Phishing scams are nothing new -- but they are constantly evolving. It seems there are fresh and increasingly effective emails floating around every week (including the examples below).
Phishing is, for the most part, a numbers game. Phishers send out hundreds of thousands or millions of emails in the hope that even 0.1 percent of recipients will open them and click on links that either direct them to submit personal information on a sham website or drop malware onto their computers.
A sizable share of any such mass mailing goes to dead or abandoned addresses -- wasted effort attackers simply have to accept. But the Anthem and Target breaches exposed tens of millions of live, verified email addresses, which phishers are using with abandon.
“In general, dictionary-style (e.g., using lists of firstname.lastname@example.org) spamming is less prevalent these days than in the past,” according to Gary Davis, vice president of global consumer marketing (a.k.a. Chief Consumer Security Evangelist) for McAfee, part of Intel Security. “There are typically enough sources of valid email addresses -- compromises, social media, affiliate marketing, etc. -- that the behavior of blindly spamming in high volumes has been, for the most part, replaced with more accurate recipient lists.”
And that puts the numbers in phishers’ favor, according to cybersecurity expert Chris Hadnagy, whose book on the subject, “Phishing Dark Waters: The Offensive and Defensive Sides of Malicious Emails,” comes out April 6.
“The success ratio of an attacker is limited by the amount of good emails he has,” said Hadnagy, CEO of Social Engineer, a white hat firm that companies hire to find vulnerabilities in their networks. “If you go to the dark web and buy a list with 100,000 email addresses, you might get a 30 to 40 percent ratio that are bad. When a breach like Anthem happens, we know that all of those emails are legitimate because they were in a healthcare database. I now know that that 100,000-email list is legitimate.”
Those email addresses also come with the names associated with them, which phishers can easily use to make their fake emails even more convincing.
That’s not all. With a little digital elbow grease, attackers can go digging through your social media pages to extract details that help them tailor emails you’ll be more likely to fall for. That can include mining updates from your Facebook page, geolocation tags from your Instagram photos and even the unencrypted traffic you sent over that open Starbucks Wi-Fi network, which anyone nearby can capture, and inserting meaningful details into the emails they send you.
This targeted approach is called spear phishing, and while it has typically been reserved for high-profile, high-net-worth targets like CEOs and government officials, the practice has begun to trickle down the ranks. “Since it’s so easy for the bad actors to get the information needed to spear phish, anyone can be a victim,” said Davis.
Still, it’s easier for phishers to play the numbers. If they send a million people an email purporting to be from, say, Chase Bank, there’s a good chance some of those people will be Chase Bank customers who will be fooled into clicking.
It’s good practice to hover over links to check where they actually lead before clicking -- or better yet, don’t click on email links at all, and type the site’s address into your browser yourself. Bear in mind that the address a link displays can differ from the one it goes to, and that lookalike domains (a bank’s name followed by a different, unfamiliar domain) are designed to pass a quick glance. Phishing emails can often be spotted because they come from suspicious-looking email addresses or by their bad grammar and spelling, though the displayed sender address is easy to forge, so a familiar-looking “From” line proves nothing on its own. And Hadnagy pointed out that there are now people on the dark web offering copy-editing services to make scam emails sound more believable.
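The “hover over the link” check can be automated: parse the anchors out of an HTML email and flag any whose visible text claims one destination while the href points somewhere else. The following Python is an added example, not code from the article or from anyone quoted in it; the email body it scans is constructed for illustration, and the `registrable()` helper deliberately approximates the registrable domain by taking the last two labels (real code should consult the public suffix list).

```python
"""Automated "hover before you click": compare what a link says with where it goes.

Added example. SAMPLE_EMAIL_HTML below is constructed; the hosts in it are
reserved documentation ranges/names, not real sites.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _AnchorCollector()
    parser.feed(html)
    parser.close()
    return parser.links


def host_of(url_or_domain):
    """Lowercase host of a URL or bare domain, or None if there is none.

    urlparse handles the classic 'http://trusted.example@203.0.113.9/' trick:
    everything before '@' is user-info, and the real host is what follows it.
    """
    s = url_or_domain.strip()
    if not re.match(r"^[a-z][a-z0-9+.-]*://", s, re.I):
        s = "http://" + s  # bare 'chase.com/statements' has no scheme
    host = urlparse(s).hostname
    return host.lower() if host else None


def registrable(host):
    """Approximate registrable domain (last two labels).

    Assumption for this example only; production code should use the public
    suffix list so that e.g. 'bank.co.uk' is handled correctly.
    """
    return ".".join(host.split(".")[-2:])


# Visible link text that itself looks like a URL or domain is a claim about
# the destination; text like "Click here" makes no claim and cannot be checked.
_DOMAIN_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)


def suspicious_links(html):
    """Return [(href, text, reason)] for anchors whose text contradicts their href."""
    findings = []
    for href, text in extract_links(html):
        actual = host_of(href)
        if actual is None or not _DOMAIN_LIKE.match(text):
            continue
        claimed = host_of(text)
        if claimed and registrable(actual) != registrable(claimed):
            findings.append((href, text,
                             f"text claims {claimed}, href actually goes to {actual}"))
    return findings


# Constructed sample: one honest link, a lookalike domain, a user-info trick,
# and a "Click here" link that this check cannot judge either way.
SAMPLE_EMAIL_HTML = """
<p>Your Chase account has been locked.</p>
<p>Visit <a href="https://www.chase.com/">https://www.chase.com/</a> for help,</p>
<p>or <a href="http://www.chase.com.secure-login.example/verify">https://www.chase.com/verify</a> now.</p>
<p>Statement: <a href="http://www.chase.com@203.0.113.9/stmt.exe">chase.com/statements</a></p>
<p><a href="https://www.dropbox.com/s/abc123/invoice.zip">Click here</a> to view the shared document.</p>
"""

if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_EMAIL_HTML):
        print(f"SUSPICIOUS: '{text}' -> {href}\n    {reason}")
```

Run against the sample, the lookalike domain and the user-info link are both flagged; the Dropbox “Click here” link is not, because the text makes no claim to contradict. That is exactly the gap Hadnagy’s Dropbox example exploits, so this check complements, rather than replaces, the habit of not clicking email links at all.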
He said that lately he has been seeing a lot of emails disguised as document download notices from Dropbox, the file saving and sharing site. The email is even linked to a real Dropbox account. Clicking on the link to download dumps an “attachment full of malware” onto your computer.
He is also seeing fake emails from ADP, which many businesses use for invoicing and payroll services.
And as we approach tax day, everyone should be on the lookout for emails that appear to be from the IRS, which CBS News reported on in February. The IRS says it “does not initiate contact with taxpayers by email to request personal or financial information.”
Here are a few other examples that Hadnagy and Davis said have been cropping up in inboxes lately: