals use and how you can detect malicious emails.

Tags: Phishing scams, phishing training


May 08 2022

1000s of phishing emails sent from NHS inboxes

Category: Phishing | DISC @ 10:44 am

New research from the email security firm Inky has revealed that more than 1,000 phishing emails were sent from NHS inboxes over a six-month period.

The firm has claimed that the campaign, beginning October 2021, escalated “dramatically” in March of this year.

After the findings were reported to the NHS on April 13, Inky reported that the volume of attacks fell significantly to just a “few”.

“The majority were fake new document notifications with malicious links to credential harvesting sites that targeted Microsoft credentials. All emails also had the NHS email footer at the bottom,” Inky explained.


Phishing Dark Waters: The Offensive and Defensive Sides of Malicious E-mails 

Scams: Learn valuable skills to avoid being scammed by frauds. Real experiences of fraud detection, Fraud Examination, phishing emails, scam calls & more.


Tags: NHS, Phishing Dark Waters, phishing emails, Phishing scams