Phishing Scams and Trends 2024
With more and more people living their lives digitally (and we’re not talking about influencers), your data needs to be protected. Technology keeps moving: you can buy a new iPhone and use a VPN to stream TV shows on your commute, or at the office. We’re not the productivity police. What we are is a group of tech junkies who want to help you avoid phishing scams.
What is Phishing?
Not to be confused with what you would do on a long weekend getaway to the lake, the official phishing definition is the fraudulent practice of contacting people by email, phone or text while posing as a reputable company (or one of its employees) in order to trick them into handing over personal information. That information can range from passwords and one-time login codes to credit card numbers.
In 2022 alone, we saw multiple TV shows and documentaries about the scammers of yore, aka pre-pandemic. Apple TV+’s WeCrashed (the WeWork scandal), Netflix’s Inventing Anna (the fake heiress who stole a private jet) and The Tinder Swindler (the tale of a faux diamond heir), and Hulu’s The Dropout (the saga of blood-thirsty Elizabeth Holmes) all paint a picture of glitz and glam. In reality, if you are the victim of a phishing scam there is no movie or TV show in your future, just the loss of precious data and, in severe cases, money.
Common Phishing Examples
Although most of us assume we’ll never fall victim to a scam, online scammers have been honing their craft for years. They want you to slip up and divulge the private details of your life. The Internet is their playground and unfortunately, they came to play.
There’s more than one type of phishing these unscrupulous people want you to fall prey to:
- Email phishing – emails that appear to come from a reputable organization, company or person, usually carrying a link to a credential-harvesting page or a malicious attachment
- Whaling and CEO fraud – whaling targets senior executives directly; in CEO fraud (a form of business email compromise) the attacker impersonates an executive at the company you work for to pressure staff into wiring money or sharing data
- Spear phishing – phishing aimed at one specific person or organization, personalized with details gathered beforehand (your role, your colleagues, a project you are working on) so the lure looks legitimate
- Angler phishing – a social media attack where scammers pose as customer service reps for reputable companies and reply to people who complain publicly
- Smishing and vishing – SMS phishing and voice phishing: text messages or calls from scammers purporting to be from respectable companies
- Peer-to-peer (P2P) payment app scams – requests for money, or fake payment notifications, that appear to come from a reputable P2P payment app
- Cryptocurrency investment scams – “investment tips” and emails from fake crypto exchanges or advisers
- Gaming threats – lures delivered through in-game chat or gaming platforms, often offering free items or currency in exchange for logging in to a fake site
- Malicious links – URLs embedded in emails, texts and fraudulent websites that lead to credential-harvesting pages or malware downloads; the visible link text can say one thing while the destination is another
- Romance scams – when someone you are talking to on a dating app has assumed a fake identity and asks for money (like catfishing, but with financial ramifications)
- W-2 phishing – communications aimed at a company’s HR, payroll or accounting staff, usually posing as an executive, that request employees’ W-2 forms or other tax and payroll data containing Social Security numbers
- Doxxing – publishing someone’s full name, home address and other private details without permission; the data is often harvested through phishing links and then weaponized for harassment
Beware the Scammers
| Trend | What to watch for |
| --- | --- |
| Buy now, pay later | Without proper identity verification, fraudsters take advantage of both the companies offering BNPL and their customers. |
| Ransomware | $590 million in suspected ransomware-related payments were reported in the first six months of 2021. |
| Digital elder abuse | Covid-19 pushed many seniors online to buy groceries, schedule appointments and video chat with their families, giving fraudsters an even better shot at identity theft. |
| Bad romance | The FBI found that between January and July 2021 approximately $133 million in losses were due to online dating and romance scams. |
| Crypto fraud | Beware digital currency investments that sound too good to be true: 7,000 people reported losses of $80 million between October 2020 and March 2021. |
How to Prevent Phishing Attacks
To stop scammers from getting our passwords, money and private data at work, there are safeguards companies can put in place for their employees.
- Secure email gateway: an appliance or service in the mail path that filters inbound and outbound email for spam, malware and malicious links or attachments before they reach the inbox.
- Cloud email security: the same filtering delivered as a service for hosted mailboxes, often able to pull a message back out of inboxes once it is identified as phishing after delivery.
- Security awareness training: company programmes that teach staff how to spot phishing emails and avoid suspicious links or attachments. Phishing drills and other real-time exercises that simulate an actual attack keep users alert in a way a yearly slide deck does not.
- Installing phishing filters in email clients and web browsers reduces the number of lures that reach users, and pop-up blockers stop another common tool used by fraudsters.
- Keep all workstations and devices on current operating system and software versions, and install security patches as soon as they are released; the malware a phishing email tries to deliver usually depends on an unpatched hole.
- Consider automation. Tools powered by artificial intelligence and machine learning can screen emails for tell-tale patterns of fraud, such as a display name that does not match the sending domain or a link whose text differs from its real destination.
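Several of the controls above (phishing filters, automated screening) come down to a handful of checks on the message itself. The following is an added example, not code from the article or from any product it mentions: a small Python scanner that parses a raw email and scores the tell-tale signs described in this section. The brand-to-domain table, the urgency word list, the “two findings is suspicious” threshold, the last-two-labels shortcut for the registrable domain, and both sample messages are constructed assumptions for the demo.

```python
"""Heuristic phishing-email scanner (added example; the brand table,
urgency words, threshold and sample messages are constructed)."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed brand -> legitimate sending domain table; extend for your own organisation.
BRAND_DOMAINS = {"paypal": "paypal.com", "microsoft": "microsoft.com", "chase": "chase.com"}
URGENCY_WORDS = ("urgent", "immediately", "suspended", "verify your account", "within 24 hours")


def registrable(host):
    """Crude eTLD+1 (last two labels); assumes no multi-label public suffixes such as co.uk."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def score_message(raw):
    """Return findings for one raw RFC 5322 message; two or more findings marks it suspicious."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Envelope sender (Return-Path) and header From should normally share a domain.
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = registrable(from_addr.rsplit("@", 1)[-1]) if "@" in from_addr else ""
    _, rp_addr = parseaddr(str(msg.get("Return-Path", "")))
    rp_dom = registrable(rp_addr.rsplit("@", 1)[-1]) if "@" in rp_addr else ""
    if rp_dom and from_dom and rp_dom != from_dom:
        findings.append(f"Return-Path domain {rp_dom} differs from From domain {from_dom}")

    # 2. A brand in the display name with an unrelated sending domain is classic spoofing.
    for brand, legit in BRAND_DOMAINS.items():
        if brand in from_name.lower() and from_dom != legit:
            findings.append(f"display name mentions {brand} but sender domain is {from_dom or 'missing'}")

    # 3. The receiving gateway's SPF/DKIM/DMARC verdicts, if it records them.
    auth = str(msg.get("Authentication-Results", "")).lower()
    for mech in ("spf", "dkim", "dmarc"):
        if re.search(rf"\b{mech}=(fail|softfail|none|permerror)\b", auth):
            findings.append(f"{mech} did not pass at the receiving gateway")

    # 4. Link text that shows one URL while the href points somewhere else.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    if body is not None and body.get_content_type() == "text/html":
        collector = LinkCollector()
        collector.feed(text)
        for href, label in collector.links:
            shown = re.search(r"https?://([^/\s]+)", label)
            if shown:
                shown_dom = registrable(shown.group(1))
                real_dom = registrable(urlparse(href).hostname or "")
                if shown_dom != real_dom:
                    findings.append(f"link text shows {shown_dom} but points to {real_dom}")

    # 5. Pressure language in subject or body.
    haystack = (str(msg.get("Subject", "")) + " " + text).lower()
    hits = [w for w in URGENCY_WORDS if w in haystack]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))

    return {"score": len(findings), "suspicious": len(findings) >= 2, "findings": findings}


# Constructed sample messages (not real mail).
SAMPLE_PHISH = """\
Return-Path: <bounce@mail-relay-7731.example.net>
From: "PayPal Support" <service@secure-paypal-login.example.com>
To: victim@example.org
Subject: Urgent: your account has been suspended
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mail-relay-7731.example.net; dkim=none; dmarc=fail header.from=secure-paypal-login.example.com
Content-Type: text/html; charset="utf-8"

<html><body><p>Your account has been suspended. Verify your account immediately at
<a href="http://secure-paypal-login.example.com/login">https://www.paypal.com/signin</a>.</p></body></html>
"""

SAMPLE_LEGIT = """\
Return-Path: <bounces@paypal.com>
From: "PayPal" <service@paypal.com>
To: victim@example.org
Subject: Your monthly statement is available
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=paypal.com; dkim=pass header.d=paypal.com; dmarc=pass header.from=paypal.com
Content-Type: text/html; charset="utf-8"

<html><body><p>Your statement is ready: <a href="https://www.paypal.com/statements">https://www.paypal.com/statements</a></p></body></html>
"""

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        result = score_message(raw)
        print(name, result["score"], "suspicious" if result["suspicious"] else "clean")
        for finding in result["findings"]:
            print("  -", finding)
```

Each check on its own produces false positives (marketing mail is often sent through a third-party relay, which trips the Return-Path test), which is why the verdict is a count rather than a single rule; in production you would weight the checks and feed Authentication-Results from your own gateway rather than trusting a header the sender could have written.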
Future Phishing Predictions
A few alarming phishing statistics and trends show that this threat is not abating.
- A scant 16% of organizations made it through the past year without experiencing at least one phishing or ransomware incident, according to Osterman Research.
- Many organizations suffered multiple attacks in 2021-2022, and 70% expect an email-borne cybersecurity threat to disrupt their business in the coming year.
- By one tally, January 2021 broke monthly records for phishing statistics worldwide, with 245,771 attacks reported to the Anti Phishing Working Group (APWG).
- Defenders are still playing catchup with the bad guys. In the Osterman report, only 45% of respondents felt confident that all employees in their organization could recognize phishing emails, but their confidence fell to 34% when asked about their ability to spot smishing, vishing, rogue apps, and malicious pop-up ads online.
Counterfeit Shopping Sites
The holidays are about spending time with loved ones and, of course, gift buying. However, bogus shopping sites pop up like gray hairs. You can cover grays with dye but they’re still hiding underneath, and like a professional dye job, some counterfeit sites look so legit that it’s hard to tell which ones are scams and which are real. A counterfeit site can rank high in Google search results, so we suggest checking the URL carefully (including the exact spelling of the domain name) and reading reviews of any site you shop on before making a purchase.
SIM Swapping
SIM swapping is a sneaky way around SMS-based two-step authentication for mobile banking. The attacker calls your mobile carrier, pretends to be you, and has your phone number moved to a SIM they control. Combined with a password they already obtained through phishing or a data breach, that lets them receive the one-time codes your bank texts you and defeat two-factor authentication. A PIN or passphrase on your carrier account makes the port harder, and an authenticator app or hardware security key does not route codes through the phone network at all.
Which Industries are at Risk?
| Industry | Why it is a target |
| --- | --- |
| Healthcare | Cybercriminals love to steal medical records and hold them hostage. Recovering a single lost or stolen record can cost up to $408 USD. |
| Manufacturing | Malware such as password stealers is to criminals what air is to the rest of us: it keeps them alive. Almost 25% of hostile activity aimed at the manufacturing industry is reconnaissance, that is, probing networks and gathering information about the target before the actual attack. |
| Finance | Local file inclusion (52%), SQL injection (33%) and cross-site scripting (9%) make up the top three web application attacks plaguing the financial industry. |
| Education | In 2020, the average ransom demanded from higher education institutions was $447,000. Since 2021, attackers have had a new goal: extorting scientific institutions for access to vaccine research data. |
The Cost of Cybercrime
According to Cybercrime Magazine’s Editor-in-Chief, Steve Morgan, phishing and other cybercrime carry a global price tag. In 2021, damages from these crimes totaled approximately $6 trillion USD. That is expected to climb to $10.5 trillion annually by 2025, a major jump from the $3 trillion USD in damages reported for 2015.
Who’s getting phished?
Scammers don’t discriminate. They don’t see race, income or location. All they see are potential dollar signs. However, the American Journal of Public Health estimates that 5% of the elderly population (about 2-3 million people) fall victim to phishing scams each year.
Why is the 65+ set such an easy target? You don’t have to be in your golden years to understand isolation. If the pandemic taught us anything, besides the effectiveness of vaccines, it’s that being alone for long periods of time downright sucks. Loneliness, seclusion and the inability to do what you once loved take a toll on the psyche, and in turn we become more vulnerable to scams.
To your aging grandma, an email that appears to be from you is going to be opened. She misses you! By the time granny realizes that you didn’t send the email asking for money to buy a new car, it’s too late: the scammers already have her personal data and can use it to commit identity fraud. They’ll open credit cards in her name and max them out faster than you can say, “Gran, don’t open that email!”
Another angle used to get your grandparents’ money is embarrassment. Scammers know that seniors are less likely to report the crime or take legal action after falling for phishing because they are ashamed of having been duped.
Phishing for your identity
Speaking of grandma’s identity: according to the Federal Trade Commission, the states with the most identity theft reports during the first year of the pandemic were:
| State | Identity theft reports |
| --- | --- |
| California | 147,382 |
| Illinois | 135,038 |
| Texas | 134,788 |
| Florida | 101,367 |
| Georgia | 69,487 |
California and Illinois have Democratic governors, while Texas, Florida and Georgia are run by Republicans. Like we said, scammers don’t discriminate. They don’t care how you vote or who you vote for, they’ll find a way to get you.
Types of scams your grandparents may encounter
Besides identity theft, tell the older members of your family to watch out for:
- Winning sweepstakes/lotteries/free vacations: Grandpa gets an email, a text, or a pop-up on his favorite hunting site announcing a lottery win or a cruise. He can’t remember whether he entered (he didn’t), so he clicks and is enticed to enter his banking details or wire a “processing fee”. Sorry Grandpa, but the only ones cruising are the scammers who used your money to buy a Porsche.
- Counterfeit prescription drugs: We all want to pay less for medical care. For your 78-year-old Aunt May, who has diabetes, an offer of cheaper (or even free) prescription drugs is right up her alley. She clicks the link and, bam, the scammer has her personal details. In severe cases the scammers may actually send your aunt a bottle of pills that look like the real deal to keep up the charade.
- Fake anti-aging swag: Uncle Ronnie has wrinkles and isn’t as handsome as he used to be. He sees an email or ad for anti-wrinkle cream made specifically for men. What happens when he clicks on it and downloads the “order form”? He gets even more wrinkles, this time from the stress of discovering malware was installed on his laptop.
- Sugar babies: We hold no judgement for those who use these services to maintain a consensual payment-for-pleasure relationship. But be wary: these sites are prime ground for phishers posing as real people looking for cash in exchange for NSFW hangouts. To your unsuspecting, recently widowed Uncle Milton, a message from what he assumes is a nice lady looking for a connection is the pick-me-up he needed. That nice lady may not be a lady at all, and by the time Milty has sent her $500 to buy a new dress for their first date, he is out not only money but his private information.
- Employment scams: This one is for all the boomers out there who retired and realized they miss working. Employment scams promise jobs that don’t exist. The company looks reputable (they have a website, after all!) but it isn’t real. Some scammers will even go as far as holding “job interviews” with new retirees to keep up appearances. After the interview they “hire” you and have you fill out HR forms, which is where the Social Security number and bank account details for “direct deposit” are harvested.
Developing a criminal profile for phishers
Understanding the victimology behind phishing is important. Still, it’s only half the work. To stop a phisher, you have to think like a phisher. Who are they? What is the motive for their phishing crimes?
Turns out the word phishing grew out of phreaking, the name given to the early telephone-network hackers; the “ph” was grafted onto “fishing”. Phishers are the digital descendants of classic identity thieves, and if we treat them that way we can form a criminal profile that helps explain what motivates them.
The US Department of Justice has spent decades exploring and developing criminal profiles for identity thieves in general.
Likewise, the Center for Identity Management and Information Protection has profiled federal identity theft case data from 2008-2013 in a study published in 2015, updating its earlier 2007 study.
Phishers by the numbers (what the studies tell us about identity theft offenders):
- 7% of identity theft offenders in 2007 were between the ages of 25 and 34
- 7% of the offenders observed in the study were native-born legal residents of the United States
- Only 6.1% of the identity theft criminals at that time were in the country illegally
- One-third of the identity thieves were female, so men dominated the 2007 statistics
- More identity thieves operated as part of a network of scammers than alone
- Phishing has a higher rate of individual targeting: wider internet access over the years lets scammers single out one person inside a business whose compromise sweeps the whole entity into the scam
- Often the fraud was run by a husband-and-wife team
- Groups that engaged in phishing-style identity attacks in the study ran shopper fraud rings
- The victims were often strangers to the thief, but the 2015 update showed that the perpetrator and victim were frequently in a business relationship, such as vendor and customer
We know from these reports that the offenders often operate as small, organised cells. They profit from staying out of the government’s sight and from exploiting easy targets.
Lessons in phishing from the hackers themselves
So now we have a reasonably sound victimology. We know which people need the most intensive training for these incidents, and which groups need to be watched and screened most closely for insider threat.
Now it helps to lay out a criminal methodology for the attacks themselves. What is the exact breakdown of a phishing scam? We studied the methods taught by Pentest Geek, an ethical hacking group that uses scenarios and mock attacks as a fire drill for business teams. They published a complete guide to the phishing attack process on September 18, 2019.
The step-by-step process for a common phishing attack looks like this:
- Enumerate the email addresses: Hackers work out who their emails should go to using a service such as Jigsaw.com. The service unwittingly hands phishers contact data that they can export to CSV files.
- Evade antivirus systems: The phisher studies your antivirus system like a would-be lawyer preparing for the LSATs. They learn which product you run and find a weak spot in it.
- Bypass egress filtering: Time for the phisher to choose a payload. Favorites are reverse_https and reverse_tcp_allports. The attacker listens on a single TCP port and has their server redirect every inbound port to it; the payload on the victim’s machine then tries outbound connections on port after port until it finds one the victim’s egress filter lets through. With reverse_https the connection is wrapped in TLS, so intrusion prevention systems have a hard time telling it from ordinary HTTPS traffic.
- Pick an email phishing scenario: The hacker finds a template and a scenario that will work as the perfect lure, targeting credential-managing roles such as HR or finance. The emails look as though they came from the business’s bank and are labeled “urgent” reports that need the victim’s immediate attention.
- Sidestep web proxy servers: Hackers then identify which web proxy their target uses. The proxy blocks the business network from visiting certain sites, and some proxies also scan downloads for malware, so the proxy can block the victim from downloading the executable the phisher has sent. To get around this, the phisher buys a valid SSL certificate for the malicious site so the connection is encrypted and trusted.
- Send out the phishing messages: Spoofs on you! Hackers can spoof the sender address, or buy a real lookalike domain to make the ruse even more convincing. They then set the WHOIS registration details for that domain to look as legitimate as possible and clone the website they are impersonating, checking their copy against the real site so that everything matches. It has to look as real as possible.
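The last step above hinges on a lookalike domain, and the Counterfeit Shopping Sites section earlier gives the matching advice: check the URL before you trust it. The following added example (not the article’s or Pentest Geek’s code) automates that check in Python. It pulls the registrable domain out of a URL, decodes punycode so internationalised homographs show their real letters, folds common digit-for-letter swaps and accents into a “skeleton”, and then flags a trusted brand hidden in a subdomain, a homoglyph match, or a small Damerau-Levenshtein distance (a typosquat). The trusted-brand list, the confusable map, the distance threshold, the last-two-labels shortcut for the registrable domain, and the sample URLs are all constructed assumptions.

```python
"""Lookalike-domain checker (added example; trusted list, confusable map,
threshold and sample URLs are constructed for the demo)."""
import unicodedata
from urllib.parse import urlparse

TRUSTED = ("amazon.com", "nordstrom.com", "bestbuy.com", "target.com")  # assumed allow-list
# Single characters attackers substitute for look-alike letters, and two-letter
# sequences that read as one letter at a glance (assumed, deliberately small map).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a", "$": "s"})
MULTI_CHAR = (("rn", "m"), ("vv", "w"), ("cl", "d"))
MAX_DISTANCE = 2  # assumed threshold for calling a label a typosquat


def registrable(host):
    """Crude eTLD+1 (last two labels); ignores multi-label public suffixes such as co.uk."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def skeleton(label):
    """Normalise a label so visually similar spellings compare equal (amaz0n -> amazon)."""
    decomposed = unicodedata.normalize("NFKD", label)
    no_accents = "".join(c for c in decomposed if not unicodedata.combining(c))  # nordström -> nordstrom
    folded = no_accents.lower().translate(CONFUSABLES)
    for multi, single in MULTI_CHAR:
        folded = folded.replace(multi, single)
    return folded


def edit_distance(a, b):
    """Damerau-Levenshtein (optimal string alignment): nordstorm vs nordstrom costs 1, not 2."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent transposition
    return d[len(a)][len(b)]


def check_url(url):
    """Classify a URL's host as trusted, lookalike (with the reason) or unknown."""
    host = urlparse(url if "://" in url else "https://" + url).hostname or ""
    if "xn--" in host:  # punycode: decode so a homograph shows its real characters
        host = host.encode("ascii").decode("idna")
    reg = registrable(host)
    if reg in TRUSTED:
        return {"host": host, "verdict": "trusted", "brand": reg, "reason": "exact registrable domain"}
    labels = host.lower().split(".")
    reg_label = reg.split(".")[0]
    for brand in TRUSTED:
        brand_label = brand.split(".")[0]
        if brand_label in labels[:-2]:  # amazon.com.deals-checkout.example
            return {"host": host, "verdict": "lookalike", "brand": brand,
                    "reason": "brand name used as a subdomain of an unrelated site"}
        if skeleton(reg_label) == skeleton(brand_label):  # amaz0n.com, amazon.shop, nordström.com
            return {"host": host, "verdict": "lookalike", "brand": brand,
                    "reason": "homoglyph or different TLD"}
        if edit_distance(skeleton(reg_label), skeleton(brand_label)) <= MAX_DISTANCE:  # nordstorm.com
            return {"host": host, "verdict": "lookalike", "brand": brand, "reason": "typosquat"}
    return {"host": host, "verdict": "unknown", "brand": None, "reason": "no resemblance to the trusted list"}


if __name__ == "__main__":
    # Constructed sample URLs, not real sites.
    for sample in ("https://www.amazon.com/dp/B000EXAMPLE", "amaz0n.com", "https://www.nordstorm.com/sale",
                   "https://amazon.com.deals-checkout.example/login", "https://www.etsy.com/listing/1"):
        verdict = check_url(sample)
        print(f"{sample:50} {verdict['verdict']:10} {verdict['reason']}")
```

Note what this does not do: it cannot tell you that an unfamiliar but honestly named shop is safe, only that a domain is or is not impersonating one you already trust, so “unknown” still means read the reviews. A real deployment would replace the last-two-labels shortcut with the Public Suffix List and the hand-written confusable map with the Unicode confusables table.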
The Future of Phishing
Digital ad fraud is rising like the morning sun. The ad industry currently loses approximately $51 million a day to ad fraud, and according to Bloomberg the annual figure is predicted to reach $100 billion.
Besides the above stats, phishing forecasts look bleak:
- By 2031, ransomware will cost its victims about $265 billion USD annually.
- In 2021, a business was estimated to suffer a ransomware attack every 11 seconds. By 2031, these attacks are expected to occur every two seconds.
Final Thoughts: Phish isn’t What’s for Dinner
Phishing is not going anywhere any time soon, because information fraud is here to stay. That is unfortunate, but a well-trained team backed by the controls above has far less to fear.
A virtual private network (VPN) encrypts your traffic on untrusted networks, which protects your data from eavesdroppers on public Wi-Fi, but it does nothing to stop you typing your password into a fake login page, so treat it as one layer rather than a phishing defence. You may not be able to use one on workplace devices, but you can on your personal ones. Two-factor authentication (2FA) is the more important control: turn it on for every device or service that requires a login, and prefer an authenticator app or hardware security key over SMS codes, which SIM swapping can intercept.
We also suggest contacting your IT department if you are concerned about work-related data breaches. As for your personal data: DO NOT CLICK ON ANY SUSPICIOUS LINKS. If something looks too good to be true, it is. Hover over a link (or long-press it on a phone) to see where it really goes, and type your bank’s or shop’s address yourself rather than following a link in a message.
Sources:
https://cybersecurityventures.com/hackerpocalypse-cybercrime-report-2016/
https://cybersecurityventures.com/annual-cybercrime-report-2020/
https://www.cloudwards.net/cyber-security-statistics/
https://www.comparitech.com/antivirus/ransomware-statistics/
If you only need a VPN for a short while, when traveling for example, our top-ranked VPN, NordVPN, can effectively be used free of charge thanks to its 30-day money-back guarantee. You do have to pay for the subscription up front, but you get full access for 30 days and can then cancel for a full refund. Their no-questions-asked cancellation policy lives up to its name.
Phishing is one of the problems that are currently present in healthcare. But hopefully the industry is on the way towards appropriate technological solutions. A lot of interesting trends appear these days.