16 phishing scams that consumers need to be aware of in 2019
Introduction
Scams are as old as human society. There has, and likely always will be, an element of humanity that will try to take advantage of us all. The game of the phishing scam plays out every day in many forms. The digitization of our world only adds more ways the fraudster can use to trick us into handing over our hard-earned money or personal data.
Consumer phishing scams are a global problem. In the U.S., the Federal Trade Commission (FTC) received more than 1.4 million fraud reports in 2018. In 25% of those cases, money was lost, with the total being around $1.48 billion. This is an increase of 38% over 2017. In the UK, CIFAS (national anti-fraud body) collected a record of 305,564 scam reports in 2017.
Two year's worth of NIST-aligned training
Deliver a comprehensive security awareness program using this series' 1- or 2-year program plans.
Here we’ll look at 16 consumer phishing scams, but this list is by no means exhaustive. It is also worth noting that scams may be as old as the hills, but the ways and means of scamming folk are always changing. The only way to keep on top of phishing scams is to be security-aware.
16 consumer phishing scams
1. Amazon Prime Day
Scammers get lucky phishing when they chose a topic that gets an automatic reaction. Exciting commercial offers from Amazon Prime Day is a typical brand email template that phishers use.
The Amazon Prime Day phishing scam coincides with the emails sent by the legitimate Amazon company about Prime member offers. The email is commonplace, as it uses a DIY system known as a phishing kit, making it easy for the average fraudster to create a phishing email.
The phishing email contains a PDF attachment. Open the attachment and you are presented with links which, when clicked, take you to a spoof site that looks just like the real Amazon login page. If you then enter your Amazon login credentials, they will be sent to a cybercriminal who will use them to hijack your Amazon account.
2. AppleID scam
Phishing scams use our natural human behavior to get what they want. In the case of the AppleID scam, this behavior is to drive the user to click a link.
The scam uses fear and uncertainty to get this click. The scam email tells the recipient that their Apple account has been locked to protect it against a hacker. To unlock their account, the recipient should click on the link and follow the instructions on the website. This scam often not only steals AppleID login credentials but may also infect the user’s computer with malware.
3. Apple invoice
Brands like Apple have built their reputation with consumers because they create a trusted relationship; it is this trust that phishers rely on. The Apple invoice phishing scam email contains a malware-infected attached purporting to be an invoice from iTunes or Apple. If the recipient clicks to open the invoice, their computer may become infected with the malware.
4. Sextortion
Earlier this year, the FBI announced that cases of “sextortion” were on the rise (no pun intended). Sextortion emails can be a shock for anyone who receives them, as they are a form of blackmail. The phishing email typically informs the recipient they have been “caught in a compromising position” whilst watching pornography. The email goes on to say that unless the recipient pays X amount in Bitcoin within X days, a video of the recipient in the compromising position will be sent to their family and friends.
The sender may also add weight to the extortion by displaying a genuine password that was used by the recipient at some point. The password will have been part of an earlier data breach.
5. Tax scams
When tax season comes around, tax scams abound. Both voice phishing (vishing) and traditional email phishing are used in the tax phishing scam.
In the vishing version, callers will impersonate tax office staff. For example, the IRS in the U.S. or HMRC in the U.K. The calls can be intimidating and threatening, stating that tax is unpaid, and jail awaits unless you pay immediately. The email version may be quite the opposite, stating that the recipient has a tax refund and to claim, just click this link and fill in your details. The data will then, of course, be stolen.
6. Romance scam
This is another phishing scam based on trust. Social engineering pulls at the very heart of our humanness in the romance scam. The scam usually starts on a dating app or website but can begin as a casual contact on a social media site.
The scammer will form an online relationship with the target, showing great emotion early on. Eventually, when the victim seems hooked, the fraudster will ask for money or a similar gift. Emotional pleas such as an ill relative or similar will be used to guilt the victim, who now has an emotional attachment, out of money or other items.
7. Social money mule scam
This is another growing problem that tends to be a social media-based scam. This scam attempts to get a target to share their bank account details for money. Many would think, would anyone actually do that? Well, they do, in droves.
In December of 2018, Europol made 168 arrests of perpetrators of the scam. The scam is often based off sites like Instagram, where fraudsters post up hashtags such as #instantcash. If someone bites, they will be lured into making a quick few hundred dollars if they allow the fraudster to move money through the target’s bank account.
8. Shopping coupon scam
This uses the brand of a well-known shopping chain in the country of the people it is targeting. The scam goes like this. A person receives an email that looks exactly like the shop brand. The email will contain a message to click on this link to activate a coupon for free vouchers/coupons. There may be a sense of urgency, such as a limited-time offer.
Once clicked, the link will go to a spoof site to collect personal details, often also log in credentials of the online version of the shop. Sometimes, this spoof site may also result in a malware download to the shopper’s computer.
9. Air ticket scam
These phishing scams are popular around vacation time. They use a well-known airways brand to carry out the phishing exercise. Usually, an email will contain a message such as “Thank you for booking with Brand Airways. We have received your booking under (reference number).” Then a link to check the booking is correct. If the link is clicked, the user will be taken to a spoof site which will harvest personal details on behalf of the cybercriminal behind the scam.
