Phishing is one of the oldest cybersecurity scams. The first phishing attacks occurred during the mid-1990s when unsuspecting users of America Online (AOL) answered fraudulent emails and gave up passwords and credit card information. Fast forward twenty years, the scam has evolved, but the goal is still the same: get people to give up vital data.
And scammers have been very busy.
According to the FBI, phishing was the most common type of cybercrime in 2020. In addition, they found that phishing incidents nearly doubled in frequency, from 114,702 in 2019 to 241,324 incidents in 2020.
When you dig a bit and learn how people fall for phishing scams, you discover the patterns and the twists. We’ve narrowed the patterns down to three:
1. The Approach
Phishing attacks often begin with email, text messages, even phone calls. The message will be simple, often in the form of an announcement, like a problem with a payment, a security breach, or suspension of benefits or services. If the target is a company or organization, the scammer may seem unassuming, even respectable. For example, some scammers will claim to be a new employee, IT technician, or researcher. They may even produce some credentials or other information to support their claim.
If the attack is broader, the message may appear to originate from a well-known brand, a trusted company or a nonprofit organization. For example, common phishing scams have themes like a credit card company or other financial institution, a charity or a political organization.
Scammers also take advantage of current events and certain times of the year, such as:
- Natural disasters (e.g., North American Fires, Haiti Earthquake, etc.)
- Epidemics and health scares (e.g., H1N1, COVID-19)
- Economic concerns (e.g., IRS scams)
- Major political elections
2. The Build-up
Simple phishing scams take a spray and pray approach, hitting thousands of potential victims all at the same time with identical spoof messages. Some of these campaigns also spoof websites where the primary trap is laid. These campaigns have gotten upgrades in appearance. Although they are easiest to detect among phishing campaigns, we fall to them when we’re rushing around and don’t pay close enough attention.
Some scammers go a step further by picking a target then attacking with a sophisticated social engineering script. The goal is to gain trust and approval from a chain of victims. For instance, the scammer may start with a spoofed email address of known colleagues or executives. If the scammer can’t get enough information from one source, they’ll move on to another within the same organization. Finally, they increase credibility by adding information gleaned from the previous victim as they probe for more data. Within 20-30 minutes, the scammer may have enough information to piece together what they need to infiltrate highly sensitive networks and computers.
3. The Payoff
While the basic pattern is much the same as the first phishing campaigns, the scammers have added new twists with both the script and the payoff. At one point, rather than steal just passwords and credit card information, some scammers led their victims to all sorts of malware: Trojans, spyware, adware, rootkits, worms, keyloggers — all of them costly and destructive for the victim. Lately, ransomware has become vogue with scammers encrypting computers and whole networks — for a much bigger payoff at the end. In addition, with rising cryptocurrency values, scammers also want to enslave some of your computing power for cryptomining.
According to SonicWall’s Mid-year update to the 2021 Cyber Threat Report, this past summer witnessed a record high of 78.4 million global ransomware attacks. Here in the US, the attacks rose by 185%; in the UK, 144%. Our report also shows that scammers have learned to target specific types of organizations. For example, ransomware attacks on government agencies and organizations rose 917%, 615% on education, 594% on healthcare, and 264% on retail.
Avoid being a victim. Here’s how:
The first and probably the most important rule is for us to be constantly vigilant. Raise your awareness when you get an unsolicited phone call or receive unexpected messages. Watch for unusual requests about employees or other internal information. Withhold all information and rely on better judgment before divulging ANY info.
Remember that the phish is all about squeezing information from you: refuse to give it to them. Instead, make a personal commitment to your cybersecurity. For instance:
- Do not click links on email or text – even from trusted individuals.
- Do not download ANYTHING that comes from an email or text message you did not expect; and
- DO authenticate URLs, sender’s identity, and company identity. Often, a simple phone call from your own device will do the trick.
What do you do if you think you are a victim of the phish?
Everyone makes a mistake. The goal of this article (and the whole reason for Cybersecurity Awareness campaigns) is to help you avoid common traps. But even experts fall victim from time to time. If you think that you have tripped into a phishing scam, your response depends on your situation.
- Contain the damage by contacting financial institutions for any accounts you may have exposed. Change your password. If you reuse the same password for multiple resources, change them all.
- Isolate the damage by moving quickly. You should be well protected if you have a service like SonicWall’s Capture Advanced Threat Protection (ATP). If not, isolate the computer or device that you think is infected. Disconnect it from home or office network – wired and Wi-Fi). Treat any nearby devices as suspect and disconnect them as well
- Verify the infection. Understand the threat you face. Several online services can help you identify the type of malware and give you some options for removal and repair.
- Report the incident. If you believe you have revealed sensitive information about your organization, report it as soon as possible. Inform network administrators so that they can raise the alert for other suspicious activities. When you confirm a ransomware attack, report it to law enforcement so they can add to their investigations and search for the criminals.
SonicWall joined the Cybersecurity and Infrastructure Security Agency (CISA) this month to help raise awareness during Cybersecurity Awareness Month. Take on the challenge to do better to prevent cyberattacks like phishing.
Fight the Phish and #BeCyberSmart