The 6 Latest Phishing Emails to Avoid in 2018
Despite increased user awareness, phishing remains one of the biggest security threats to the enterprise. Of 1,450 data breach incidents in 2017, Verizon found that the majority — 1,192 — involved phishing, and email was the most common vector used (in 96 percent of incidents).
Consumers are not off the hook either, even if they seem like small fish compared to businesses. After all, the average loss per victim is only around $140, according to Norton. However, those numbers add up fast — to the tune of $172 billion that was stolen by scammers globally in 2017 from 978 million consumers.
Two year's worth of NIST-aligned training
Deliver a comprehensive security awareness program using this series' 1- or 2-year program plans.
As hackers are always retooling their methods, phishing emails are becoming harder and harder to detect. Gone are the days when bad grammar was a dead giveaway, and many of these emails now look flawless (at least until you start digging deeper).
So far this year, we've seen many new, sophisticated phishing campaigns, including various ones impersonating global brands, in what is known as "brandjacking." Here's a look at some of the latest phishing emails to avoid in 2018.
EOS initial coin offering: Cryptocurrency is all the rage right now, and it didn't take scammers long to jump on the bandwagon. Hot platform EOS, developed by startup block.one, had an initial coin offering (ICO) in May. Scammers didn't lose a beat — they sent out phishing emails with subject lines like "The most anticipated event has arrived."
The sleek email, with spoofed EOS branding and several legitimate links to the startup's website, described accurate details about the blockchain platform. It included a link to "claim" unsold tokens, and users who typed in their digital cryptocurrency wallet key on the malicious site essentially gave the scammers full access to their accounts.
It wasn't the first phishing email targeting EOS users — and in a previous scam, one person reported losing $62,000. If you're into cryptocurrency, you need to be very savvy to guard your crypto wallet, regardless of what platform you use.
Netflix billing: A massive email phishing campaign targeting U.K. subscribers of the popular streaming service stood out with its authentic-looking emails telling recipients their payment was declined. The email included a link for updating the user's Netflix billing information, and those who did were none the wiser — after completing the form, they were redirected to a legitimate Netflix page.
A similar campaign has been targeting U.S. subscribers, with the email saying their payment could not be validated and their subscription would be canceled in 48 hours if they didn't respond by clicking a link to update their information.
Apple store receipt: The email shows service@apple.com as the sender and has a subject of "Your invoice receipt from store." The "receipt" is for a subscription to a service like Netflix, YouTube Red or Sleep Cycle Premium, and the email contains a link to cancel the subscription. The link leads to a site that asks for the Apple ID and other personal information.
One quick way to tell whether this email — or any other phishing email — is bogus is by checking the sender's actual email address. Apple also says its receipts always have the customer's billing address, which is not something a phishing email is likely to include.
HSBC loan application: Major banks are always in the cybercriminals' crosshairs, and one of the latest phishing campaigns brandjacked HSBC to deliver the banking Trojan TrickBot via an attached Word document. The Trojan itself, which has been circulating since 2016, was originally used for harvesting customer credentials but has evolved and is now also capable of behaving similarly to ransomware.
The recent phishing email, with the subject header of "HSBC application documents," doesn't raise any red flags with its authentic-looking message. The email uses some of the same techniques — like a lookalike domain for the sender's address — as other campaigns that targeted HSBC customers last year with the same Trojan.
Companies House complaint: This phishing email can be unnerving because it alleges there is a complaint lodged against the recipient's company and appears to come from Companies House, U.K.'s registrar of businesses. A Word document is attached to the email to "view" the details of the complaint. Security researchers at MailGuard reported that this attachment contains a malware payload.
The scammers get double points for cleverness. Not only are they using an email address with the uk.gov domain, in at least one variation of this email, they are actually educating the recipients about basic cyber hygiene — the bottom of the message says that if you're unsure an email is coming from Companies House, you should not reply or click on any links, and report the suspicious email to the government agency.
"Rules of Conduct" HR email: Office 365 users, especially employees, are a constant lure for scammers. The latest Office 365 phishing email, with the subject line of "Rules of Conduct," masquerades as a message from the company's human resources department. It asks recipients to review a PDF with the company's rules of conduct, and strangely opens a fake Microsoft Word prompt. Stranger yet, this Word prompt says to click on a link and open it with Excel.
Users who ignore all those red flags along the way are sent to a website with an authentic-looking Office 365 login screen. Those who miss one last clue — the strange-looking website address — and enter their login end up with a real PDF from doingbusiness.org in their hands (and with their credentials in the scammers' hands).
Although all these latest phishing schemes do a great job of tricking their users, you can beat the scammers every time if you do a few basic things:
- Verify the sender's address, but don't let your guard down if it looks legit because email addresses can be spoofed.
- Hover over the link the sender wants you to click on, and make sure the URL makes sense. Beware of lookalike URLs and never click on a shortened URL unless you're absolutely certain of its origin (and even then, best to check). Use a website like virustotal.com to check the URL against known malicious sites, and a shortlink "decoder" site for short URLs.
