Only two months ago, impersonators were heavily into delivery companies like DHL and FedEx and “You’ve just won!” come-ons. Now, according to the latest impersonation study by Cloudflare, AT&T has taken over the #1 spot, followed by PayPal, Microsoft, DHL, Meta (Facebook, Instagram, WhatsApp), the IRS, Verizon, Adobe, Amazon, and Apple.
Impersonators are getting better at their game
In the past, phishers were a sloppy sort -- bad grammar, Nigerian prince money scams, and the like. Now, thanks to things like Artificial Intelligence (AI) and Photoshop, the game has become more sophisticated and convincing.
“Detecting, blocking, and mitigating the risks of phishing attacks is arguably one of the hardest challenges any security team is constantly facing,” Cloudflare’s Alexandra Moraru and Patrick R. Donahue said.
The new phishing tricks
Moraru and Donahue said that the sheer volume of phishing attempts is making life difficult for every security company, and even the most vigilant users are finding it hard to spot the subtleties that attackers employ to make their emails and websites look like the real thing.
Now that the game has changed, what are the wrinkles that people should look for? ConsumerAffairs put that to a panel of cybersecurity sleuths and this is what they shared.
Check the sender's email address: John Wilson, senior fellow of threat research company Fortra suggests that in today's scam environment, we have to take an extra step to make sure an email is real.
"Depending on how you read your email, you might have to touch or hover over the sender's name in order to see the full email address," he said. "Does the part to the right of the '@' sign look right? Was the message sent to you, and only to you? Check the 'To' line -- a legitimate communication from a company should only have your email address there."
Another thing to look for in an email address is “look-alikes” – instances where a brand’s name is misspelled or abbreviated, or has strange characters, in the sender’s email address. Using Microsoft as an example, João Tomé at Cloudflare offered these cases: extra or switched letters (microsogft[.]com), omissions (microsft[.]com), or characters that look alike (the letter o and the digit 0, as in micr0soft[.]com).
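The two checks above (does the domain after the “@” really belong to the brand, and is your address the only one on the “To” line) can be automated. The following Python script is an added example written for this article, not code from Cloudflare, Fortra or ConsumerAffairs. It assumes a small allow-list of brand domains (constructed here, with the addresses of the three sample messages also constructed for illustration), normalizes the look-alike characters Tomé describes (0 for o, plus a few other common substitutions), and flags domains that are a one- or two-character edit away from a trusted brand, that embed the brand name under a different registered domain, or that arrive with more than one recipient.

```python
"""Flag look-alike sender domains and multi-recipient 'To' lines (added example)."""
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Assumption: a defender-maintained allow-list of the real brand domains.
TRUSTED_DOMAINS = {"microsoft.com", "paypal.com", "dhl.com", "att.com"}

# Single characters attackers swap in because they look alike (o/0 is the
# article's example; the others are common substitutions of the same kind).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def normalize(domain: str) -> str:
    """Undo look-alike substitutions so 'micr0soft.com' compares as 'microsoft.com'."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches extra, swapped or omitted letters such as microsogft / microsft."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(raw_email: str) -> dict:
    """Return the sender's domain, whether it is on the allow-list, and a list of findings."""
    msg = message_from_string(raw_email)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    findings = []

    trusted = domain in TRUSTED_DOMAINS
    if not trusted:
        norm = normalize(domain)
        for brand in sorted(TRUSTED_DOMAINS):
            label = brand.split(".")[0]          # e.g. "microsoft"
            if norm == brand:
                findings.append(f"homoglyph look-alike of {brand}")
            elif levenshtein(norm, brand) <= 2:
                findings.append(f"near-miss spelling of {brand}")
            elif label in norm:
                findings.append(f"embeds brand name '{label}' in a non-{brand} domain")

    # Wilson's second check: a genuine one-to-one notice has exactly one recipient.
    recipients = getaddresses(msg.get_all("To", []))
    if len(recipients) != 1:
        findings.append(f"{len(recipients)} recipients on the To line")

    return {"domain": domain, "trusted": trusted, "findings": findings}


# Constructed sample messages (not real mail) covering each case in the article.
MSG_HOMOGLYPH = "From: Billing <billing@micr0soft.com>\nTo: a@example.org, b@example.org\nSubject: Invoice\n\nPay now."
MSG_TYPO = "From: security@microsogft.com\nTo: you@example.org\nSubject: Verify\n\nClick here."
MSG_EMBED = "From: help@microsoft-support.example\nTo: you@example.org\nSubject: Help\n\nHi."
MSG_LEGIT = "From: notice@microsoft.com\nTo: you@example.org\nSubject: Update\n\nHello."

if __name__ == "__main__":
    for raw in (MSG_HOMOGLYPH, MSG_TYPO, MSG_EMBED, MSG_LEGIT):
        print(check_sender(raw))
```

The edit-distance threshold of 2 is a tuning choice: it catches the single insertions and omissions in the article's examples, while the separate substring check covers names like the constructed microsoft-support.example, which are many edits away from the real domain yet still trade on the brand. Short real domains (att.com, dhl.com) are close to many unrelated strings, so in production the distance check should be paired with a reputation or allow-list lookup rather than used alone.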
Phishing via Instagram. Sharad Varshney, CEO of OvalEdge said he’s starting to see social media attackers counting on the likelihood that someone isn’t particularly security-savvy, especially younger users. What’s the ploy?
“An attacker sends the person an email in reference to their Instagram account – a picture or a direct message to entice them with language like ‘your account has been hacked,’ or something like ‘we need to verify your account. Send your name, address, phone number and email here.’” Varshney said.
And once someone takes the bait, a scammer can steal their identity or account credentials to impersonate or blackmail them.
The IRS? Really? Given that Cloudflare’s research showed the climb in IRS impersonations, Emma McGowan, senior writer at Avast, said one thing taxpayers should look for in any email purporting to be from the IRS is the banner at the top which says “an official website of the United States Government.” “If this is missing, it’s very likely that the website is a phishing site,” she warned.
“I’m your boss, so take care of this, please.” Daksh Kapur, Research Scientist at Trellix, said that his threat researchers also found that email/voice phishing scams impersonating CEOs are on the rise, using phrases that any chief executive might use such as:
"I need you to carry out a task for me immediately."
"I need you to get a task done so kindly forward me your cell phone number."
"Send me your phone number, You need to get something done for me right now."
"Please send me your cell number and keep an eye out for my text. I need a task completed."
"Please review and confirm your cellphone number and keep a lookout to my text for instructions."