Until a few years ago, phishing attempts were easily recognisable, thanks to poor grammar and unbelievable stories – like a foreign prince wanting to give you money.
This is no longer the case, with scammers becoming increasingly convincing in their methods, warns Anna Collard, senior vice-president: content strategy and evangelist at KnowBe4 Africa.
“It is becoming harder to tell fact from fiction as scammers improve their phishing tactics,” she says. “They set up web pages, social media profiles and emails that look convincingly like legitimate brand collateral, and run believable promotions to trick victims into sharing sensitive data.”
Collard says recent examples of convincing phishing campaigns include social media warnings and fake beer promotions.
A recent scam offering believable Heineken beer giveaways for Father’s Day was collecting personal details such as birthdates, emails, addresses, names, and more. This kind of information could be used to attempt takeovers of legitimate email addresses, says Collard. “What makes this kind of scam successful is that the prizes seemed legitimate – branded coolers and merchandise – and the sense of urgency it created by setting a competition deadline.”
Fraudsters are getting better at impersonating known brands, making it all the more important for people to be on their guard, Collard says.
“In another example, researchers at Akamai discovered a PayPal phishing kit that attempts to steal victims’ identities and financial information. The phishing page looks identical to PayPal’s login page and asks users to solve a captcha before entering their username and password.
“After the victim has logged in, the site tells them that suspicious activity has been detected on their account and asks them to verify their payment card information, social security number, mother’s maiden name, and their card’s PIN. It also asks the user to take a picture of themselves holding their passport, driver’s license, or national ID.
“Akamai believes this data could be used to create cryptocurrency accounts using the victim’s identity.”
Social media such as Twitter, Discord and Facebook are also being used to target victims through scare tactics, says Collard. “Twitter users have been targeted with messages saying their accounts were flagged for using hate speech. They would then be redirected to a fake Twitter Help Centre, where they would be asked to input their credentials. Discord users were accused of sending explicit photos and directed to a QR code which, when scanned, would result in the account being taken over by cybercriminals.”
A Facebook-themed phishing tactic uses a combination of phishing messages, social engineering and Facebook Messenger to trick users into believing they risk having their accounts deleted. “Trustwave reported recently that victims receive a message appearing to come from Facebook, warning that their account would be deleted for violating community standards. To appeal, users are directed to a Messenger conversation with a chatbot named ‘Page Support’, which directs them to a form where they must give their login, name, phone number and password.
“Attacks such as these could just as easily be designed to look like they came from legitimate business tools and critical SaaS applications and could open the floodgates to the company networks too,” says Collard.
Most company employees are active on Facebook, LinkedIn, and Twitter. Cybercriminals use these platforms to scrape profile information of your users and organisation to create targeted spear phishing campaigns in an attempt to hijack accounts, damage your organisation’s reputation, or gain access to your network, warns KnowBe4.