
topicnews · October 25, 2024

New phishing schemes to watch out for

When it comes to cybercrime, phishing is one of the biggest threats – and for good reason. It is a gateway for various types of malware (including ransomware) and plays a key role in data theft and identity fraud.

For cybercriminals, the appeal of phishing attacks lies in their profitability and simplicity. They are relatively easy to implement, especially if the fake email is designed to elicit the right emotional response from the recipient.

Here are some of the most common phishing methods cybercriminals use to trick unsuspecting victims:

  • Exploiting fears related to elections, the pandemic, or other important events.
  • Sending fraudulent emails about salary changes or banking agreement updates.
  • Tapping into the excitement around popular TV shows and blockbuster films.
  • Taking advantage of the excitement surrounding major sporting events.
  • Luring victims with discounts, fake freebies, and easy loan offers.
  • Impersonating shipping services with messages that ask recipients to check a delivery status or pay taxes.
  • Scamming people with fake travel booking services that promise deals but don’t deliver.
  • Exploiting the popularity of dating apps to trick users into revealing personal information.
  • Promoting fake investment opportunities in cryptocurrencies and the oil and gas sector.
  • Sending fraudulent emails asking users to sign up for or renew subscriptions to popular cloud storage or streaming services.

The list shows how closely scammers track trends and adapt their lures to whatever is popular at the moment. Flexibility alone does not make a scam effective, though: the delivery tactics matter just as much for a successful phishing campaign.

Hackers get around the barriers

Automated defenses against phishing attacks are constantly improving to address new threats. Secure email gateways (SEGs) successfully filter out most suspicious messages, and many antivirus tools can block content that matches known phishing patterns. However, fraudsters always find ways to circumvent these protective measures. Here are some of the tactics they use to stay one step ahead of cybersecurity experts.

· Using Google Docs comments as a vehicle for phishing links

In 2022, criminals introduced a phishing technique that exploits the Google Docs comments feature. They create a document, add a comment with a malicious URL, and tag the victim with an “@” mention. This triggers an email notification prompting the victim to respond.

Because the message appears to come from Google, security tools often miss it. Additionally, the notification only displays the sender’s name, making it easy for attackers to impersonate trusted contacts. Clicking on the link leads to a website that aims to steal confidential information.

· Google Forms is exploited to hide malicious links

Similar to the previous tactic, this phishing attack exploits a trusted Google service. The attacker creates a Google Form survey with a phishing link embedded in an answer option, using bait such as “Pending Refund”.

The attacker adds the target’s email address and sends an invitation to complete the survey. Because the invitation is sent by Google, it slips past security filters, and the victim is likely to respond, risking malware infection or exposure of personal information.

· Cloud platforms are used as hubs for credential phishing

Scammers are increasingly using popular cloud services to host malicious files, creating a false sense of legitimacy that deceives even wary users. In one such scam, phishers upload a fake PDF file to Google Drive and claim it contains important information. When the victim clicks “Access Document,” they are redirected to a fake Office 365 login page; a pop-up then asks for their Outlook credentials.

After providing their email address and password, the victim can view the PDF, which is actually a legitimate marketing report. All sites are hosted on Google Cloud Storage, making it difficult to detect the scam.

Tips to protect against phishing

Stay vigilant and follow these simple rules of conduct to protect yourself from phishing:

– Avoid clicking on links in emails and IMs.

– Do not open attachments from unknown senders.

– Make sure the login pages use HTTPS and not HTTP before entering credentials.

– If you need to click on a link sent via email, check the URL for typos.

– Look for spelling or grammatical errors in messages that claim to be from trusted brands.

– Be wary of emails with urgent deadlines.

– Limit personal information on social media to avoid tipping phishers off to targeted attacks.
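As an added example (not part of the original article), the following Python helper applies the URL-related rules above mechanically: it flags pages that are not HTTPS, bare IP hosts, credentials smuggled before an "@", typo or digit-for-letter look-alikes of trusted brands, and brand names parked inside an unrelated domain. The trusted-domain tuple and the homoglyph table are constructed assumptions, not data from the article.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed list of brand domains the reader trusts (assumption; extend per environment).
TRUSTED_DOMAINS = ("google.com", "microsoft.com", "office.com", "outlook.com")

# Constructed digit-for-letter substitutions commonly seen in look-alike hostnames.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b", "9": "g"})


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character typo domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_url(url: str, trusted=TRUSTED_DOMAINS) -> list:
    """Return warning strings for a link; an empty list means no red flag was found."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    warnings = []
    if parts.scheme != "https":
        warnings.append("not HTTPS")
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a bare IP address")
        return warnings  # no domain name to compare against brands
    except ValueError:
        pass
    if parts.username is not None:
        warnings.append("credentials embedded before '@' in URL")
    # Naive registrable domain: last two labels (no public-suffix list in this example).
    domain = ".".join(host.split(".")[-2:])
    if domain in trusted:
        return warnings  # genuine brand domain (or a subdomain of one)
    normalized = domain.translate(HOMOGLYPHS)
    for brand in trusted:
        name = brand.split(".")[0]
        if normalized == brand or levenshtein(domain, brand) <= 2:
            warnings.append(f"look-alike of {brand}")
        elif name in host:
            warnings.append(f"'{name}' appears in an unrelated domain ({domain})")
    return warnings
```

Because the registrable-domain step is only an approximation, treat a non-empty result as a prompt to type the known address by hand rather than as a verdict.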