This guest blog was contributed by Monnia Deng, Bolster. There are countless phishing scams targeting organizations today, and each tactic affects organizations differently in how they respond to and recover from an incident. We are currently experiencing a record-breaking number of phishing attacks in every industry, and the tactics used by cybercriminals have become increasingly complex. The most common phishing scams identified include:
• Typosquatting
• Smishing
• Social media phishing
• Business Email Compromise (BEC) phishing
• Non-Fungible Tokens (NFT) scams
While the tactics differ, every one of these scams has the same goal: gathering valuable data, credentials, and funds.
• Typosquatting: One of the top phishing tactics is email phishing that carries malicious content or suspicious URLs. Attackers accomplish this by registering typosquatting or look-alike domains that imitate the company's own domain and using them to trick the company's employees. The emails include what appear to be legitimate company documents but actually contain malicious macros or malware. Attackers also send emails with links to malicious content hosted on the typosquatting or look-alike domain. If the employees' mail rules and filters don't catch the attacker's emails, the employees are at risk of complying with the attacker's request and granting access to the company's servers and documents.
• Smishing: Unsolicited phone calls to employees from scammers impersonating an organization the company works with are the traditional voice form of this tactic (over the phone it is called vishing, over text messages smishing). A few of the many scams in this category include bank scams, IRS scams, and scammers posing as tech support to get hold of company equipment where data is stored. Regardless of the tactic chosen, the end goal is to harvest company data and profit financially.
• Social Media Phishing: With the rise of social media platforms, social media phishing is one of the most common scams we see today. Because so many platforms are available, social media phishing takes many forms. The most common types are lottery and gift card scams, executive impersonation, account hacking, crypto investment scams, texting scams, hidden or shortened URLs, pirated goods, and online quizzes. As each platform has its own set of rules, it has become tedious for IT security teams to manage and successfully take down fraudulent websites and activity.
• Business Email Compromise (BEC) Scams: Similar to whale phishing, BEC scams are direct attacks on company executives, specifically on the employees responsible for transferring company funds. Scammers create typosquatting domains and submit payment requests to company employees in order to collect funds. BEC scams appear as CEO fraud, fake invoices, account compromise, attorney impersonation, and data theft. More often than not, scammers succeed with this tactic because the emails carry no links or attachments and therefore bypass spam and virus protection systems.
• Non-Fungible Tokens (NFT) Scams: The stakes are high in NFTs because they involve buying, selling, and transferring funds, so scammers know they need to raise the bar in their own tactics to succeed. Fake websites that replicate legitimate stores with little to no visible difference have been identified as a way to trick NFT enthusiasts, and more often than not the scammers succeed in extracting users' credit card information. Another standard method scammers have adopted is fake giveaways that impersonate popular cryptocurrencies and brands, claiming to hand out free crypto or NFT tokens.
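The typosquatting and BEC entries above both rely on sender domains that look like the company's own. The following defensive check, written for this post as an added example (it is not Bolster's code or tooling), flags such sender addresses by folding common look-alike substitutions and measuring edit distance against the company domain; the domain `example-corp.com` and the sample addresses are assumptions constructed for illustration.

```python
import re

COMPANY_DOMAIN = "example-corp.com"  # assumption: the defended organisation's domain

# Character sequences attackers commonly swap in so a look-alike reads like the original.
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w", "cl": "d"}


def normalize(domain: str) -> str:
    """Lower-case, strip a trailing dot, and fold homoglyph sequences to their look-alike."""
    d = domain.lower().rstrip(".")
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum number of insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str, company: str = COMPANY_DOMAIN, max_dist: int = 2) -> str:
    """Return 'internal', 'lookalike', 'external' or 'invalid' for an e-mail address."""
    m = re.search(r"@([A-Za-z0-9.-]+)$", address.strip())
    if not m:
        return "invalid"
    domain = m.group(1).lower().rstrip(".")
    if domain == company or domain.endswith("." + company):
        return "internal"  # the domain itself or a genuine subdomain such as mail.example-corp.com
    if domain.startswith(company + "."):
        return "lookalike"  # company name used as a subdomain of a foreign domain
    folded = normalize(domain)
    if folded == normalize(company):
        return "lookalike"  # e.g. examp1e-corp.com or exarnple-corp.com
    if edit_distance(folded, normalize(company)) <= max_dist:
        return "lookalike"  # e.g. examplecorp.com (omission) or example-crop.com (swap)
    return "external"


if __name__ == "__main__":
    for addr in ["alice@example-corp.com", "ceo@examp1e-corp.com", "bob@partner-bank.com"]:
        print(f"{addr}: {classify_sender(addr)}")
```

The homoglyph folding is deliberately aggressive, so a legitimate partner domain containing "rn" or "vv" may be flagged; tune the table and `max_dist` to the domains your organisation actually exchanges mail with.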
While typosquatting, smishing, social media phishing, BEC, and NFT scams have been identified as some of the top phishing tactics, there are still many other scams to look out for, as scammers keep trying to get ahead of the curve in their phishing efforts.