Common phishing scams and how to prevent them



I think by now we’ve all been contacted by a Nigerian prince looking for someone to help him move his wealth out of the country in return for a share of his fortune. We all know it’s a scam, but did you know a whopping 30% of you still click on phishing scam links?

Phishing scams in particular are getting so sophisticated these days that most of us will need a magnifying glass just to spot the inconsistencies that give away their fraudulent nature.

In today’s post, we will tell you exactly how to recognize a phishing scam and share some classic examples we’ve encountered.

What are phishing scams, then?

The term ‘phishing’ was coined in 1996 by hackers who were stealing ‘America Online’ (better known as AOL) accounts and passwords. Employing the analogy of angling, scammers used email ‘lures,’ laying out ‘hooks’ to ‘fish’ for passwords and financial data. The letter ‘f’ was often interchanged with ‘ph’ as a nod to the original form of hacking known as phone phreaking: the reverse engineering of various tones used to re-route long distance calls.

While these ‘phreakers’ manipulated tone sequences to obtain free calls, the act itself could be argued to be victimless (Well, except for the phone companies…). This is not the case with phishing attacks. Phishers attempt to trick, steal or socially engineer you into divulging your private information. As businesses put complex security mechanisms in place to protect against unauthorized access, criminals target the weakest element in the system: you.

What types of phishing scams are out there?

There are two main types of phishing scams:

Advance-fee fraud

An advance-fee scam is a type of fraud that involves promising the victim a significant share of a large sum of money in return for a small up-front payment. If a victim makes the payment, the fraudster will either invent a series of new fees for the victim to keep paying, or will simply disappear.

Traditional phishing scams

Phishing is the attempt to obtain sensitive information such as your username, password and credit card details by pretending to be a trustworthy entity such as Microsoft, Amazon, PayPal or even your bank.

In recent years, many service providers have implemented multi-factor authentication methods that use additional information to verify the user. As a result, phishing kits are steadily getting more advanced as scammers try to find ways to crack the new security measures. For example, in a recent Google report, the search engine giant detailed the results of an investigation into how cybercriminals steal Google accounts. The study found that more than 8 in 10 (82 percent) blackhat phishing tools and almost 3 in 4 (74 percent) keyloggers attempt to collect a user’s IP address and location, while 18 percent of phishing tools gather phone numbers and device information.

While most traditional phishing scams are implemented via email, many phishing attempts happen via social media and even through your work suites such as Dropbox and Google Docs.


Over the years we’ve seen it all, like that time a Skype scambot tried to lure our CEO into plugging in his credit card details.

Or that other time when we teamed up with Bleeping Computer to watch a ‘tech support’ scammer (dubbed Mr Z by the team) attempt to convince us our virtual machine was infected with ‘trozens’ so we’d buy his fake product.

In fact, tech support scams are so common that we’ve covered them in depth here.

While there are countless different ways to phish, these are the most common phishing scam examples:

Deceptive phishing

Regardless of the delivery method (e.g. Skype, email or phone call), deceptive phishing is a scammer impersonating a legitimate company in order to get something from you, whether that is your personal information for identity theft, your credit card details, or pressure on you to buy a product that may or may not exist. The methods criminals use to make you believe the site you are opening is the real deal are getting increasingly clever, as we’ll show you in our examples later on.

Spear phishing

Spear phishing attacks are deceptive phishing attacks that are targeted rather than aimed at an entire population of people. You may receive an email that includes your name, position, company name and work phone number, or a contact request on Skype where you are directly confronted with personal information.

CEO Fraud


This is a type of spear phishing where the credentials of a business executive are commandeered via a phishing email, hoax call or Skype scam. These credentials are then used to conduct fraudulent activity. Common examples include Google’s Larry Page himself writing you to notify you about the “official” sweepstakes.

Cloud Storage Phishing

Utilising the suites that many people now rely on for work, these phishing scams are conducted via shared documents. Google and Dropbox have even unknowingly hosted such scams in the past, complete with SSL certificates, meaning the scam pages appeared 100% legitimate.

The most recent example making waves was a phishing email that appeared as Google Docs. It urged users to give permission to the app in order to view the document through a genuine Google Sign-in screen. These permissions allowed a malicious third party web app to access your email and contacts, in turn spreading the phishing email to your contacts.

Pharming

Pharming redirects traffic from a legitimate site to a malicious one without your knowledge. Any personal information you enter on this page goes directly to the scammers. These pages are usually reached via links shared in deceptive phishing emails, Skype chats and social media ads.

How advance-fee phishing attacks work: Chatting with a scammer

This email showed up in my inbox from ‘UBS Investment Bank London’ earlier this week. The sender email, [email protected], piqued my interest.

[Image: UBS phishing scam email]

I was amused by the many inconsistencies in the email, such as the fact that it made absolutely no sense. I couldn’t help myself. I had to know. What was the deal? Who was Jerry Joe?

So I called him.

The phone number connects to a man in Basingstoke, England, who didn’t know what to say until I asked him why he emailed me. He continued to ask me my name while I questioned him and assured me repeatedly that if I simply gave him my full name he would be able to give me more information about the business adventure we were about to embark on together.

When I couldn’t get past Jerry Joe’s demands for my personal information on the phone, I responded from a different (pseudonymous) email address to learn more.

Within an hour I had received nothing short of an essay.

[Image: the scammer’s advance-fee reply]

A 40% cut of almost £8m? Guaranteed 100% success? Sweet! If I wasn’t already sold on this wonderful opportunity, I had the following attachments to convince me.

Even though I was surprised that the account statement from 2014 looked like it was printed on paper from the 80s, this all seemed incredibly convincing. He went on to say:

[Image: the scammer’s request for personal information]

Now assured “this was no child’s play,” and that “nothing stupid will happen in this business either now or later” I was to feel safe providing my brother/partner with:

  • My full legal name
  • My full address
  • My age
  • Occupation
  • Marital status
  • A copy of any of my identity documents, either international passport or driver’s license.

I can only imagine that if I had provided these things, this ‘SIR’ would have had her identity used online to scam other poor souls. And I can’t imagine this is the only aim of the scam. There is often some ‘small fee’ required to facilitate the transfer of my newly acquired fortune, for which I would be expected to hand over my credit card details or send money via Western Union or PayPal.


British comedian James Veitch repeatedly converses with scam emailers in a bid to extract some whimsy from the scourge of the internet. In his words, time wasted with him is time that these scammers are not out scamming adults out of their savings. The results are hilarious.

Though it is obvious in the context of this post that the above examples are indeed scams, and while humorous to behold, this is a serious problem. There are still many who are able to be convinced to give up their information through either falling for the initial scam email or being harassed until they are willing to do so. If you receive an email like the one above, simply delete it.

But what about less obvious scam emails?

How to identify a traditional phishing scam

Think about how meticulous you are about your spelling in an email to a customer, your boss or a work colleague. Now imagine the importance a financial organisation, such as your bank, would place on ensuring all brand communication was immaculately presented.

If you receive an email that looks like this, you can be sure it didn’t come from Bank of Scotland:

[Image: Bank of Scotland phishing email]

Though the general layout is quite neat, the incorrect email address, or email spoofing, is your first clue that something isn’t quite right. The random capitalisation in the main header text might not tip you off but the request for you to immediately log on and correct your details should.

There is not a financial organisation on earth that would lead you to a third party site to sign in to your account. If you receive an email like this, go to your online banking directly from your bank’s website in a separate window. Check your secure messages from within internet banking. See any message there about your online account? Didn’t think so.

Scammers take advantage of the fact that we are constantly being bombarded with information at all hours of the day. It is easy to become complacent about what we are clicking on and to whom we are giving our information.

Keep a clear eye out for the following clues that an email is not what it seems:


  1. An email is addressed vaguely with salutations such as ‘Dear Valued Customer’ or ‘Dear Customer.’
  2. The subject uses urgent and/or threatening language such as ‘Account Suspended’ or ‘Unauthorized Login Attempt.’
  3. You are being offered a lot of money for no reason.
  4. The email simply makes no sense.
  5. The message appears to be from a government agency.
  6. An email, phone call or contact request is completely unsolicited and was not initiated by any action on your part.
  7. You are being asked to surrender personal information such as your bank account details, credit card information or are being redirected to login with your internet banking credentials.
  8. Something just doesn’t feel right. If an offer seems too good to be true or you just feel in your gut that something is off, it probably is.
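Several of the clues above can be checked mechanically before a human ever reads the message. The following is an added example, not code from the original article or from Emsisoft: it parses a constructed sample email and reports which clues fire (a generic salutation, urgent subject wording, a display name that claims a brand the sender domain does not contain, a link whose visible URL differs from its real target, and a plain http link). The word lists and the sample message are illustrative assumptions, not a complete rule set.

```python
"""Heuristic scoring of an email against common phishing clues.  Added example,
not the article's own code; SAMPLE_EMAIL is a constructed message and the word
lists are illustrative, not a complete detection rule set."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

URGENT_WORDS = ("urgent", "suspended", "unauthorized", "immediately", "verify")
GENERIC_SALUTATIONS = ("dear valued customer", "dear customer", "dear user")

# Constructed sample: the display name claims a bank, but the sender address and
# the link target sit on unrelated domains, and the visible link text lies.
SAMPLE_EMAIL = """\
From: "Bank of Scotland" <alerts@mail-secure-update.example>
To: customer@example.net
Subject: URGENT: Account Suspended - Unauthorized Login Attempt
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear Valued Customer,</p>
<p>Please <a href="http://login.update-verify.example/bos">log on to
https://online.examplebank.co.uk</a> immediately to correct your details.</p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collects visible text and (href, anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.text = []
        self.links = []
        self._href = None
        self._anchor = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._anchor = []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._anchor).split())))
            self._href = None


def score_email(raw: str) -> dict:
    """Return the clue codes that fire for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    subject = (msg["Subject"] or "").lower()
    if any(word in subject for word in URGENT_WORDS):
        findings.append("urgent_subject")

    sender = msg["From"].addresses[0] if msg["From"] else None
    if sender is not None:
        brand_tokens = [t for t in re.findall(r"[a-z]+", sender.display_name.lower()) if len(t) > 2]
        # Crude check: none of the brand words in the display name appear in the sender domain.
        if brand_tokens and not any(t in sender.domain.lower() for t in brand_tokens):
            findings.append("sender_mismatch")

    body = msg.get_body(preferencelist=("html", "plain"))
    parser = LinkCollector()
    parser.feed(body.get_content() if body is not None else "")
    visible = " ".join("".join(parser.text).split()).lower()
    if any(s in visible for s in GENERIC_SALUTATIONS):
        findings.append("generic_salutation")

    for href, anchor in parser.links:
        target = urlparse(href)
        if target.scheme == "http":
            findings.append("insecure_link")
        # Only URL-shaped anchor text is compared with the real target host.
        shown = re.search(r"https?://[^\s<>\"']+", anchor)
        if shown and urlparse(shown.group(0)).hostname != target.hostname:
            findings.append("link_mismatch")

    return {"score": len(findings), "findings": findings}


if __name__ == "__main__":
    print(score_email(SAMPLE_EMAIL))
```

The score is deliberately a plain count: the point is that each clue is cheap to check on its own and that a message tripping several of them at once deserves the "delete it" treatment described above, not that any single heuristic is conclusive.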

Let’s take a look at a common example close up.

[Image: Netflix phishing email]

[Image: Netflix phishing scam login window]

Think you can spot a scam now? Not so fast.

There’s one more type of phishing scam you need to be very aware of.

Unicode phishing

Now, let’s take a look at the browser bar below. If you were redirected here from an email you wouldn’t see any problem. It looks like Paypal.com. Great! Now look closely.

[Image: punycode PayPal phishing scam example, browser address bar]

See the umlaut and tilde above the ‘a’s? This is a scam site that I was redirected to via a link in an email. It’s a method our lab team is seeing more and more often to trick users into believing they are accessing a legitimate site. In this case, phishers are exploiting the fact that Unicode covers many writing systems, several of which contain characters that look identical or nearly identical to Latin letters but have different code points. Internationalised domain names are registered in their ASCII ‘punycode’ form (the labels start with ‘xn--’) and the browser displays the decoded Unicode version, so scammers can register domain names that look just like a real site’s.

Legitimate-looking login pages like the ones above and altered URLs like this one are what cause people to be so easily caught out.
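The check a defender can automate here is to take the hostname a browser would actually resolve, decode any punycode labels back to Unicode, and then ask two questions: does a label contain non-ASCII characters at all, and does it mix writing systems (Latin letters beside Cyrillic ones, say)? The following is an added example, not code from the original article or from Emsisoft. It goes slightly beyond the umlaut-and-tilde case in the screenshot by also collapsing a small, hand-picked set of Cyrillic look-alike letters, which is an assumption of this example and not Unicode’s full confusables table; the sample hostnames under the `.example` TLD are constructed.

```python
"""Homograph / punycode check for a hostname.  Added example, not the article's
own code: it decodes the ASCII ("xn--") form a browser resolves back to the
Unicode form the address bar shows, then flags labels that mix scripts or that
collapse to an ASCII look-alike once diacritics are stripped.  CONFUSABLES is a
small hand-picked subset of Unicode's confusables data, not the full table."""
import unicodedata

# Constructed subset: Cyrillic letters whose glyphs match Latin ones.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0445": "x", "\u0443": "y"}


def to_punycode(host: str) -> str:
    """Unicode hostname -> the ASCII form that is actually registered and resolved."""
    return host.lower().encode("idna").decode("ascii")


def from_punycode(host: str) -> str:
    """ASCII hostname (with xn-- labels) -> the Unicode form a browser may display."""
    return host.encode("ascii").decode("idna")


def script_of(ch: str) -> str:
    """Crude script classification taken from the first word of the Unicode name."""
    if ch.isascii():
        return "LATIN" if ch.isalpha() else "COMMON"
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def skeleton(label: str) -> str:
    """Strip combining marks (umlauts, tildes, ...) and map known confusables,
    so that a look-alike label collapses to the Latin string it imitates."""
    decomposed = unicodedata.normalize("NFKD", label)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return "".join(CONFUSABLES.get(c, c) for c in stripped)


def analyse_hostname(host: str) -> dict:
    """Return per-label findings plus an overall 'suspicious' verdict."""
    host = host.lower()
    unicode_host = from_punycode(host) if any(
        label.startswith("xn--") for label in host.split(".")) else host
    report = {"unicode": unicode_host, "ascii": to_punycode(unicode_host),
              "labels": [], "suspicious": False}
    for label in unicode_host.split("."):
        scripts = {script_of(c) for c in label if c.isalpha()}
        info = {
            "label": label,
            "scripts": sorted(scripts),
            "skeleton": skeleton(label),
            "non_ascii": not label.isascii(),
            "mixed_script": len(scripts) > 1,
        }
        # A non-ASCII label whose skeleton is plain ASCII is imitating a Latin name.
        info["lookalike"] = info["non_ascii"] and info["skeleton"].isascii()
        report["labels"].append(info)
        if info["non_ascii"] or info["mixed_script"]:
            report["suspicious"] = True
    return report


if __name__ == "__main__":
    # Constructed sample hostnames; the .example TLD is reserved for documentation.
    for sample in ("paypal.com", "p\u00e0ypal.example", "p\u0430ypal.example"):
        r = analyse_hostname(sample)
        print(r["unicode"], "->", r["ascii"], "suspicious:", r["suspicious"])
```

The `ascii` field is the useful one for a user: it is what the address bar shows when the browser refuses to render a mixed-script or non-whitelisted IDN, so an ‘xn--’ label where you expected a familiar brand name is the same warning sign the screenshot above illustrates.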

So how can you protect yourself?

How to prevent phishing scams

Though scams are getting more sophisticated all the time, there are easy steps you can take to prevent phishing attacks.

  1. DON’T click on any links in emails claiming to be from your bank or any other trusted organisation. Especially if it asks you to verify or update your personal details. Delete these immediately. If you’re in doubt, manually type in the company’s address into the browser and access your account that way.
  2. DO an internet search of specific names and phrases in an email you are unsure about. Many scams can be identified this way as other victims post their stories on online forums.
  3. LOOK for https: in any website where you are asked to provide personal details. SSL certificates are used to encrypt the transmitted information so that identities and financial details are protected on their way over the web. If you don’t see HTTPS in your browser address bar, close it and manually search for the secure address. Bear in mind that HTTPS only tells you the connection is encrypted, not that the site is genuine: the scam pages hosted on Google and Dropbox mentioned above had valid certificates too. Always pay very close attention to what is written in the browser address bar. Check for inconsistencies such as symbols that shouldn’t be there and scrambled URLs.
  4. NEVER provide personal information in an unsolicited phone call. Even if you believe the person calling you is legitimately from your bank, call your bank directly on the number listed on their website to be sure. They will confirm if you were contacted and why. Never return a call on a phone number given to you by the caller directly.
  5. ALWAYS report a scam to the Anti-Phishing Working Group (APWG) to ensure that others who are affected by the same scam can find out about it online.

As you can see, some people will try anything to scam you out of your hard-earned money, and the lines are always being blurred between phishing for information and scamming users for financial gain. But never fear. You have all the tools you could possibly need to spot a phishing attack a mile off! All it takes is clear eyes and a few seconds’ consideration to avoid infection. Now that you know what to look for, you can even help someone else to do the same!

Have a great (scam-free) day!

We’ve shown you ours, now show us yours. What’s the craziest scam you’ve ever encountered? What did you do about it? Tell us in the comments.

  • Tempus

    I have been lucky so far not to fall for any scams, even though I have received a lot of emails from WhatsApp, a social platform that I don’t use, + notifications from UPS and FedEx and other carriers, stating that something is wrong with a delivery and I can receive the packet if I just follow a link, to fill out some basic personal information… of course. And I have been, from time to time, plagued by the very classic Microsoft support scam, where an extremely persistent Indian guy called “George” tries to convince me that a virus has infected my system. Thank you for a great blog post, and a useful link to APWG. =)
    May I suggest the YouTube channel called “The PC Security Channel”, because he has a classic phishing email example. The uploaded video is called: “Fake Outlook Upgrade Emails | Phishing Alert”.

    • Thanks for sharing your experience Tempus. And glad to hear you’re savvy enough not to fall for them. ;) Surely some of our examples were pretty obvious, but our Lab team is coming across more and more sophisticated scams every day.

      Nice tip on the channel. Our Emsisoft channel is actually subscribed to it already, as we agree that there are very useful videos to check out.

      Keep the suggestions coming!

  • Azure

    A few weeks ago I received two emails from “Apple”. The email said my account was used to buy something from the App Store (which I don’t see how, cause my account isn’t linked to my credit cards or any form of payment).

    Decided to investigate a little. So, I copied the links given into an online unshortening service (they seem to like using link shorteners). Posted the URL at VirusTotal, and among the ones that reported the URL as malicious was Emsisoft (Apple should let you guys develop security software for iPhones).
    Even if the link was reported as “clean” I still wouldn’t log in from an email that was sent without my input. I prefer to go directly to the website on my laptop, and check my account history then.

    I already reported the emails and links to Apple. For now, they seem to have given up trying to trick me, or Apple dealt with them.

    Btw, adding to the ‘Look for HTTPS’ segment, it might be a good idea to check the certificate of the site. Cause I highly doubt companies like Google, Apple or Microsoft with their millions of dollars would bother using a Let’s Encrypt certificate. And apparently that’s how some scammers are pretending to be legitimate.

    • Hi Azure, thanks for sharing your Apple example with us, and glad to hear we had already flagged it as malicious :)

      Great thought on adding a comment regarding the certificate, we’ll make sure to add that into the article!

  • TripleRLtd

    Good stuff, and as tech support for many (and one phishing attempt this morning) I will forward this to many.

    That said, you raise an excellent point here:

    “Think about how meticulous you are about your spelling in an email to a customer, your boss or a work colleague. Now imagine the importance a financial organisation, such as your bank, would place on ensuring all brand communication was immaculately presented…”

    On that note I have to say that the word you wanted above that is “piqued”, and not peaked. Just sayin’.)

    • Glad you found it useful enough to share it with others; we really appreciate it.
      If you feel we have left anything out, let us know and we’ll incorporate it into the article to make it as complete as possible.

      Oh and thanks for pointing out our slip up. Fixed it ;)

  • LMPR

    I had my share of fraudsters too, all ranging from non-existent winnings, money transfers, bank scams, suspicious attachments and all that kind of crap. Once I even had that phone call scam from “Bank support” asking for my passwords, and it was a bank which I DON’T have an account with. How hilarious. I told him straight that a bank never calls a customer to ask for passwords and if you continue this call I will call the police after this call. He hung up immediately after I said that. What a dumb ass.

  • Chuck C.

    Thank you very much for your informative (as always) article.
    I did need to share about a highly sophisticated phishing scam that I was subjected to (and came very close to succumbing to!!) —
    For many, many years, I have really appreciated being able to make a high percentage of my online purchases via PayPal. One day, I received an email that VERY apparently was sent to me by PayPal: The email was headed with the ACTUAL PayPal Logo & the language in the email was very professionally worded. The email simply informed me that PayPal was needing to (.. & I apologize for not recalling their precise term ..but it was something like…) confirm that I wanted to retain my account with them; and in the middle of the email was a graphical button that would direct me to the (supposed) PayPal website to confirm. Because everything in the email appeared very much on the up & up, I am embarrassed to admit that I came very close to clicking that button! And then I thought, would this not be the very approach that a sheister(Sp?) would take? So, instead of responding to the email, I simply logged into my PayPal account (protected with 2FA), noticing that there were zero notifications waiting for me; And After that, I visited PayPal’s Fraud Department, which requested that, if I had received any email that appeared to be falsely from PayPal, if I could kindly forward that email to the PayPal Fraud Department — which I did. In response, PayPal sent me a very glowing “thank-you” email informing me that their staff had investigated & confirmed that I had received a phishing email. (And, by the way, they seemed to suggest that PayPal is very commonly a target of phishing!) My guess is that in the article you could have been even More emphatic that a legitimate corporate email will simply never include a link to access their site .. OR at the VERY Least, Never, _NEVER_ access a company site via an email link: You can Always get to that site by entering a _Confirmed_ URL into your browser’s address bar.
    Thanks again, Chuck

    • Glad you found the article helpful Chuck. And well done not falling for the PayPal phishing scam: you acted absolutely by the book! As you mentioned, PayPal has long been one of the main companies that are being used by phishing scammers to trick you into clicking on a link. But eBay, Amazon and others are also very common.

      Excellent suggestion to stress even more to access a site directly rather than clicking a link. We’ll add that to our suggestions that, when in doubt, type in the site directly into the browser and log in.

      Have a great day!

  • Andre Foulon

    A while ago I received a call, supposedly from Microsoft. The gentleman told me my computer was generating spam e-mails and I would be facing legal action unless I gave him remote access to it. A friend of mine had been caught by one of these, so I proceeded to ask which of my five computers was the culprit. The gentleman asked what kind those were and I told him there was a legacy 486 laptop running on Windows 95 that I used exclusively to play arcade games, a MacBook Pro running OSX, a desktop running Linux, my iPad 2 and finally an older desktop running Windows 7. He said it would likely be the last of the list. So I said I needed to crank this one up, which would take a while as it was pretty cluttered with bloatware. I put the phone down and continued washing my dishes.
    After about 5 minutes I returned and asked if he still was on the line. He was. I told him thanks for his patience as the Australian Federal Police now had had plenty of time to locate his whereabouts and seeing these were in India (going by the accent) Interpol would be kicking his door down round about now. I never had anyone hang up on me so quickly and haven’t received a software “support” call since.

    • Great story, thank you for sharing Andre. We have covered Microsoft support scams in a previous post (http://blog.emsisoft.com/2016/11/17/microsoft-calling-mind-the-tech-support-scammer/), they are still very active and very much a threat. But your experience also highlights the importance of awareness about these types of scams.

      This is why we are writing these articles. The more that is known about their tactics, the better prepared you will be to spot it once it happens to you (and let’s face it, it will happen to all of us).