2020-06-24

Phishing attacks have grown increasingly sophisticated over the years. Usually targeting us by email, sometimes via text message, they attempt to lure users into providing sensitive data, making payments, opening backdoors for malware, or handing over credentials, knowingly or not.

The most basic and easily recognizable attempts follow a scenario in which an individual, frequently from somewhere distant enough not to be contactable in person, has come into money and needs somebody (you) to help manage it in exchange for a cut. While these scams are easy for most of us to spot – they are usually badly written and far too good to be true – as data payloads continue to get richer, cyber attackers are getting smarter in their approaches. They are scraping LinkedIn to disguise themselves as company CEOs or finance chiefs and identifying individual targets within companies based on freely available information. They are leveraging people's anxiety and distraction around current events, such as the coronavirus; Google said it was blocking more than 100 million phishing emails a day at the height of the pandemic, with almost a fifth of them being scam emails related to the virus.

In 2019, the typical breach cost US companies US$73,000, and that's not counting the cost of the resulting reputational damage. The ransomware that takes even the mightiest of metal manufacturers offline for days or weeks can generally be traced back to a careless click on a link in an email. Security software, automatic updates and multi-factor authentication can all help combat the reality that phishing campaigns hit their target, but with 90% of data breaches traced to human error, the key defence mechanism must be our own vigilance.

But that's especially difficult when the warning flags we're told to look out for constantly change. A new scam targeting Wells Fargo customers demonstrates the ever more creative approaches cyberattackers are turning to. And with customers of the bank representing one in three American households, it shows that even scattergun approaches are becoming harder to catch.

Some 15,000 customers of the multinational financial services giant Wells Fargo – which employs more than 260,000 people across 7,400 locations globally – were targeted by a phishing campaign impersonating Wells Fargo Security, luring victims to phishing pages with calendar invites.

According to researchers at Abnormal Security, the messages include .ics calendar file attachments containing events that direct recipients to phishing pages. The messages claimed customers must update their security keys using the directions included in the calendar attachment or have their accounts suspended. On a fake Wells Fargo page, users are prompted to enter sensitive information such as their username, password, PIN and account number.

The scam is particularly clever because it encourages users to open the message on a smartphone, where the .ics file can be added to their calendar automatically. The victim subsequently receives a calendar event notification from their trusted app, which they are more likely to click. If the user falls for the scam and submits all of their details, the attackers have everything they need to take over the target's accounts and steal their identity and money. Not a bad day's work.
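As an added defender-side example (not code from the article or from Abnormal Security), the following Python check unfolds an .ics attachment and flags any event URL whose host is outside an assumed allowlist of the impersonated bank's domains; the sample invite and its URL are constructed placeholders, not indicators from the real campaign.

```python
import re
from urllib.parse import urlparse

# Constructed sample .ics attachment modelled on the lure described above.
# The URL is a placeholder (.invalid TLD), not a real indicator.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\n"
    "VERSION:2.0\r\n"
    "BEGIN:VEVENT\r\n"
    "SUMMARY:Wells Fargo Security: update your security key\r\n"
    "DESCRIPTION:Your account will be suspended unless you update your\r\n"
    "  security key at https://security-update.example.invalid/wf\r\n"
    "URL:https://security-update.example.invalid/wf\r\n"
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)

# Assumed allowlist: domains the impersonated sender would legitimately link to.
TRUSTED_DOMAINS = {"wellsfargo.com"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def unfold_ics(text: str) -> list[str]:
    """Undo RFC 5545 line folding: a line starting with space/tab continues the previous one."""
    lines: list[str] = []
    for raw in text.replace("\r\n", "\n").split("\n"):
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        elif raw:
            lines.append(raw)
    return lines


def extract_urls(ics_text: str) -> list[str]:
    """Collect every URL found in the human-facing text properties of the events."""
    urls: list[str] = []
    for line in unfold_ics(ics_text):
        name = line.split(":", 1)[0].split(";", 1)[0].upper()  # strip parameters
        if name in {"SUMMARY", "DESCRIPTION", "URL", "LOCATION"}:
            urls.extend(URL_RE.findall(line))
    return urls


def host_is_trusted(url: str, trusted: set[str] = TRUSTED_DOMAINS) -> bool:
    """True only for the trusted domain itself or a genuine subdomain of it."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in trusted)


def suspicious_urls(ics_text: str) -> list[str]:
    """URLs in the invite whose host does not belong to a trusted domain."""
    return sorted({u for u in extract_urls(ics_text) if not host_is_trusted(u)})
```

Note that the folded DESCRIPTION line is reassembled before URL extraction, so a link split across a fold is still caught.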

Last year, scammers targeted Google search results, luring in victims with official-looking Google links. Phishers sent emails to targets containing Google search redirection links, and if the targets clicked the link in the Google search results they'd land on the attacker's website. Another sophisticated attack involved a phishing campaign that used a man-in-the-middle (MitM) component to capture company-specific information such as logos, banners, text and background images to produce incredibly realistic sign-in pages – the only giveaway was the URL.

Another clever scam from last year saw phishers using malicious custom 404 pages to serve phishing sites. 404 pages tell users when they've hit a broken or dead link. Targeting Microsoft, the attackers included links that pointed to non-existent pages, and when Microsoft security systems scanned the link, they'd get the 404 error and deem the link safe.

But if a real user accessed the same URL, the phishing site would detect the person and redirect them to an actual phishing page rather than the server's 404 error page.

As phishing scams continue to change shape, they'll slip through the net more easily: “These types of email attacks only highlight the ingenuity of attackers and emphasise to all of us the need to be aware and pay attention to the contents of all emails. If it doesn't read right, or you're asked to do something you wouldn't normally do or have done before, then don't click on anything or follow their instructions – seek advice from your IT department or security team,” said Jamie Ahktar, co-founder and CEO at CyberSmart.