Scammers around the world are constantly pushing out deceptive scams in an attempt to steal money or information from innocent individuals. They will find any way that they can to hack into your system. Phishing and spoofing are two very common techniques that these bad actors use to trick their victims into handing over sensitive information. Phishing scams are a form of social engineering that often use fraudulent emails or other forms of communication disguised as legitimate messages from reputable companies. They exploit the victim’s trust in that reputable company to trick them into revealing sensitive information or installing malware on their devices. Falling victim to a phishing scam could mean serious consequences for you and your business. Similarly, spoofing describes the act of disguising a malicious email, website, phone call, IP address, etc. as a legitimate one. In both of these scenarios, fraudsters pretend to be someone or something else in order to exploit their victim’s trust and extract information such as usernames and passwords, banking information, credit card numbers, social security numbers, and much more. Here are some of the most common kinds of phishing and spoofing.
Email Phishing
Email phishing is one of the most common forms of phishing. Using this method, scammers send illegitimate emails that appear to be from a known, reputable source. This source could range from a popular company to a relative to a coworker. The emails usually include malicious links, attachments, or images, and attempt to create some urgency around clicking on them. Once the user takes the bait, they may be directed to malicious websites that the scammer uses to steal their sensitive information or install malware on their device. Sometimes a scammer won’t include a malicious link at all, but will instead prompt the victim to simply reply with the information they want. Once the scammer gets hold of your info, they could use it for criminal activities like identity theft, stealing money, or even selling your information on the dark web. In any case, these scams are often cleverly disguised, though there are certain things to look for in order to identify them.
Phishing emails often include a flashy subject line that will grab your attention. Check out this article from KnowBe4 to see some subject lines that have been most commonly seen and used.
Some of the most common types of phishing scam emails are fake invoices, email account upgrades, advance-fee scams, Google Doc sharing, PayPal notifications, messages from HR, etc. For example, a hacker might send you a fraudulent invoice from a company claiming that you owe them money, along with banking details for where to send it. In other emails, they may ask you to log in to your Google or Microsoft account on a fake login page, and thereby intercept your login info.
The first step in preventing email phishing attacks is to be cautious and aware. Don’t respond to emails, click on links, images, or attachments, or download anything onto your device unless you are sure that the source is legitimate. Additionally, never hand out personal information to anyone whose intentions you can’t verify. If you are ever unsure, try sending a separate email to, or calling, the person or organization that the suspicious email supposedly came from to ask about its content. They will be able to tell you whether they actually sent it or not. You can also examine the email itself. Look for any misspellings or other inaccuracies in the sender’s email address and in the email content.
Vishing
Vishing is a type of phishing scam that occurs over the phone. Scammers will use the same types of social engineering tactics as mentioned earlier in order to trick you into giving them your sensitive information. During these calls, the scammer may pretend to be a trusted source like a relative, doctor, bank representative, or even a government agency like the IRS. Unprompted phone calls from a company that you may be involved with claiming that an account of yours has been compromised or that you owe them money may be a sign of a scam.
One type of common vishing scam is known as the family emergency scam or grandparent scam. This happens when an older adult is called by a scammer that is pretending to be a relative in need of help. The scammer will say that they need money in order to get out of some sort of trouble, effectively stealing from vulnerable elderly individuals who care about their families.
If you ever receive a suspicious call, hang up and don’t give out any personal information. You can try calling the supposed caller back using a verified phone number to see if it was really them.
Smishing
Smishing, short for SMS phishing, is a type of scam in which the bad actor uses text messages (SMS) to deceive their victims. Just like email phishing, these messages usually contain malicious links or prompt the recipient to reply with sensitive information. The messages will request that you take some sort of action for some illegitimate reason.
Some common smishing scams include fake order or account confirmations, urgent messages about financial situations, customer support messages, gift card or prize money winnings, etc. For example, a scammer might message someone informing them that they have won a certain amount of money. Then, when the victim tries to claim the prize, the scammer steals their information.
The same precautions that apply to email phishing and vishing apply to smishing. Avoid opening links from, or sending information to, unknown or unverified senders.
Angler Phishing
Angler phishing is a type of cyberattack that is similar to vishing and smishing, but instead of over the phone or through text messages, scammers will send their fraudulent messages via the direct messaging feature on a social media platform. They might pretend to be a customer service agent for a reputable company using a fake social media account in order to eventually steal your personal information. Sometimes these scammers will contact customers who have made complaints about a certain company on social media. They will often offer links for the person to follow to ‘fix their problem,’ but that link is infected with malware or leads them to a site that will steal their information.
Be wary of responding to supposed customer service accounts on social media, especially if you cannot verify that they are associated with the real company. If you feel that the account is suspicious, report it as a fraudulent account. You can also contact the company using another form of communication and ask whether or not the account is real. Don’t click any links that may be sent to you in a direct message, no matter how real they look.
Social Media Phishing
Similar to angler phishing, a social media phishing attack uses the direct messaging feature of a social media app. These attacks have the same goal as the others: get the victim to click on a malicious link or reply with sensitive information. In these attacks, a scammer might send a message to their victim claiming to be from a certain company or brand and ask them to be a brand ambassador.
Social media phishing often looks very similar to smishing. Some scams unique to social media, however, include fake job messages on LinkedIn, requests to become an ambassador for a brand, and online strangers asking to start an intimate relationship.
Look out for typos and unverified accounts. If you receive a DM from a suspicious account, delete the message, report the sender, and block them.
Spear Phishing
Spear phishing is a targeted form of email phishing in which a cybercriminal will impersonate a trusted source. Unlike some other forms of phishing, spear phishing targets specific individuals. Scammers will use information that they have gathered about a specific person or organization in order to target individuals related to them. They will use real names, job types, and/or phone numbers in order to impersonate a trusted person. Since these emails often appear to be from an individual within or related to a company, victims will believe they are real.
One common example of spear phishing is fake invoicing. A hacker intercepts an email conversation between two parties about invoicing, then replies from an email address that appears to belong to the trusted party, claiming that their banking information has changed and asking for the money to be sent to a different destination. Other spear phishing attacks include client impersonation, CEO fraud, and coworker impersonation.
Spear phishing attacks, although extremely deceptive, can be avoided. It is important to always double check the validity of a sender’s email address before taking any action related to the email. You may be able to identify these emails by looking out for abnormal content, as well as shared drive links or password protected documents that may be compromised.
Whaling
Another type of phishing scam is called whaling, also known as whale phishing and CEO fraud. In this form of phishing, scammers will find out the name of a company’s CEO or another employee with authority, then impersonate them using a similar email address to that person’s real email address. This scam is similar to spear phishing, but it targets a specific employee that has power within a company. In the fraudulent email, the scammer might ask for money or share a document with the recipient.
Make sure to stay vigilant. These scams, like the others, can be tricky to spot. Look out for any abnormal requests and examine the sender’s email address carefully for any misspellings or an incorrect domain. Reach out to the coworker that the email supposedly came from via a trusted method and ask if they sent the suspicious email.
Clone Phishing
Clone phishing is a type of phishing attack in which the scammer replicates a legitimate email that was sent to you. In this duplicate email, the scammer sneaks in a malicious link or attachment. Some emails may even state that they are resending the email for some reason, to alleviate any suspicion that the copycat email might raise. Usually, the replicated email comes from an email address that is similar to, but not quite the same as, the original sender’s address. Like the others, these scammers use deception to trick you into clicking a malicious link or replying with sensitive information.
To prevent these attacks, beware of emails that appear to have been sent twice. Double check the email address that the email came from and, again, contact the person who it was supposed to have come from through a separate method of communication to verify its legitimacy. Also, if the email asks for information that the supposed sender wouldn’t need or hasn’t needed before, that may be a sign of a scam.
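The check that the spear phishing, whaling and clone phishing sections all come back to, examining the sender’s address for a misspelled or wrong domain, can be automated on the receiving side. The following is an added example (not code from Blue Oak or this post) that classifies the domain in a From: header as trusted, a lookalike of a trusted domain, or unknown; the trusted-domain list and the sample addresses are constructed for illustration.

```python
from email.utils import parseaddr

# Constructed list of domains this organisation really corresponds with.
TRUSTED_DOMAINS = {"example.com", "bank-example.com"}

# Character swaps that read the same at a glance; folded before comparing.
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w", "cl": "d"}

# Domains within this many edits of a trusted one are treated as lookalikes.
MAX_EDITS = 2


def normalise(domain: str) -> str:
    """Lower-case the domain and collapse common homoglyph substitutions."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(header_from: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a From: header value."""
    _, addr = parseaddr(header_from)  # ignores the display name entirely
    _, sep, domain = addr.rpartition("@")
    if not sep or not domain:
        return "unknown"
    domain = domain.lower()
    for trusted in TRUSTED_DOMAINS:
        # Exact match or a genuine subdomain (mail.example.com) is trusted.
        if domain == trusted or domain.endswith("." + trusted):
            return "trusted"
    for trusted in TRUSTED_DOMAINS:
        # Trusted name used as a prefix (example.com.evil.tld), or a near
        # match once homoglyphs are folded, is the lookalike pattern.
        if (domain.startswith(trusted + ".")
                or edit_distance(normalise(domain), normalise(trusted)) <= MAX_EDITS):
            return "lookalike"
    return "unknown"
```

A "lookalike" result is a signal to verify the sender through a separate channel, exactly as the sections above recommend, not proof of fraud on its own.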
Pop-Up Phishing
Pop-up phishing is a type of scam in which a scammer uses pop-ups or fraudulent ads to trick users into downloading malware onto their device. These phishing attacks commonly use scare tactics like fake virus alerts to deceive the recipient into clicking on a malicious link. Newer versions of pop-up phishing take advantage of web browsers’ notification features, sending pop-ups asking the user whether they would like to allow a certain website to send them notifications. When the user clicks allow, malware will be downloaded onto their device.
Some common examples of pop-up phishing alerts include fake “ransomware detected” pop-ups, “AppleCare renewal” pop-ups, and pop-ups claiming to have been sent by law enforcement or Microsoft.
Look out for spelling errors, abnormal color schemes, or anything else suspicious in websites and pop-ups that might occur. You may also want to consider enabling a pop-up blocker that will prevent these pop-ups from happening in the first place.
Evil Twin Phishing
Evil twin phishing is a type of cyberattack that is designed to steal your information through a fake Wi-Fi network. These fraudulent networks are often disguised as legitimate ones, and they may have the ability to intercept data from your device if connected.
Evil twin phishing may be used to perpetrate man-in-the-middle (MITM)/eavesdropping attacks as well. MITM attacks occur when communications between two parties are intercepted. The scammer will place themselves between the two victims and relay or alter communications between these two parties without them knowing. This way, these scammers can steal their information, spy on them, sabotage their conversations, etc. without prompting any suspicion. The two parties still believe that they are communicating with each other, but the entire conversation is actually being controlled by the hacker.
Be on the lookout for any signs of a fake Wi-Fi network. If a hotspot triggers the “unsecure network” warning on your device, that might be a sign of a scam. Also, any hotspot that requires a login when it normally does not, or wouldn’t need one, should be considered suspicious.
Search Engine Phishing
Search engine phishing, also known as SEO poisoning, involves a scammer attracting users using fake product pages. These scammers will boost their fraudulent page to the top of someone’s search results in order to lead them to a spoofed website. Whenever the user tries to buy a product from the fraudulent page, they accidentally hand over their payment information to the scammer.
Try to avoid giving your payment information out to websites that aren’t trusted, reputable vendors. These sites often display huge discounts, giveaways, employment opportunities, or other too-good-to-be-true type messaging, which can make them easy to spot. Be cautious of websites that list copycat products for unreasonably cheap prices.
The tactics described above are just a few of the endless possibilities when it comes to phishing scams, so it is important to always stay educated, aware, and cautious when interacting with people and other things online. At Blue Oak, we can help you put some virtual shields in place to protect you and your company from scams like these. We offer services like anti-malware/ransomware, spam filtering, anti-virus protection, DNS filtering, and many more that will keep you safe and secure. And, in the unfortunate event of a successful cyberattack, we will be able to help clean up that mess. Most people don’t realize the importance of online protection until they need it, so get started now!