What is Phishing? Common Attacks & How to Avoid Them
The goal of nearly every phishing attempt is to steal information, but attacks can come in different forms. In today's blog, we break down common phishing types, tactics and 50 examples of phishing attacks.
When a scammer tries to gain access to your data using fake emails, texts, calls, or websites, it is called phishing. Phishing is commonly used to gain information from unsuspecting victims. Phishing attacks can steal personal information such as login credentials or financial information, or they can install malware on your device if you open an attachment or click on a link. When a phishing attempt is successful at stealing a user’s login credentials, attackers can then gain access to the company network, which poses further risks such as the exposure of sensitive data.
Common Tactics Used by Phishers
Cybercriminals continue to develop increasingly sophisticated phishing techniques, and today there are a variety of attack methods. Here’s a look at a few of the most common tactics used by phishers:
- Fake emails: Email is the most commonly employed phishing channel. A phishing email might ask you to open an attachment, call a fake customer care number, or click on a website link. These emails almost always convey a sense of urgency.
- Fake texts: Fake text attacks are also called smishing. They are pretty much like phishing emails. They will give you a link or a number to call and include a message that invokes a sense of urgency.
- Fake websites: Fake websites generally work with phishing emails. An email will give you the link to a fake website and when you click on it, it might ask for your password or bank information. In some cases, clicking on the link may even install malware on your device.
There’s another type of phishing, called vishing. In vishing attacks, the scammer uses voicemails. Another type of phishing attack that’s gaining popularity among hackers is the live scam phone call.
While these are the most common types of phishing attacks, scammers keep coming up with new ways to fool their victims. While this might sound scary, the good thing is that most phishing attacks can be prevented just by being careful. Unfortunately, many users often make mistakes and land in trouble. Let’s take a look at some examples of phishing attacks that have been in the news lately.
Examples of Phishing Attacks
1. Phishers pose as contract partners.
The Retarus CERT has issued a warning regarding a phishing attack where the attackers ask the recipients to edit important contract documents. The email includes a link that sends the recipient to a fake Microsoft login page. When the recipient enters their login credentials, they are stolen by the attackers. With usernames and passwords, the attackers can easily access the emails of their victims. To avoid such attacks, it’s important not to click on links included in unsolicited emails. Twitter: @retarus
2. Security training spoofed email.
A fake campaign designed to look like a security training program was used to urge recipients to click on a link to complete the required training. The email said that the link would expire in a day, to create a sense of urgency. The victims were also discouraged from going to the genuine website: the email claimed the training wasn’t available directly on the company portal and that they needed to use the email link. The attack collected the Outlook credentials of the victims. Twitter: @Cofense
3. Phishing links sent via compromised accounts.
Emails sent by strangers can raise suspicion, but what if the message came from a trusted source? In a 2017 phishing attack, some trustworthy LinkedIn accounts were hacked and used to send messages to others. The message included a link that stole the email credentials of the victims. When messages come from trusted sources, it’s easy to fall for them. However, unsolicited messages should always be a red flag. Twitter: @Malwarebytes
4. Chinese hackers target Europe and Tibet with a phishing email.
A particular Chinese threat actor has been operating for over a decade and has been targeting the Tibetan community with phishing emails. The same actor also attacked the diplomatic, legislative, and economic entities within Europe with Covid-19 themed attacks by impersonating the World Health Organization (WHO). The attacker left malware on the infected devices to gather sensitive information. Twitter: @SecurityWeek
5. Aerospace company loses €50 million in a phishing attack.
A phishing attack launched on FACC resulted in a loss of €50 million and caused their shares to plummet. There is a possibility of a whaling attack being involved in the scam. A whaling attack is a type of phishing attack in which the attackers spoof the email address of the CEO and send an email to a senior member of the company asking them to make a wire transfer of a large amount. To avoid this attack, when it seems like a senior management professional or executive is asking for a large money transfer, it’s best to confirm it with them in person or on a call. Such protocols should be implemented in companies. Twitter: @InfosecurityMag
6. Fraudsters made over $17m with a whaling attack.
In another whaling attack, the corporate controller of Scoular received what seemed to be an email from the company CEO. The email also contained a phone number, and a person was trained to pick up the call when the corporate controller called to verify the email. With a carefully crafted attack, the hackers were able to make off with $17 million. Twitter: @InfosecurityMag
7. Man conned Google and Facebook out of $122 million.
In this interesting case, the fraudster targeted Google and Facebook by sending them fake invoices that seemingly came from Quanta Computer Inc., a Taiwanese company. The scammer spoofed the email address used to send the invoices. The accounting departments of both companies paid up. While both companies were embarrassed about the fraud, it tells us that scams can happen to any company, and even small actors can con big tech giants. Twitter: @NakedSecurity
8. Scammers stole Verizon Wireless private phone records.
In a unique case, online information brokers posed as speech-impaired customers to pry into cell phone records belonging to Verizon Wireless. The information brokers asked for customer account information and claimed they were making the call on behalf of a speech-impaired customer. The sale of private phone records has been a problem since at least 1998, but not much has been done about it. Twitter: @WIRED
9. Hackers gained access to corporate information just by asking for it.
In this rather simple hacking incident, the hackers called the support desk and asked for the ID and answers to the security questions for Antonio Marino, an employee of the firm. They then called back, posing as Marino, and asked for the password for the company’s Outlook account. They verified the identity by giving answers to the security questions. They stole important company data and blackmailed the company for 70 Bitcoins to keep the data private. The company didn’t pay, so all the data was dumped into the public domain. Twitter: @Softpedia
10. Scammers calling and scaring people about viruses in their computers.
This is a common phone call that many people have received. Someone will claim that your computer is laden with viruses and is going to crash. They will then tell you some steps to eradicate these viruses from your computer. The scammers generally ask the victim to open a website and install fixes for these issues, and the “fixes” or “subscriptions” can cost as much as £185. Fortunately, the solution to this scam is simple – put the phone down. Twitter: @guardiannews
11. Windows 7 license expiry scam.
When Microsoft announced that it was withdrawing technical assistance and software updates for Windows 7, it created a new scam opportunity for fraudsters. They made calls to unsuspecting people and pretended to be from Microsoft, asking them to upgrade to Windows 10 to keep their computers working. The people who trusted them lost their money and/or sensitive information. Unsolicited calls, as always, should ring alarm bells.
12. Scam call costs the CFO his job.
In this vishing scam, Thomas Meston, CFO of Fortelus Capital Management, lost his job. Meston got a call from a scammer who posed as an employee of Coutts, the hedge fund’s bank. The scammer warned that there had been 15 suspicious payments that needed to be canceled. Meston used the bank’s security system and generated codes for the caller to “cancel the suspicious payments.” Later it was discovered that about $1.2 million had gone missing. He was terminated from Fortelus and was sued by the company. Twitter: @business
13. Scammers create Apple suspicious activity scare.
This scam targeted iPhone users in 2019 and created a pretty believable scenario. The only giveaway was that Apple never makes unsolicited phone calls to its customers. In this scam, the scammers posed as Apple support and called customers regarding suspicious activity on their iCloud account. The scary part about this scam is that the fake support call gets listed as a previous call from legitimate Apple support. The entire scam was carefully planned, but thankfully, many users knew that Apple never initiates calls with their customers. Twitter: @snopes
14. IRS warns of possible phishing attacks.
Phishing comes in various forms, and tax scams are quite popular among cybercriminals. The IRS warns taxpayers and tax professionals about these scams. It published a list of tax scams and asked users to be careful regarding tax fraud emails and phone calls impersonating the IRS. Scammers often target taxpayers by getting their bank details and using them to make direct deposits. The IRS also provides some safety tips for users to stay protected. Twitter: @IRSnews
15. Spectrum Health vishing scam.
We’ve all received fake phone calls at one time or another. The problem is, although these calls are very common, some people still fall prey to these scams. In a 2020 incident, patients and priority health members of Spectrum Health received phone calls from scammers pretending to be from Spectrum. The fraudsters tried to gain information like member numbers and other health information. Fortunately, people are increasingly aware of such calls today, and not many people fell for this scam. Twitter: @SpectrumHealth
16. Social security number scam in Montgomery County.
When scammers tried to get social security numbers from residents in Montgomery County, the authorities decided to alert people to the scam going around. In September 2020, the county office got calls that alerted them to a scam in which fraudsters were asking county residents for their social security numbers. The scammers said that if social security numbers weren’t provided, the residents’ bank accounts would be seized. The authorities warned residents not to give their information to any such caller. Twitter: @WFXRnews
17. The USPS delivery scam through smishing.
Smishing is a type of phishing attack that’s done using SMS. Last year, scammers sent SMS messages to people, giving an “urgent notification” about their USPS package. The SMS contained a link that took the users to different websites. While one link took users to a casino website, another one tried to steal their Google credentials. A similar scam happened in February last year when fraudsters used smishing and pretended to be from FedEx. Twitter: @TripwireInc
18. Apple chatbot scam with text messages.
SMS messages are an easy way to scam people. With URL shortening services, people don’t know where a link will redirect them. In one incident, an SMS message that appeared to come from Apple support told users that they had been selected to test the new iPhone and asked them to click on a link. The link text showed the genuine Apple website address, which is what made people fall for the scam. But the displayed URL was not the same as the actual URL, which took them to fake websites. Twitter: @NakedSecurity
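The mismatch described above, a link whose visible text shows one address while the real target is another, or a shortened URL that hides the destination entirely, is something a mail gateway or a security team can check for mechanically. The following is an added example, not code from the original article or from any vendor mentioned in it; the HTML message body and the list of shortener domains are constructed for illustration.

```python
"""Flag links whose visible text does not match the real target.

Added example, not part of the original article. The HTML e-mail body and the
shortener list are constructed for illustration (assumption, not exhaustive).
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed list of common URL shorteners (assumption, not exhaustive).
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl"}


def _host(url):
    """Return the lowercase hostname of a URL, adding a scheme if it is missing."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html):
    """Return (href, text, reason) for each anchor worth flagging.

    Two tells are checked: the visible text looks like a URL whose host differs
    from the real href host, or the href points at a URL shortener.
    """
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real = _host(href)
        # Only treat the link text as a URL if it has a dot and no spaces.
        shown = _host(text) if ("." in text and " " not in text) else ""
        if shown and shown != real:
            findings.append((href, text, f"displayed host {shown} != actual host {real}"))
        elif real in SHORTENERS:
            findings.append((href, text, "shortened URL hides the destination"))
    return findings


# Constructed sample message modelled on the scenario in the article.
SAMPLE_EMAIL = """
<p>You have been selected to test the new iPhone.</p>
<a href="http://bit.ly/3xAbCdE">www.apple.com/test-program</a>
<a href="https://secure-login.example.net/apple">https://appleid.apple.com</a>
<a href="https://www.apple.com/support">Apple Support</a>
"""

if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"{reason}: text={text!r} href={href}")
```

Run against the constructed message, the first two anchors are flagged (a shortener behind apple.com link text, and an appleid.apple.com label over a different host) while the third, whose text is plain words, passes.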
19. The infamous Nigerian scam.
We’ve all heard about the Nigerian prince scam. The recipient will get an email that seemingly comes from a Nigerian prince who needs money to go back to his country. He promises that he’ll pay you handsomely once he reaches home. Some people have fallen for this scam in the past, but now the main scam plot has been changed. Attackers sometimes claim to be from the embassy in Ghana. The names might change, but the mode of operation is pretty much the same. Make sure to decline all offers for free money. Twitter: @CSOonline
20. FBI warnings about illegal music downloads.
A lot of people use torrents or other illegal ways to download copyrighted movies, music, or software, which is what makes this particular phishing scam so successful. Phishers pretend to be from the FBI and send an email, warning you about a prison term because you pirated an online copy of copyrighted materials. The scam will lead you to a fake website where you’ll be asked to pay a penalty. However, a government website asking you to make urgent payments should always be a warning sign. Twitter: @CSOonline
21. Phishing by SEO poisoning.
While Google tries its best to remove malicious websites from its index, there are still a lot of them posing as genuine websites. In SEO poisoning, instead of the phisher contacting you directly, attackers lure victims to fraudulent websites through search results. For example, if a person gets a driver error, they Google it to find a fix. At the top of the search results, they might find websites that appear to be genuine but will actually download malware onto their device. This malware can then control the device or steal important information from it. It’s important to download software only from trusted sources. Twitter: @CSOonline
22. Craigslist phishing scams.
Craigslist scams usually target unsuspecting sellers. You post a product on Craigslist and get an interested buyer. They are okay with the cost and shipping prices. In fact, they are ready to overpay if you pay through their intermediary. They send you a big check and ask you to take your portion and give the rest to the intermediary, which you do. A couple of days later, the bank informs you that the check is bogus. Now the victim has lost their money and is on the wrong side of the law for depositing bogus checks. To avoid such scams, it’s important to stick to trusted payment gateways even if “the customer” says they want to overpay. If it’s too good to be true, it’s probably false. Twitter: @CSOonline
23. Hijacking social media accounts for financial scams.
In this type of attack, the phishers will either hijack a Facebook account or use some other details to make people believe it’s coming from their friends. It works best when there has been a natural disaster such as a hurricane. They will hijack an account and contact people on the list and ask for money. Since people are more likely to offer money to a friend who is affected by a disaster, this scam works easily. Twitter: @CSOonline
24. FBI announces Business Email Compromise (BEC) phishing technique.
In an announcement, the FBI provided information about BEC attacks that target businesses of all sizes. In this type of attack, a business usually receives an email from a long-term supplier, asking them to make payment to a different account. This email might be spoofed to look like the genuine supplier’s email address, or the genuine email account might be hacked for this purpose. This scam can also be carried out via a phone call. To stay safe, businesses need to confirm the account change before making the payment. Twitter: @FBI
25. Scammers employ money mules to make financial transactions.
Fraudsters often con people out of their money and get the amount deposited in the accounts of money mules. These money mules are often “hired” by fake companies. Scammers usually offer work-from-home jobs to people and ask them to make financial transactions. In a case in Canada, a woman was hired in customer service to help process payments. She was asked to handle financial transactions and was offered a 5% rate on each transaction she handled. She received payments into her account and she converted them to Bitcoin and sent them to the scammers. She continued doing that until she realized she was fooled into being a part of a scam. Twitter: @briankrebs
26. Money mule cases on the rise.
Money mules are an easy way for scammers to transfer money. And they usually hire young people who need money. Since these victims are young, they don’t realize that this can be damaging for them. In a study by Cifas, it was seen that money mule cases rose sharply from 2016 to 2017. This is a dangerous trend, and there is a need for financial awareness among younger people. Twitter: @Independent
27. Phone forwarding scam.
This scam usually targets businesses that accept customers’ credit card information. For example, pizza shops or restaurants can be targeted by this type of phishing attack. The scammers call the business and make up a scenario to get the call-handling employee to dial a set of numbers. Once these numbers are dialed, the business’s calls are forwarded to the scammers’ phones. From there, they can steal credit cards and other customer information. To avoid such a scam, all employees should be trained in phishing prevention. Twitter: @CSOonline
28. Call forwarding scam using AT&T.
In this phone forwarding scam case, AT&T gets a call from a pizza parlor, reporting a problem with their number and requesting their calls to be forwarded to another number instead. When this is done, they start receiving calls from pizza lovers. The scammer asks the customer to pay in advance via their credit card. When the customer gives their credit card details, the scammer uses it to make unauthorized purchases. To avoid such credit card scams, it’s important not to give credit card numbers to anyone – even the trusted local pizza shop. Twitter: @schneierblog
29. Xbox hackers spoof messages to call SWAT teams.
In an ugly turn of events, some hoax texts were sent to the AT&T emergency service informing them about two Russian males that broke into a house. The house belonged to a Microsoft employee who was unpopular among hackers because his responsibilities included shutting down Xbox users who exploited system vulnerabilities. Similar incidents had happened in the past to other Microsoft employees as well, and they ended up facing SWAT teams because of disgruntled Xbox hackers. Twitter: @TheRegister
30. SIM swapping and voice phishing to steal Bitcoin.
In this case of identity theft, two hackers stole Bitcoin and social media accounts by phishing phone company employees and getting customer account information from them. The hackers set up websites that looked like genuine employee portals of wireless companies. From there, they gathered employee credentials and swapped the SIM identity of customers. This helped them take control of customers’ phones, and they were able to reset passwords for social media, emails, and cryptocurrency accounts. Twitter: @briankrebs
31. Phishing using a fake crisis scare.
Scammers always try to invoke a sense of urgency, and a crisis scare can be a good way to do that. With the pandemic raising the stress levels of people around the world, fake crisis scenarios can be created easily. People often want to get updates about the pandemic, and they listen to the government, WHO, or other authorities. An email that seemingly arrives from these authorities is more likely to be opened by the recipient. Anyone who receives such an email should verify the sender before clicking on any link or performing any other action given in the email. Twitter: @CSOonline
32. Installing malware using spear phishing attachments.
Spearphishing is a type of phishing attack in which the email appears to come from a trusted source. When scammers send a phishing email with an attachment, it’s not likely that the recipient will open it. However, when the email appears to come from someone they trust, recipients are more likely to open attachments. This type of phishing attack is more targeted in nature. To avoid such a scam, ensure that employees check the email addresses of senders carefully. Twitter: @MITREattack
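The advice above, and the CEO-fraud and BEC cases elsewhere in this list, come down to checking who an email is really from. A few of those checks can be automated on the raw message headers: a display name that matches a known executive but an address that does not, a Reply-To that routes answers to a different domain, a lookalike sender domain, and an SPF/DKIM/DMARC failure recorded by the receiving mail server. The following is an added example, not code from the original article or from MITRE; the company domain, executive list and both sample messages are constructed for illustration.

```python
"""Check the sender headers of an e-mail for common spoofing tells.

Added example, not part of the original article. OUR_DOMAIN, EXECUTIVES and
the two sample messages are constructed for illustration.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed: the organisation's own domain and the executives scammers impersonate.
OUR_DOMAIN = "example-corp.com"
EXECUTIVES = {"Jane Doe": "jane.doe@example-corp.com"}


def _domain(addr):
    """Return the lowercase domain part of an e-mail address ('' if none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def sender_warnings(raw_message):
    """Return a list of warning strings for a raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    warnings = []

    # 1. Display name matches a known executive but the address does not.
    expected = EXECUTIVES.get(from_name)
    if expected and from_addr.lower() != expected:
        warnings.append(f"display name '{from_name}' but address {from_addr}")

    # 2. Reply-To sends answers to a different domain than From.
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        warnings.append(
            f"Reply-To domain {_domain(reply_addr)} differs from From domain {_domain(from_addr)}"
        )

    # 3. Lookalike domain: contains our company name but is not our domain.
    label = OUR_DOMAIN.split(".")[0]
    sender_domain = _domain(from_addr)
    if sender_domain != OUR_DOMAIN and label in sender_domain:
        warnings.append(f"lookalike sender domain {sender_domain}")

    # 4. The receiving server recorded an authentication failure.
    auth = msg.get("Authentication-Results", "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        if f"{mech}=fail" in auth:
            warnings.append(f"{mech.upper()} failed")
    return warnings


# Constructed sample: a CEO-fraud style message with spoofed identity.
SPOOFED = """From: Jane Doe <jane.doe@example-corp-secure.com>
Reply-To: ceo.office@mail-relay.example.org
To: controller@example-corp.com
Subject: Urgent wire transfer
Authentication-Results: mx.example-corp.com; spf=fail smtp.mailfrom=example-corp-secure.com; dmarc=fail

Please wire EUR 2,000,000 today. Do not discuss this by phone.
"""

# Constructed sample: a genuine internal message.
LEGIT = """From: Jane Doe <jane.doe@example-corp.com>
To: controller@example-corp.com
Subject: Q3 figures
Authentication-Results: mx.example-corp.com; spf=pass; dkim=pass; dmarc=pass

Please send me the Q3 figures when ready.
"""

if __name__ == "__main__":
    for name, raw in (("SPOOFED", SPOOFED), ("LEGIT", LEGIT)):
        print(name, sender_warnings(raw) or ["no warnings"])
```

None of these checks replaces the out-of-band confirmation the article recommends for payment requests, but together they catch the headers that CEO-fraud and supplier-impersonation emails typically get wrong.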
33. CEO fraud scam to make wire transfers.
CEO fraud is when the scammer spoofs the email address of the company CEO and asks a top-level executive to make a money transfer to a particular account. According to FBI data, CEO fraud has been used to gain $26 billion. It’s a widespread fraud and has been reported in all 50 states in the U.S. In a recent case, Crelan Bank of Belgium was conned out of €70 million because of CEO fraud. Twitter: @KnowBe4
34. CEO, CFO sued over cyber fraud.
The former CEO and CFO of FACC are being sued by the company over an online fraud that cost the company tens of millions of Euros. The fraud became public in 2016, when it was disclosed that about 54 million Euros had been deposited in foreign accounts. Both executives denied the allegations. Since a lot of scammers want to target top-level executives, it’s very important to be aware of the common attack methods. Twitter: @Reuters
35. Drug Company loses $50 million due to CEO fraud.
While it’s a well-known scam, many people still fall for CEO fraud. In 2016, scammers emailed Upsher-Smith Laboratories, a drug-making company. The email seemingly came from the CEO of the company and instructed the employees to make nine wire transfers amounting to a total of $50 million. To avoid such a scam, it’s important to train employees and have a financial transfer protocol in place. Twitter: @FOX9
36. Nearly $47 million robbed from Ubiquiti Networks.
Scammers used employee impersonation to swipe money from Ubiquiti Networks. With the phishing attacks, the scammers made the company pay huge amounts to overseas accounts that belonged to third parties. Not many details about the scam were disclosed, but it was clear that the fraudsters used phishing to gain money. Twitter: @NBCNews
37. Leoni AG falls for an email scam and loses €40 million.
In this interesting case, Leoni AG, a European cable company, lost €40 million because they trusted an email. The scam is interesting because the fraudsters had the inside knowledge that this particular factory was the only one out of the four factories in Romania that had the authority to make money transfers. The scam worked as a whaling attack when a seemingly important figure at the company asked an employee in the finance department to make wire transfers. Twitter: @bankvaultonline
38. Xoom lost $30.8 million, thanks to a phishing attack.
In another online scam, about $30.8 million was fraudulently transferred from Xoom to overseas accounts. The CFO of the company resigned immediately after this scam. Xoom said that the scammers used employee impersonation to carry out this whaling attack. While no customer data or money from personal accounts was stolen, the company lost money as well as its reputation in the share market. Twitter: @Reuters
39. French cinema company falls for CEO fraud.
After looking at all these cases of CEO fraud and whaling attacks, it becomes clear that the staff of a company (and especially the top-level staff) must be trained in online security. In a similar case, Pathé, a French cinema chain, fired two senior management employees after being robbed of €19 million. This was roughly 10 percent of the company’s annual revenue. Twitter: @BnkInfoSecurity
40. Chinese hackers stole $18.6 million from an Italian engineering company.
With an elaborate fraud scheme, Chinese phishing scammers were able to steal $18.6 million from Tecnimont SpA, an engineering company. The scammers sent emails to the head of the Indian branch of Tecnimont SpA. The emails appeared to be coming from the CEO of the company. There were also conference calls to discuss a confidential acquisition. With such a detailed attack, the fraudsters were able to easily rob the company. Twitter: @BnkInfoSecurity
41. Spearphishing attack to send wire transfers to an account in China.
In this well-planned attack, scammers posed as the CEO and emailed Scoular to make wire transfers to China. The scammers said they were buying a company in China. The emails weren’t even from the CEO’s official address and warned the controller at Scoular not to communicate via any other medium to avoid infringing SEC regulations. Since Scoular had been planning to expand in China, the controller fell for the scam and made wire transfers amounting to a total of $17 million. Twitter: @CSOonline
42. Hackers create fake websites with SSL certificates.
For years, people have been trusting websites with SSL certificates. However, scammers now add free DV SSL certificates to their fake websites, which makes them look like secure websites. In a rather intriguing case, hackers built fake websites mimicking those of several construction companies in Edmonton and sent phishing emails to their business partners. They earned handsomely by duping people. Since a free DV certificate only shows that someone controls the domain, not who they are, the padlock alone cannot be trusted, and there is a need for extended validation for websites. Twitter: @hashed_out
43. PayPal phishing certificates using SSL encryption.
Let’s Encrypt is a certificate authority that issues free SSL certificates to websites. Using this service, several hackers have gained SSL certificates for their fake websites. Since PayPal is a highly targeted website, many hackers want to set up fake PayPal websites to dupe unsuspecting victims. Over 14,000 SSL certificates have been issued by Let’s Encrypt that contain the term “PayPal.” It’s widespread abuse, and people who blindly trust HTTPS can fall for this scam. Twitter: @hashed_out
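The two certificate cases above share one lesson: a valid certificate for a hostname that merely contains a brand name says nothing about who runs the site. Defenders who monitor certificate transparency logs or proxy logs can flag such names automatically by asking whether the brand appears in the hostname while the registrable (apex) domain is not one the brand actually owns. The following is an added example, not code from the original article, Let’s Encrypt or PayPal; the brand table, the tiny public-suffix table and the sample certificate names are constructed for illustration (a real deployment would use the full Public Suffix List).

```python
"""Flag hostnames that borrow a brand name without being the brand's domain.

Added example, not part of the original article. BRANDS, MULTI_LABEL_SUFFIXES
and SAMPLE_SANS are constructed for illustration.
"""
import re

# Constructed: brand keyword -> apex domains that legitimately belong to it.
BRANDS = {"paypal": {"paypal.com", "paypal.me"}}

# Constructed stand-in for the Public Suffix List (assumption, not complete).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}


def registrable_domain(hostname):
    """Return the apex domain of a hostname, e.g. a.b.paypal.com -> paypal.com."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def lookalike_brands(hostname):
    """Return the brands a hostname imitates: the name appears anywhere in the
    host, but the apex domain is not one of the brand's own domains."""
    host = hostname.lower()
    apex = registrable_domain(host)
    hits = []
    for brand, legit in BRANDS.items():
        if apex in legit:
            continue  # the brand's own site, e.g. www.paypal.com
        # Also catch the usual digit-for-letter swaps (1 for l, 0 for o).
        pattern = brand.replace("l", "[l1]").replace("o", "[o0]")
        if re.search(pattern, host):
            hits.append(brand)
    return hits


def triage_san_list(names):
    """Given certificate subject alternative names, return those that imitate a brand."""
    return [(name, lookalike_brands(name)) for name in names if lookalike_brands(name)]


# Constructed sample of subject alternative names as seen in a CT log feed.
SAMPLE_SANS = [
    "www.paypal.com",
    "paypal.com.account-verify.example",
    "secure-paypa1-login.example.net",
    "login.paypal.co.uk.example-host.com",
    "mail.example.org",
]

if __name__ == "__main__":
    for name, brands in triage_san_list(SAMPLE_SANS):
        print(f"{name}: imitates {', '.join(brands)}")
```

The key design point is that the comparison is done on the apex domain rather than on the leftmost labels, because the certificate and the browser both treat `paypal.com.account-verify.example` as a perfectly valid name for a site that has nothing to do with PayPal.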
44. Criminals send phishing emails to Amazon customers.
In this scam, scammers pretended to be from Amazon and emailed people, thanking them for purchasing on Prime Day that was back in July. The email asks the user to write a review for the product and earn a $50 bonus. It then gives a link to the user. This link will either install malware on their device or take them to a fake Amazon page and prompt the user to enter their credentials. Since many users have Amazon linked to their bank accounts, they can lose money by clicking on the link. Twitter: @Inc
45. Chinese hackers strike Mattel at the right time.
Mattel, a toy company, was hit by a CEO fraud attack when the finance executive of the company received an email from the “CEO of the company” to make a wire transfer of $3 million to China. The protocol to make a wire transfer was to get it double-checked by two high-ranking officers in the company. Since the CEO and the finance executive were both high ranking, the transfer was made. The fraud was discovered hours later but by then, the money was already in China. Twitter: @CBSNews
46. Hackers breach Sony network with phishing emails.
Here’s how hackers entered the Sony network back in 2015 with a rather simple phishing attack. Scammers sent fake Apple verification emails to Sony employees that contained a link that took them to a fake page and asked them to enter their Apple credentials. These credentials were then matched with their LinkedIn profiles to find their Sony login details, assuming that the employees would use the same passwords for both accounts. When the passwords matched, they were able to enter the Sony servers and release malware on them, crippling the network. It started with just a phishing email and resulted in a loss for the company. Twitter: @TripwireInc
47. Phishing scam leads to massive power outage.
This phishing scam targeted an electricity distribution company in Ukraine. It began with a spearphishing campaign in which the attackers sent emails with malicious attachments to power distribution companies. When the attachment was opened, it asked the user to enable macros. Once enabled, malware infected the machines and let the hackers remotely control the computers. With remote access, they were able to cut off the power supply of 230,000 customers. Twitter: @globalsign
48. Phishing scam claiming direct deposit to lucky winners.
In October 2020, residents in Brazos County received text messages claiming that the phone owner was a lucky winner and had received a direct deposit of $1,200 from the Covid-19 treasury fund. The message included a link that took them to a fake website. It is reported that the link also stole the users’ personal information when they clicked on it. The sheriff’s office issued a warning regarding these messages. It’s important to beware of messages that claim to offer rewards. Twitter: @KAGSnews
49. IRS warns people of the tax transcript fraud going around.
With every tax season, scammers come up with new IRS-related tax fraud, and this one is quite convincing. People get emails from “IRS” with the subject line mentioning their tax transcript. The email contains an attachment that is often named Tax Account Transcript. However, if the file is opened, it can steal the user’s personal information or spread malware on their device. Twitter: @IRSnews
50. Students targeted by .edu websites.
Email addresses containing .edu generally belong to universities and colleges. In March 2021, many students were targeted by emails that seemingly came from universities but were actually phishing scams. The linked phishing websites required the recipients to provide personal details such as their social security number, address, driver’s license number, etc. Anyone receiving an email like this should avoid clicking on any links or opening any attachments the email may contain. Twitter: @IRSnews