10. Favorite TV show scam
Fraudsters often use events to maximize the uptake of a phishing scam or to infect a computer with malware.
This was the case when the final season of Game of Thrones was released. Fans of the show who didn’t want to pay to view turned to pirated versions of the show, often advertised via phishing scams. It was these illegal versions of GOT, and other shows, that were used to infect fans computers with malware. Kaspersky found that globally, in 2018, 126,340 users were infected with malware via illegal TV show downloads.
11. FedEx scam
This is a classic in the world of email phishing. Big-name brands, including Amazon and Netflix, are regularly in the top ten favorite brands of fraudsters. FedEx is also a favorite.
The FedEx phishing scam is like many others. It uses urgency and FOMO, such as “click here to see information of a confidential nature” or that FedEx is holding your ATM card and you must arrange payment immediately or lose your card. All have the result of either stealing personal data or infecting a computer with malware.
12. Bank SMiShing scams
The open rate for a text message is around 98%, whereas the rate is more like 20% for an email. SMiShing is, therefore, a good option for a fraudster.
Bank SMiShing is a popular way for scammers to get malware, like a banking Trojan, onto the mobile phone of a user. The victim receives a SMiShing text which looks like it is from their bank. The message contains a link; if they click on it, they are taken to the infected website and the malware package can then be installed.
13. Supermarket WhatsApp scam
The supermarket WhatsApp scam is similar to the email phishing scam using supermarket vouchers/coupons. However, the conduit for the scam is a WhatsApp message rather than an email. The end result is that victims are taken to a spoof site where personal details, including financial information, are harvested for fraudsters.
An interesting aspect of a recent supermarket WhatsApp scam was how well disguised the URL was. The supermarket was the European “Aldi” chain. The URL used by the scammer used a Latin ḍ instead of a d in the aldi.com URL.
14. Medicare vishing scam
In 2018, the FTC had 535,417 impostor scam reports. The Medicare scams used vishing, a phone-based phishing scam. The purpose to obtain money or Medicare personal or banking information. The scam theme varies around offering new policies, medical equipment or services like DNA testing for cancer.
15. Immigration scams
Like a number of scams, this is a vishing scam. The target individual receives a call from someone pretending to be an employee of the department of immigration. This has been an issue in Canada, for example, where fraudsters have pretended to be from the “Refugees and Citizenship Canada (IRCC) department.” The victim is told they have not completed important immigration forms and unless they pay an immediate fee, they face deportation.
16. Prize scams
You will have noticed a theme if you’ve read through our list — fraudsters love to base a scam around an event or activity. Prize scams come in all shapes, but in a typical prize scam, the target will receive an email telling them about an amazing win of $$$. However, to get at the money the target will have to pay a “processing fee” or “shipping and handling charges” or similar, to get at the money.
6 tips to avoid consumer-focused phishing scams
There are many variants of the phishing scam that target consumers. However, there are also a few ways to deal with such scams. Here are a few tips to use and pass on to others to help prevent you becoming a victim of a phishing scam:
1. Report the scam
It is always worthwhile reporting the scam to the brand that is being spoofed. They can then potentially deal with the issue by addressing the scam source (if they can locate the cybercriminal (s) behind it) or have spoof sites associated with the scam closed down.
If the scam happens in the workplace, immediately inform your line manager or someone from the IT department.
2. Be security-aware
Take a security awareness training course or encourage your workplace to provide security awareness training. This will not only help you as a consumer to spot the tell-tale signs of phishing, but it can also help avoid a phishing incident in the workplace.
3. Do not click links or download attachments in suspicious emails
Be absolutely sure before you click a link or download an attachment that the received email is safe.
4. Keep patched and up-to-date
If you do click on a malicious link or download an infected attachment, there is a lower chance of malware infection if your computer is running the latest security patches.
5. Be extremely cautious about entering personal data into websites
Some phishing scams try to trick you into entering login details for an account. Always navigate directly to a website by typing the URL into the browser.
6. Use antivirus software
Antivirus software plays a useful role when used alongside other techniques such as being aware of the tricks used in phishing campaigns.
Conclusion
Phishing scams are not too dissimilar to the tried and tested scams of old. They rely on using trust, fear of missing out, concern over security or a financial gain to trick users into performing an action. This action will ultimately result in the loss of personal data, login credentials or money.
The best way to deal with a scam is to avoid becoming a victim of one. And the only way to navigate through the mire of fraud that is thrown our way every day is to be security-aware and know how phishing scams work.
Phishing simulations & training
Sources
- The top frauds of 2018, Federal Trade Commission
- Fraudulent conduct decreases overall – but worrying rises in some areas, CIFAS
- FBI, This Week: Sextortion Reports on the Rise, FBI
- OVER 1500 MONEY MULES IDENTIFIED IN WORLDWIDE MONEY LAUNDERING STING, Europol
- Game of Threats, Kaspersky
- ROI Showdown: SMS Marketing vs. Email Marketing, Campaign Monitor
- Imposter Scams Top Complaints Made to FTC in 2018, Federal Trade Commission