Cyber criminals aren't in any real rush to think of new phishing scams that can successfully target businesses - the old ways are working just fine. But that doesn't stop them from creating innovative tactics to fool their victims and keep one step ahead of cyber security. This is exactly why people who claim to be aware of phishing emails and how to stop them are still being tricked.
Spreading awareness to strengthen the 'human firewall' is one of the best ways to stop these phishing scams from becoming more successful. So we've put together 3 of the latest phishing scams that you need to watch out for.
Don't unlock these malicious PDFs
The SANS Internet Storm Center sent out a warning earlier this year about a phishing campaign that utilises PDF attachments in an attempt to obtain your credentials.
The email has the subject line "Assessment Document" and a single PDF attachment that appears, in the body of the email, to be locked. A message reads "PDF Secure File UNLOCK to Access File". Once you click on the link to unlock the document, the PDF opens in the computer's default browser. A dialogue box then appears above the PDF, prompting the user to input their email address and password in the hope that they will fall victim.
This campaign is completely untargeted, meaning that the attackers are not going after the most sophisticated or high-profile users - they're targeting anyone in your company who will fall for the scam. People with less knowledge of phishing emails won't think twice about entering their details into such a legitimate-looking document. Once the employee has lost their credentials, the door is wide open for data loss and spear-phishing. Read more about this scam here.
Gmail accounts are a hot target
Over the years, Google mail has experienced its fair share of phishing scams. But a new highly effective phishing technique has been targeting Gmail and other services over the past couple of months, gaining huge popularity amongst hackers. The reason for its popularity is that even the most experienced and technically savvy users are falling for the bait.
The attack is carried out when an attacker sends an email to your Gmail account. The email might come from someone you know, with their account likely having been hacked using the same technique. It may also include something that looks like an image of an attachment you recognise from the sender.
You click on the image, expecting Gmail to give you a preview of the attachment. Instead, a new tab opens up and you are prompted by Gmail to sign in again. You glance at the location bar and you see accounts.google.com in there.
Once you complete sign-in, your account has been compromised. To help people avoid this technique, Google encourages them "to be careful anytime you receive a message from a site asking for personal information. If you get this type of message, don’t provide the information requested without confirming that the site is legitimate.
If possible, open the site in another window instead of clicking the link in your email. You can report suspicious messages directly to us. Google will never send unsolicited messages asking for your password or other personal information."
This HMRC Tax refund is too good to be true
A new HM Revenue and Customs phishing email is among the latest phishing scams, telling you that you’re eligible for a tax refund. It contains an official-looking HMRC logo and .Gov.UK link, as well as urgent messaging asking the recipient to ‘act now’. The convincing-looking email is designed to mislead people into giving up their personal data in order to steal their money.
It's worth noting emails from HMRC will never notify you of a tax rebate, offer you a repayment, require you to disclose personal information or ask you to act quickly.
HMRC Phishing Email
Keep a look out for spelling mistakes and poor grammar. There are a number of other things you can look out for to help spot an email scam. HMRC's seven signs of a scam include being contacted out of the blue, a deal that’s too good to be true and vague contact details. If you’re unsure whether an email is genuine, make sure you check its authenticity using these tips.
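Both the Gmail scam above (accounts.google.com visible in the location bar) and the HMRC email (an official-looking .Gov.UK link) rely on a trusted name appearing somewhere in a link. The JavaScript below is an added example, not part of the original article or of any Google or HMRC tooling: it checks the scheme and the parsed host instead of looking for the name in the text. The names classifyLink, EXPECTED and SAMPLES are illustrative, and every sample URL is constructed.

```javascript
// Added example. classifyLink and EXPECTED are illustrative names, and every
// URL in SAMPLES is constructed (the .example hosts are reserved for documentation).
const EXPECTED = {
  google: { host: "accounts.google.com", allowSubdomains: false },
  govuk: { host: "gov.uk", allowSubdomains: true },
};

function classifyLink(raw, expected) {
  let url;
  try {
    url = new URL(raw); // WHATWG URL parser, the rules browsers follow
  } catch {
    return { trusted: false, reason: "not a parseable absolute URL" };
  }
  if (url.protocol !== "https:") {
    return { trusted: false, reason: `scheme is ${url.protocol}, not https:` };
  }
  if (url.username || url.password) {
    // Text before "@" is userinfo, not the site being visited.
    return { trusted: false, reason: "text before @ is userinfo, not the host" };
  }
  const host = url.hostname.replace(/\.$/, ""); // drop a trailing root dot
  const exact = host === expected.host;
  const sub = expected.allowSubdomains && host.endsWith("." + expected.host);
  if (exact || sub) return { trusted: true, reason: `host is ${host}` };
  // The trusted name may still be visible elsewhere in the string.
  const visible = raw.toLowerCase().includes(expected.host);
  return {
    trusted: false,
    reason: visible ? `"${expected.host}" is visible, but the host is ${host}` : `host is ${host}`,
  };
}

const SAMPLES = [
  ["https://accounts.google.com/", EXPECTED.google],
  ["https://accounts.google.com.signin.example/", EXPECTED.google],
  ["https://login.example/accounts.google.com/", EXPECTED.google],
  ["https://accounts.google.com@login.example/", EXPECTED.google],
  ["http://accounts.google.com/", EXPECTED.google],
  ["https://www.gov.uk/", EXPECTED.govuk],
  ["https://gov.uk.refund.example/", EXPECTED.govuk],
];
for (const [raw, expected] of SAMPLES) {
  const { trusted, reason } = classifyLink(raw, expected);
  console.log(`${trusted ? "OK  " : "WARN"} ${raw} -> ${reason}`);
}
```

Only the first and sixth samples pass; in the others the trusted name is visible in the string but is not the host the browser would contact, or the connection is not HTTPS.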