Phishing schemes are still one of the most serious threats to companies. Even internet giants like Google and Facebook got duped out of $100 million through an email phishing scheme when a hacker impersonated a computer-parts vendor.
According to the FBI, criminals made off with at least $676 million last year thanks to so-called business email compromise campaigns, which are attacks designed to trick company executives or accounting departments into sending money to fake vendors.
One reason email scams work so well is because everyone uses email, says Patrick Peterson, the founder and CEO of Agari, an email security company based in San Mateo, California. "Email's original sin is this: Anyone can send anything to anybody and there's no way to see if the link, or the attached spreadsheet, is malicious," he says.
Criminals continue to be successful, the thinking goes, because phishing attacks are simple, low-tech, and exploit weaknesses in human nature. We intrinsically want to open messages addressed to us and click on buttons. We have FOMO on once-in-a-lifetime opportunities. And we get scared by threats.
As criminals adapt their techniques, you (and your employees) should be aware of the scams du jour. Here are some of the most popular phishing attacks happening today.
1. World Cup and vacation rentals.
As the best soccer players around the globe face off during the World Cup in Russia, fans dream about finding affordable tickets. This summer, according to the Federal Trade Commission, scammers are duping fans with phishing emails that include enticing, but totally fake, free trips to Moscow.
"Ignore any email that claims you've won World Cup tickets or a lottery prize to attend the Cup," the FTC posted on its website last week. "The offer may seem promising, but the truth is, scammers are simply phishing for your personal information. Never open files or click on links sent by strangers. And never pay a fee to claim a prize."
The FTC also warns that vacation rental scams, especially around the Fourth of July and throughout the summer, are on the rise. Some scammers target a landlord who is advertising a listing, take over their email account, and replace the contact address on the rental ads with their own. These listings usually offer a fancy home at a below-market price and may ask for payment via a prepaid debit card or gift card.
2. Account takeover.
Agari's Peterson notes that while business email compromise makes up almost 50 percent of the $1.4 billion in total losses from internet crime tracked by the FBI, there's a new rising threat: account takeover attacks. That's when a hacker will infiltrate your email account and get to know who you are and what kinds of business you conduct.
Peterson says his customers report a 126 percent increase in email account takeover attacks. These attacks are low volume and slow, but have a high impact. Since last year, hackers have been targeting real estate agents and stealing wire transfers for house sales.
At a recent conference, "we had two title company executives who said they are seeing it every day," he says. "People are wiring hundreds of thousands of dollars. This attack is driving huge losses."
3. Via social media.
Mike Murray, vice president of security intelligence for Lookout, a mobile security company, says social phishing typically references current, newsworthy events. The good news is that this type of attack is getting harder to execute as email providers and security companies step up their defenses. The bad news is that fraudsters are turning to platforms with fewer protections.
"For the sophisticated, hip attacker, it's about getting out of email entirely and focusing on social media or mobile channels," says Murray. "We see Facebook messages, SMS, iMessage, Android Hangouts, WhatsApp, and even rudimentary attacks via Snapchat. The attackers do what they always do--adapt to new channels."
As a practical tip, Guy Nizan, founder of security company IntSights Cyber Intelligence, suggests you do research when you get a sketchy message. For instance, if you get a note from an address you don't trust, search the sender's address in spam databases like Spamhaus.org or DNSStuff.com, or check a sender's reputation with SenderScore.org or ReputationAuthority.org.
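The Spamhaus lookup Nizan suggests can be scripted rather than done by hand. The following is an added example, not code from the article or from any of the companies quoted: it builds the DNS query names for Spamhaus's IP list (ZEN) and domain list (DBL) and translates the answer codes into a verdict. It assumes the sending IP is taken from the last trusted Received: header of the message, and that the answer-code meanings match Spamhaus's published documentation at the time of writing.

```python
"""Check a sender's IP and domain against Spamhaus DNSBLs (added example)."""
import ipaddress
import socket
from email.utils import parseaddr
from typing import Optional

ZEN_ZONE = "zen.spamhaus.org"   # IP-based list: SBL + XBL + PBL
DBL_ZONE = "dbl.spamhaus.org"   # domain-based list

def zen_query_name(ip: str) -> str:
    """192.0.2.1 -> 1.2.0.192.zen.spamhaus.org (octets reversed, zone appended)."""
    addr = ipaddress.IPv4Address(ip)            # rejects IPv6 and garbage input
    return ".".join(reversed(str(addr).split("."))) + "." + ZEN_ZONE

def dbl_query_name(sender: str) -> str:
    """'Vendor <ap@example.net>' -> example.net.dbl.spamhaus.org (domain part only)."""
    _, address = parseaddr(sender)
    if "@" not in address:
        raise ValueError(f"no domain in sender address: {sender!r}")
    domain = address.rsplit("@", 1)[1].lower().rstrip(".")
    try:
        ipaddress.ip_address(domain)            # DBL must never be queried with an IP literal
    except ValueError:
        return f"{domain}.{DBL_ZONE}"
    raise ValueError("DBL is for domains; use zen_query_name for IP literals")

def classify(answer: Optional[str]) -> str:
    """Translate the A-record answer (or None for NXDOMAIN) into a verdict."""
    if answer is None:
        return "not listed"
    last = int(answer.rsplit(".", 1)[1])
    if answer.startswith("127.255.255."):      # error codes, not listings (public resolver, rate limit, bad zone)
        return "query error (public resolver, rate limit or bad zone name)"
    if answer.startswith("127.0.1."):          # DBL answers
        dbl = {2: "spam", 4: "phish", 5: "malware", 6: "botnet C&C"}
        return f"DBL {dbl.get(last, f'code {last}')} domain"
    if answer.startswith("127.0.0."):          # ZEN answers
        if last in (2, 3):
            return "SBL spam source"
        if 4 <= last <= 7:
            return "XBL exploited or infected host"
        if last in (10, 11):
            return "PBL dynamic or non-MTA address space"
    return f"unexpected answer {answer}"

def lookup(name: str) -> Optional[str]:
    """Resolve the query name; NXDOMAIN means 'not listed'. Needs network and a non-public resolver."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

if __name__ == "__main__":
    # Constructed demo: 127.0.0.2 and dbltest.com are Spamhaus's documented always-listed test entries.
    for name in (zen_query_name("127.0.0.2"), dbl_query_name("Vendor <ap@dbltest.com>")):
        print(name, "->", classify(lookup(name)))
```

Queries sent through a public resolver such as 8.8.8.8 get an error code rather than a listing, so run this from a host using your own resolver.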