Despite increased user awareness, phishing remains one of the biggest security threats to the enterprise. Of 1,450 data breach incidents in 2017, Verizon found that the majority — 1,192 — involved phishing, and email was the most common vector used (in 96 percent of incidents).
Consumers are not off the hook either, even if they seem like small fish compared to businesses. After all, the average loss per victim is only around $140, according to Norton. However, those numbers add up fast — to the tune of $172 billion that was stolen by scammers globally in 2017 from 978 million consumers.
As hackers are always retooling their methods, phishing emails are becoming harder and harder to detect. Gone are the days when bad grammar was a dead giveaway, and many of these emails now look flawless (at least until you start digging deeper).
So far this year, we’ve seen many new, sophisticated phishing campaigns, including various ones impersonating global brands, in what is known as “brandjacking.” Here’s a look at some of the latest phishing emails to avoid in 2018.
EOS initial coin offering: Cryptocurrency is all the rage right now, and it didn’t take scammers long to jump on the bandwagon. Hot platform EOS, developed by startup block.one, had an initial coin offering (ICO) in May. Scammers didn’t lose a beat — they sent out phishing emails with subject lines like “The most anticipated event has arrived.”
The sleek email, with spoofed EOS branding and several legitimate links to the startup’s website, described accurate details about the blockchain platform. It included a link to “claim” unsold tokens, and users who typed in their digital cryptocurrency wallet key on the malicious site essentially gave the scammers full access to their accounts.
It wasn’t the first phishing email targeting EOS users — and in a previous scam, one person reported losing $62,000. If you’re into cryptocurrency, you need to be very savvy to guard your crypto wallet, regardless of what platform you use.
Netflix billing: A massive email phishing campaign targeting U.K. subscribers of the popular streaming service stood out with its authentic-looking emails telling recipients their payment was declined. The email included a link for updating the user’s Netflix billing information, and those who did were none the wiser — after completing the form, they were redirected to a legitimate Netflix page.
A similar campaign has been targeting U.S. subscribers, with the email saying their payment could not be validated and their subscription would be canceled in 48 hours if they didn’t respond by clicking a link to update their information.
Apple store receipt: The email shows firstname.lastname@example.org as the sender and has a subject of “Your invoice receipt from store.” The “receipt” is for a subscription to a service like Netflix, YouTube Red or Sleep Cycle Premium, and the email contains a link to cancel the subscription. The link leads to a site that asks for the Apple ID and other personal information.
One quick way to tell whether this email — or any other phishing email — is bogus is by checking the sender’s actual email address. Apple also says its receipts always have the customer’s billing address, which is not something a phishing email is likely to include.
HSBC loan application: Major banks are always in the cybercriminals’ crosshairs, and one of the latest phishing campaigns brandjacked HSBC to deliver the banking Trojan TrickBot via an attached Word document. The Trojan itself, which has been circulating since 2016, was originally used for harvesting customer credentials but has evolved and is now also capable of behaving similarly to ransomware.
The recent phishing email, with the subject header of “HSBC application documents,” doesn’t raise any red flags with its authentic-looking message. The email uses some of the same techniques — like a lookalike domain for the sender’s address — as other campaigns that targeted HSBC customers last year with the same Trojan.
Companies House complaint: This phishing email can be unnerving because it alleges there is a complaint lodged against the recipient’s company and appears to come from Companies House, U.K.’s registrar of businesses. A Word document is attached to the email to “view” the details of the complaint. Security researchers at MailGuard reported that this attachment contains a malware payload.
The scammers get double points for cleverness. Not only are they using an email address with the uk.gov domain, in at least one variation of this email, they are actually educating the recipients about basic cyber hygiene — the bottom of the message says that if you’re unsure an email is coming from Companies House, you should not reply or click on any links, and report the suspicious email to the government agency.
“Rules of Conduct” HR email: Office 365 users, especially employees, are a constant target for scammers. The latest Office 365 phishing email, with the subject line of “Rules of Conduct,” masquerades as a message from the company’s human resources department. It asks recipients to review a PDF with the company’s rules of conduct, and strangely opens a fake Microsoft Word prompt. Stranger yet, this Word prompt says to click on a link and open it with Excel.
Users who ignore all those red flags along the way are sent to a website with an authentic-looking Office 365 login screen. Those who miss one last clue — the strange-looking website address — and enter their login end up with a real PDF from doingbusiness.org in their hands (and with their credentials in the scammers’ hands).
Although all these latest phishing schemes do a great job of tricking their users, you can beat the scammers every time if you do a few basic things:
- Verify the sender’s address, but don’t let your guard down if it looks legit because email addresses can be spoofed.
- Hover over the link the sender wants you to click on, and make sure the URL makes sense. Beware of lookalike URLs and never click on a shortened URL unless you’re absolutely certain of its origin (and even then, best to check). Use a website like virustotal.com to check the URL against known malicious sites, and a shortlink “decoder” site for short URLs.
- If the email is from a company you don’t do business with, is correspondence you weren’t expecting, or asks you to verify anything (anything!) by clicking a link, treat it as an immediate red flag. Some exceptions are emails you receive when you’re resetting a password or verifying a new online account or subscription, and those kinds of emails arrive immediately after you make the request.
- Just like Companies House scammers advised, don’t click on any links if you’re not sure the sender is authentic. However, these scammers “forgot” to include one more caution, so let’s fix their “omission” — the same rules that apply to links also apply to attachments.
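The checks in the list above (sender domain versus the brand being claimed, link text that names a different host than the href, shortened URLs) as a Python script, added here as an example and not part of the original article. The message is a constructed sample modelled on the billing lure described earlier, and the shortener list is an illustrative assumption.

```python
import email
import re
from email import policy
from urllib.parse import urlparse
# Constructed sample message modelled on the "payment declined" lure described above.
SAMPLE_EMAIL = b"""From: "Netflix Billing" <billing@netfl1x-support.example>
Reply-To: billing@netfl1x-support.example
Subject: Your payment was declined
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please <a href="http://account-update.example/login">update your billing information</a> within 48 hours.</p>
<p>Or visit <a href="http://bit.ly/EXAMPLE-SHORTLINK">https://www.netflix.com/account</a></p>
</body></html>
"""

# Illustrative, non-exhaustive set of link shorteners (an assumption of this example).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def sender_domains(msg):
    """Domains from From and Reply-To; a reply goes wherever Reply-To points."""
    domains = set()
    for header in ("From", "Reply-To"):
        for address in str(msg.get(header, "")).split(","):
            match = re.search(r"@([\w.-]+)", address)
            if match:
                domains.add(match.group(1).lower())
    return domains

def link_findings(html):
    # Flag shortened URLs and links whose visible text names a different host than the href.
    findings = []
    for href, text in ANCHOR_RE.findall(html):
        href_host = (urlparse(href).hostname or "").lower()
        text_host = (urlparse(text.strip()).hostname or "").lower()
        if href_host in SHORTENERS:
            findings.append(("shortened_url", href))
        if text_host and text_host != href_host:
            findings.append(("text_href_mismatch", f"{text_host} -> {href_host}"))
    return findings

def analyze(raw, brand_domain):
    # Return (finding, detail) pairs for a raw message that claims to come from brand_domain.
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = [("sender_domain_mismatch", d) for d in sorted(sender_domains(msg))
                if d != brand_domain and not d.endswith("." + brand_domain)]
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        findings.extend(link_findings(body.get_content()))
    return findings
```

Running `analyze(SAMPLE_EMAIL, "netflix.com")` reports the lookalike sender domain, the shortened link, and the link whose text shows netflix.com while pointing elsewhere.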
“2018 Data Breach Investigations Report,” Verizon
“Identify legitimate emails from the App Store or iTunes Store,” Apple
“Norton 2017 Cyber Security Insights Report,” Norton
“Cryptocurrency Hackers Are Stealing from EOS’s $4 Billion ICO Using This Sneaky Scam,” Fortune
“Thousands of Netflix customers targeted by phishing fraudsters as streaming service warns users to check for VERY convincing scam email,” Daily Mail
“Netflix Phishing Scam Provokes Police Warning,” Fortune
“Old banking Trojan TrickBot has been taught new tricks,” ZDNet
“Fake HSBC Your HSBC application documents delivers Trickbot via Microsoft Equation Editor Exploits,” My Online Security blog
“How an Office 365 Email Hack Cost Millions (and How You Can Avoid the Same Fate),” IMP Solutions blog
“Beware of ‘Rules of Conduct’ Office 365 Phishing Emails,” BleepingComputer