
Hook, line and sinker: Would you fall for these phishing scams?


As the virus began to ravage the world in March this year, there was a sharp increase in the prevalence of phishing attacks. Unfortunately, the Covid19 pandemic provided new opportunities to exploit hardworking taxpayers. According to Google, phishing scams rose by a whopping 350% in April. Although many of these scams focussed on providing fake Covid19 information from Government bodies, there was also a considerable increase in attacks targeting the surge in online shoppers.

When non-essential shops were forced to close their doors, there was a sustained shift towards online shopping. Figures showed that online shopping rose by 52% in August, in comparison to an 11.6% rise in the same month of 2019. It is clear that the virus has had a noticeable impact on our shopping habits. According to McAfee, 80% of Brits purchase goods online at least once a week and 11% once a day during lockdown. Whilst being able to order anything ranging from groceries to a new lawnmower is convenient, it also presents ample opportunity for hackers to scam consumers.


Don’t become the ‘catch of the day’ this Black Friday

With virus rates setting new infection records each day in November, Black Friday will be a very different affair this year. Instead of tackling the frantic crowds desperate to grab a few festive bargains, consumers must be wary of the barrage of online scams.

According to industry intelligence, people looking for items such as games consoles, bikes, clothing, DIY and homeware purchases are more likely to encounter a Black Friday scam. Bad actors are impersonating trusted brands such as Amazon in order to lure shoppers into purchasing impossibly cheap products. Unfortunately, social media platforms are increasingly being used by hackers to carry out these ‘click-bait’ purchase scams.


The trade association is encouraging shoppers to follow the advice of the Take Five To Stop Fraud campaign, which promotes the slogan ‘stop, challenge and protect’. The aim of this is to promote scam awareness and reduce the number of people falling victim to fraud.

Would you fall for these scams?

Phishing attacks are becoming more complex and targeted. Although their basic aim remains the same, they are no longer confined to email attacks only. Hackers use a range of mediums including phone calls, SMS and targeted social engineering. Before reaching out, these criminal enterprises take the time to learn about their target. This helps to build trust and increases the chance of duping their victims. Subsequently, as these hackers continue to hone their craft, their scams become more difficult to identify.

Here are some of the key phishing scams of 2020:
  • Amazon scams: Amazon is one of the most common brands used for Black Friday scams, as they hold around 26% of the Black Friday market. A recent scam involving Amazon Prime has already stolen over £400,000 from online consumers. This begins with a victim receiving a call which claims they have been charged for an Amazon Prime subscription; they are then connected to a fraudster masquerading as an Amazon customer service worker. The criminal tries to convince the victim that they need to gain remote access to their laptop to fix the issue. Once they have access, they are able to take control of the device and harvest personal financial details.
  • PayPal scams: PayPal is another common brand used for phishing scams. A recent phishing scam involving PayPal states “your account has been limited” or “your account has been suspended due to suspicious activity”. This is closely followed by a malicious link which directs you to a phishing site asking for personal details. If you do receive this email, do not reply or click on any links; forward the email to spoof@paypal.com so that they can help to shut down the scam site.
  • American Express: Using well-known banks and credit card brands for phishing scams is nothing new. Although the logo in this scam is distorted, if the recipient had a momentary lapse of judgement and failed to check the email address, they may be tricked into clicking on the faux link. These scams prey on fear, uncertainty and doubt, hoping that it will trigger a knee-jerk reaction which the victim will later regret.
  • Posing as an unhappy customer: Most businesses want to ensure that customer complaints are dealt with in a timely manner. This phishing scam is certainly effective in terms of creating a sense of panic and urgency. It is easier for hackers to pose as a customer, as they may not be sending from a business domain, so the obvious sign of the ‘sender’ and ‘from’ fields not matching may not apply. Diligent accounts or customer service teams could easily fall foul of these scams.
  • Push payment scams: Here at Equilibrium, we have been approached by numerous companies who have fallen victim to authorised push payment attacks. These involve businesses knowingly transferring funds to an account belonging to a scammer. These attacks are often months in the making. Hackers take time to understand the inner hierarchy of a business in order to have a higher chance of a successful transfer. They may pose as a trusted supplier and put pressure on accounts teams to make a quick payment. Unfortunately, these attacks can often be highly convincing, and businesses willingly lose thousands of pounds.
  • CEO phishing attacks: These attacks involve scammers posing as a CEO or MD. A common method is to send an attachment which details a pay rise, or the end of financial year figures. These scams are even more effective if bad actors are able to spoof your company domain. Unless you have DMARC configured correctly, domain spoofing attacks are worryingly easy to execute.
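The last point above, that DMARC has to be configured correctly and not merely published, is something you can check for your own domain. The following is an added example, not code from the original post or from Equilibrium: it parses a DMARC TXT record (the `_dmarc.<domain>` record you would fetch with `dig TXT _dmarc.example.com`) and reports the settings that leave the domain spoofable. The two records and the domain `example.com` are constructed sample values, not real DNS data; a record with `p=none` only monitors and still lets spoofed mail be delivered, while the hardened record rejects unaligned mail for the domain and its subdomains and collects aggregate reports.

```python
"""Assess whether a DMARC record actually protects a domain against spoofing.

Added example for this post, not the project's own code. The sample records
below are constructed for a hypothetical domain and are not real DNS data.
"""
from dataclasses import dataclass, field

# Constructed sample records (hypothetical domain "example.com", not real DNS data).
# Weak: monitor-only policy, no reporting address, so spoofed mail still lands.
WEAK_RECORD = "v=DMARC1; p=none; pct=100"
# Hardened: reject unaligned mail on the domain and subdomains, strict alignment,
# and aggregate reports so spoofing attempts become visible.
HARDENED_RECORD = (
    "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; "
    "rua=mailto:dmarc-reports@example.com"
)

ENFORCING = ("quarantine", "reject")


@dataclass
class DmarcAssessment:
    policy: str
    subdomain_policy: str
    pct: int
    findings: list = field(default_factory=list)

    @property
    def blocks_spoofing(self) -> bool:
        """True only when no weakness was found."""
        return not self.findings


def parse_dmarc(record: str) -> dict:
    """Split a 'tag=value; tag=value' DMARC record into a dict of lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue  # tolerate trailing separators and malformed fragments
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> DmarcAssessment:
    """Flag the settings that leave a domain open to domain-spoofing phishing."""
    tags = parse_dmarc(record)
    findings = []

    if tags.get("v") != "DMARC1":
        findings.append("missing or invalid v=DMARC1 tag: receivers will ignore the record")

    policy = tags.get("p", "").lower()
    if policy not in ENFORCING:
        findings.append(f"p={policy or '<missing>'}: monitor-only, spoofed mail is still delivered")

    # Per RFC 7489 the subdomain policy defaults to the domain policy when sp= is absent.
    sub_policy = tags.get("sp", policy).lower()
    if sub_policy not in ENFORCING:
        findings.append(f"sp={sub_policy or '<missing>'}: subdomains can still be spoofed")

    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
        findings.append(f"pct={tags['pct']!r} is not a number; receivers may ignore it")
    if 0 < pct < 100:
        findings.append(f"pct={pct}: policy is applied to only {pct}% of failing mail")

    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, so spoofing attempts go unseen")

    return DmarcAssessment(policy, sub_policy, pct, findings)


if __name__ == "__main__":
    for label, record in (("weak", WEAK_RECORD), ("hardened", HARDENED_RECORD)):
        result = assess_dmarc(record)
        print(f"{label}: {record}")
        print("  blocks spoofing:", result.blocks_spoofing)
        for finding in result.findings:
            print("  -", finding)
```

DMARC only tells receivers what to do with mail that fails SPF or DKIM alignment, so the reject policy is effective only once your legitimate senders (including third-party mailers) pass SPF or DKIM for the domain; the usual path is to publish `p=none` with `rua=` first, review the reports, and move to `quarantine` and then `reject` once legitimate mail is aligned.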

How to reduce the risk of falling victim to phishing attacks

To protect your business against phishing attacks, it is important to promote a culture which is built around strong Cyber Security protocols. Your employees need to be regularly trained to recognise key fraudulent tactics and suspicious emails. Although phishing attacks are not always easy to spot, staff should be suspicious of psychological methods which provoke a state of fear or urgency. They also need to be cautious before opening email attachments, downloading software or clicking on links in emails.

Regular phishing simulation tests are a good way to test scam awareness. It is a chance to identify your security weaknesses and test the effectiveness of your employee training in a real-life scenario. Social engineering penetration tests can be conducted in the form of a simulated phishing attack, an onsite access assessment or a combination of both. Call us on 0121 663 0055 if you would like to discuss strengthening your security posture.
