New Phishing Scams Are Snagging the Unwary


Phishing is the most likely way an employee will come into contact with a cyber threat. It is by far the most common form of cybercrime, with an estimated 3.4 billion spam emails sent out daily. Phishing scammers work tirelessly to identify and exploit even the smallest loopholes in an organization’s cyberdefenses, often using social engineering bait to prey on complacent and uninformed employees. They’re very good at it – and they never stop leveraging new technology and thinking up new ways to lure employees into interacting with their malicious messages. These new phishing scams are something everyone should be keeping an eye out for.

Phishing is the most expensive digital scam


Phishing doesn’t always work the same way. There are tremendous variations in attack tactics and in the information that threat actors are phishing for. In a typical phishing attack, scammers use legitimate-looking communication, usually email, asking users to download a malicious file or prompting them to visit a phishing site that mimics a sign-in page and asks users to enter credentials and account information. If the users take the bait, their systems and networks get compromised.

Phishing is the biggest security problem that businesses face today and is the gateway to devastating cyberattacks. In fact, 9 in 10 cyberattacks start with a phishing email. While the number of phishing victims that reported attacks to the U.S. Federal Bureau of Investigation Internet Crime Complaint Center (FBI IC3) last year was significantly lower than the previous year, the amount of loss that businesses suffered from those phishing attacks rose substantially in 2022 — a trend that is expected to continue.

IC3’s 3 Top Digital Scams

Scam type          Victims 2022   Victims 2021   Change   Losses 2022       Losses 2021       Change
Phishing           300,947        323,972        -31%     $52,089,159       $44,213,707       +18%
Investment Scams   30,529         20,561         +48%     $3,311,742,206    $1,455,942,193    +127%
Spoofing           20,649         18,522         +11%     $107,926,252      $82,169,806       +31%

Source: FBI IC3


3 Dangerous Phishing Scams Making the Rounds Right Now


While most phishing attacks operate along the same line, threat actors keep evolving their techniques to trick users into falling for their traps. That’s why it is crucial for everyone to be aware of the latest phishing techniques to keep themselves and their organizations out of harm’s way.

Here are some of the latest techniques cyber criminals are using in phishing campaigns:

1. AI-assisted phishing attacks

ChatGPT has created quite a frenzy in the tech industry, and even cybercriminals want a piece of the pie. Cybercriminals have turned to ChatGPT and GPT-3 to write hard-to-detect phishing messages. Because public interest in these tools is so high, they have also been luring people with malicious phishing websites, social media pages, and fake apps that impersonate ChatGPT in order to spread various types of malware onto a user’s system. Many cybercriminal gangs also use the ChatGPT name and icon to mislead users into downloading multiple families of malware, leading to the theft of sensitive information.

Researchers recently identified an unofficial ChatGPT social media page with a substantial number of followers and likes, featuring multiple posts about ChatGPT and other OpenAI tools. Some of the links on that page, however, led to phishing websites. In addition, several fake ChatGPT-related payment pages that steal users’ money and credit card information have emerged recently.

2. Typosquatting

Typosquatting is another form of phishing attack in which perpetrators register a common misspelling of another organization’s domain as their own in order to deceive users. Also known as URL hijacking, typosquatting websites target people who accidentally mistype a website address. Once a user lands on the fraudulent website, its operators exploit the borrowed identity to sell competing products or, worse, trick the visitor into divulging personally identifiable information (PII). Recently, a typosquatting website was spotted distributing the RedLine info-stealer malware under the guise of a download for a ChatGPT Windows desktop client.
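The defensive counterpart to the technique described above is to check the domain of every link a user is about to visit against a watch-list of brand domains. The following added example (not code from the original article) flags registrable domains that sit within a small edit distance of a protected brand after common look-alike character swaps are folded back, and also catches brand names embedded in a subdomain; the watch-list and sample URLs are constructed for illustration.

```python
from urllib.parse import urlparse

# Constructed watch-list of brand domains worth protecting (illustrative only).
PROTECTED = ["openai.com", "paypal.com", "unicef.org"]

# Look-alike substitutions commonly seen in typosquats; folded back before comparison.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def levenshtein(a: str, b: str) -> int:
    """Minimum single-character edits (insert/delete/substitute) turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Crude registrable domain: last two labels (no public-suffix list; fine for .com/.org)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def normalise(domain: str) -> str:
    """Undo homoglyph swaps in the name part so 'paypa1.com' compares as 'paypal.com'."""
    if "." not in domain:
        return domain
    name, _, tld = domain.rpartition(".")
    for look_alike, real in HOMOGLYPHS.items():
        name = name.replace(look_alike, real)
    return f"{name}.{tld}"


def classify(url: str, protected=PROTECTED, max_distance: int = 2):
    """Return (verdict, matched_domain) for a URL seen in an email or proxy log."""
    host = (urlparse(url if "://" in url else "//" + url).hostname or "").lower()
    domain = registrable(host)
    if domain in protected:
        return "legitimate", domain
    folded = normalise(domain)
    for brand in protected:
        # 1) near-identical registrable domain after homoglyph folding
        if levenshtein(folded, brand) <= max_distance:
            return "suspected-typosquat", brand
        # 2) brand name embedded in any label, e.g. secure-paypal.com.evil.net
        if any(brand.split(".")[0] in label for label in host.split(".")):
            return "suspected-typosquat", brand
    return "unknown", domain
```

A real deployment would use a public-suffix list for `registrable` and a much larger watch-list; the edit-distance threshold trades missed short typos against false positives on legitimately similar names.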

3. Russia-Ukraine conflict phishing

A global event, especially a war, is always fodder for cybercriminals to unleash a barrage of nasty cyberattacks. The Russia-Ukraine conflict is another war in which nation-state actors have exploited the situation to launch new phishing attacks. These phishing attacks target people aiding Ukrainian refugees and people donating to Ukraine’s NGOs and government. Scammers impersonate the Ukrainian government, Act for Peace, UNICEF, and other NGOs to convince users that they are legitimate charities collecting donations to support Ukraine, and ask for cryptocurrency donations.

Phishers also target Ukrainian manufacturers concerned about the war’s supply chain impact. Many instances of Ukrainian manufacturers receiving emails with malicious attachments and fake order holds have surfaced recently. The U.S. National Security Agency (NSA) recently warned the public that they’ve seen an uptick in Russian hackers attempting to inject ransomware into Ukraine’s logistics supply chain as well as the supply chains of nations that are supporting Ukraine in its fight against Moscow.

Other up-and-coming phishing attacks are just around the corner


A PayPal scam was discovered recently in which attackers abused the online payment system’s own invoicing feature to send malicious invoices that genuinely originate from PayPal. Many users received emails warning them that fraudulent activity had taken place on their accounts and threatening a fine of $699.99 if the victims did not take action. However, as with other phishing emails, the grammar and spelling in those messages were all over the place, and the phone number listed was not related to PayPal.

Another phishing attack that has gained traction is the abuse of Google Ads and SEO to trick users under the guise of helping them buy electric vehicles (EVs), as the government of India has recently introduced lucrative policies to boost the growth of its EV sector. Singapore-based security firm CloudSEK unearthed this scam, in which over 200 phishing sites tricked users into handing their personal data to fake investment schemes impersonating genuine brands.


Be sure to consult with one of our IT Solutions Specialists today to make sure you and your team are ready and protected from these attacks!