3 phishing attacks to watch out for

The reason phishing attacks remain popular is they’re extremely effective. The best ones can go nearly undetected and can cause devastating damage to companies. Here are three active attacks you’ll want to keep an eye on – and make sure your users are aware of.

Phishing attack 1: Holiday shopping


The biggest IT problem with the holiday season used to be users wasting time at work shopping online. But today the threat is much greater than that.

Hackers are taking advantage of the popularity of online shopping this time of year. They’re sending out emails disguised as receipts from Amazon, eBay and other online retailers.

And unlike lots of fake messages, these aren’t always easy to distinguish from the real thing. Troy Gill, a senior security analyst at AppRiver, is impressed by the seeming authenticity of the messages. He observed that many users try to remove them from their spam folders because they actually appear to be authentic:

“Even to me, as a trained professional, seeing these all the time, some look identical to the ones you get from the actual vendor. However, I don’t think any common transactions from Amazon would ever have attachments at all.”

Other common disguises for phishing attacks this time of year include failed package delivery notices from FedEx, UPS or the postal service. It wouldn’t be surprising to users that a package would be delivered, so they might just enter some information to verify it.

Security takeaway: Remind users that receipts, banking information and other sensitive materials would never come in the form of a Word or PDF attachment. If they get a message that appears to be from a legitimate source, they should log into their account in a separate browser window and check for notifications there. That’s where companies would actually post the information.

Phishing attack 2: No more creating sites

According to a recent Google report, some well-designed phishing attacks have a 45% effectiveness rate at stealing persona information. That’s astonishingly high.

Part of the reason these attacks are so effective is that they are well-crafted. Great time and effort is put into making the sites look just as legitimate as the real thing.

But TrendMicro has recently discovered a phishing attack that doesn’t need to create fake pages at all. Instead, hackers create a relay page that users are tricked into opening. From this relay page, they browse the actual, legitimate site as usual.

It’s only when they go to check out their purchases that they’re sent to a malicious copy of the checkout page that collects their account information.

Without needing to create similar looking sites, one of the most labor-intensive parts of the phishing process is taken away – along with the easiest way to detect it’s a forgery, design mistakes. Everything looks legitimate, and users likely won’t realize they’ve been had until their information is gone.

The icing on the cake: Users even get an automatically generated confirmation email of their purchases (which will never actually arrive).

Security takeaway: While these attacks may not have made their way stateside yet, be on the lookout. If they show promise, they’re bound to be used here sooner than later.

Phishing attack 3: Preying on instincts

One final attack to be on the lookout for: the opportunistic ones meant to cash in on users’ fears and sense of compassion.

In the most recent case, that means Ebola phishing scams. It started as fake news stories meant to prey upon users’ fears and offers of medications or other “beneficial” services.

Now, attackers are moving on to another basic emotion, sympathy. They’re setting up fake charitable organizations or soliciting donations for real ones that will never reach the intended charity.

Security takeaway: Using current events to fool users into giving up information is nothing new. Make sure they know that they should only give directly to trusted organizations and realize that in the wake of any disaster or tragedy, there are bound to be scammers looking to cash in.