- If the email is from a company you don't do business with, you're not expecting correspondence from or is asking you to verify anything (anything!) by clicking a link; it's an immediate red flag. Some exceptions may be emails you receive when you're resetting a password or are verifying a new online account/subscription, and those kinds of emails arrive immediately after you make the request.
- Just like Companies House scammers advised, don't click on any links if you're not sure the sender is authentic. However, these scammers "forgot" to include one more caution, so let's fix their "omission" — the same rules that apply to links also apply to attachments.
Resources
"2018 Data Breach Investigations Report," Verizon
https://www.verizonenterprise.com/verizon-insights-lab/dbir/
"Identify legitimate emails from the App Store or iTunes Store," Apple
https://support.apple.com/en-us/HT201679
"Norton 2017 Cyber Security Insights Report"
https://us.norton.com/cyber-security-insights-2017
"Cryptocurrency Hackers Are Stealing from EOS's $4 Billion ICO Using This Sneaky Scam," Fortune
http://fortune.com/2018/05/31/cryptocurrency-eos-ico-scam/
"Thousands of Netflix customers targeted by phishing fraudsters as streaming service warns users to check for VERY convincing scam email," DailyMail
http://www.dailymail.co.uk/news/article-5253123/Netflix-customers-hit-new-email-phishing-scam.html
"Netflix Phishing Scam Provokes Police Warning," Fortune
http://fortune.com/2018/02/02/netflix-email-police-phishing/
"Old banking Trojan TrickBot has been taught new tricks," ZDNet
https://www.zdnet.com/article/old-trickbot-trojan-taught-new-tricks/
"Fake HSBC Your HSBC application documents delivers Trickbot via Microsoft Equation Editor Exploits," My Online Security blog
"How an Office 365 Email Hack Cost Millions (and How You Can Avoid the Same Fate)" IMP Solutions blog
"Beware of "Rules of Conduct" Office 365 Phishing Emails," BleepingComputer
See Infosec IQ in action
In this Series
- The 6 Latest Phishing Emails to Avoid in 2018
- Keeping your inbox safe: How to prevent business email compromise
- The best 9 phishing simulators for employee security awareness training (2023)
- How to set up a phishing attack with the Social-Engineer Toolkit
- Extortion: How attackers double down on threats
- How Zoom is being exploited for phishing attacks
- 11 phishing email subject lines your employees need to recognize [Updated 2022]
- Consent phishing: How attackers abuse OAuth 2.0 permissions to dupe users
- The state of BEC in 2021 (and beyond)
- Why employees keep falling for phishing (and the science to help them)
- Phishing attacks doubled last year, according to Anti-Phishing Working Group
- The Phish Scale: How NIST is quantifying employee phishing risk
- 6 most sophisticated phishing attacks of 2020
- JavaScript obfuscator: Overview and technical overview
- Malicious Excel attachments bypass security controls using .NET library
- Phishing with Google Forms, Firebase and Docs: Detection and prevention
- Phishing domain lawsuits and the Computer Fraud and Abuse Act
- Phishing: Reputational damages
- Spearphishing meets vishing: New multi-step attack targets corporate VPNs
- Phishing attack timeline: 21 hours from target to detection
- Overview of phishing techniques: Brand impersonation
- BEC attacks: A business risk your insurance company is unlikely to cover
- Cybercrime at scale: Dissecting a dark web phishing kit
- Lockphish phishing attack: Capturing android PINs & iPhone passcodes over https
- 4 types of phishing domains you should blacklist right now
- Email attack trend predictions for 2020
- 4 tips for phishing field employees [Updated 2020]
- How to scan email headers for phishing and malicious content
- Should you phish-test your remote workforce?
- Overview of phishing techniques: Fake invoice/bills
- Phishing simulations in 5 easy steps — Free phishing training kit
- Overview of phishing techniques: Urgent/limited supplies
- Overview of phishing techniques: Compromised account
- Phishing techniques: Contest winner scam
- Phishing techniques: Expired password/account
- Overview of Phishing Techniques: Fake Websites
- Overview of phishing techniques: Order/delivery notifications
- Phishing technique: Message from a friend/relative
- [Updated] Top 9 coronavirus phishing scams making the rounds
- Phishing technique: Message from the boss
- Cyber Work podcast: Email attack trend predictions for 2020
- Phishing techniques: Clone phishing
- Phishing attachment hides malicious macros from security tools
- Phishing techniques: Asking for sensitive information via email
- PayPal credential phishing with an even bigger hook
- Your 2020 tax scam training guide
- Abusing email rules
- 8 phishing simulation tips to promote more secure behavior
- Top types of Business Email Compromise [BEC]
- Be aware of these 20 new phishing techniques
- Phishing in academic environments
We’ll customize our demo to your
- Security awareness goals
- Existing security and employee training tools
- Industry and compliance requirements
