Phishing scams are a prominent form of social engineering, designed to trick you into sharing private information or to convince you to click on links or attachments that lead to malware or fraudulent sites.
How phishing scams work
At the most basic level, phishing can consist of nothing more than text and a URL, which means attacks can reach you anywhere you receive digital communication, such as email, SMS (referred to as smishing) or social media notifications. This makes phishing an ever-present risk, and one of the most prominent forms of cyber attack.
And in a bid to make them as enticing as possible, criminals behind phishing attacks tend to take advantage of changing habits and preferences. For example, a global news event such as the invasion of Ukraine resulted in over 2,000 blocked phishing attempts in March, 2022 (source: F‑Secure Threat Intelligence).
Phishing isn’t getting any easier to spot
Sadly, despite their increase, phishing scams aren’t getting any easier to spot. Historically, some phishing attempts could be identified by things like poor grammar, which was often comedically bad. But advances in AI technology and generative large language models (LLMs) such as ChatGPT have made it easier than ever for scammers to appear legitimate.
“You have probably seen some phishing email or SMS where you could instantly detect the attack because of a grammatical or spelling mistake,” explains Abdullah-Al Mazed, Senior Technical Product Manager at F‑Secure. “Sadly, thanks to developments in the world of large language models (LLMs), those days will be a thing of the past. ChatGPT demonstrates how far natural language processing (NLP) has already gone, and how easy it is to write a very convincing mail or blog post with a simple prompt and a handful of keywords.”
Educating yourself about phishing scams
So, as phishing threats continue to evolve, it’s never been more important to use internet security, which will help keep you protected from such threats. But educating yourself is also vital.
In this post we identify five major phishing threats in 2023, with information on how to identify and ultimately avoid them.
1. Social network account phishing
Based on F‑Secure’s Threat Intelligence data, Facebook, WhatsApp, Instagram, and LinkedIn were the top social media platforms targeted with phishing scams in 2022. And criminals targeting these platforms were trying to obtain the likes of social media credentials, personal information and financial data.
How to spot the attack: They often arrive as friend requests and messages from unknown profiles promoting links to web pages.
How to avoid it: Run safe browsing protection. Don’t accept friend requests from unknown profiles. Set an alternative email or phone number for retrieving your account. And use unique passwords and two-factor authentication.
2. Phishing in the name of Netflix
Netflix has become the app of choice for TV and movie streamers, with around 233 million global subscribers (source: Statista). Courtesy of this popularity, Netflix was one of the brands targeted most via email phishing in 2022, with a 50% increase in Netflix scams between January and December 2022 (source: monthly spam volume based on F‑Secure’s spam trap).
How to spot the attack: These emails notified recipients that their automatic payment had been declined. To fix it, victims were lured into updating their billing information through a link that led to a fake login page. Once the victim submitted their login details, the attackers were able to take over the account.
How to avoid it: Don’t open any suspicious links warning of declined payments; instead, log in to your account and check your payment status there.
3. Contemporary topics: Ukraine
Phishing scams often utilize contemporary topics, as it’s easier to get attention when people are already interested in the subject. Therefore, the war in Ukraine was a major topic used in phishing in 2022. Some of these campaigns preyed on people’s will to help; others preyed on more self-centred motives.
How to spot the attack: This kind of phishing was spread via email in the name of charity organizations such as the Red Cross, and victims were lured to donate cryptocurrency. Elsewhere, campaigns lured victims to contact “hot Ukrainian girls” looking for love. Believing they were conversing with Ukrainian women, the victims had to create a paid profile on a dating platform, with some being asked to pay more to keep on chatting or to unlock more photos.
How to avoid it: Any communications requesting cryptocurrency payments are a red flag. Trust only well-known charities. Use payment information stated only on their website. And remember: people genuinely looking for love don’t ask for cryptocurrency before talking to you.
4. Smishing “Hi Mum” scams
Cyber criminals will use any emotional leverage they can, and “Hi Mum” scams are a particularly unpleasant reminder of this. “Hi Mum” scams come in the form of smishing (phishing via phone messaging) and tend to begin with a WhatsApp message from an unknown phone number, sent by a scammer and starting with the words “Hi Mum” or “Hi Dad”.
How to spot the attack: The scammer tells the recipient that the child’s phone has broken and that the one they are messaging from is their new phone number. The attacker then asks for money to pay an urgent bill or to buy a new phone; they say they need money because they can’t access their bank without the old phone; or some other explanation.
How to avoid it: It can be difficult for parents to think rationally when their child needs help, which is exactly what scammers are banking on (in their case, literally). If you receive a text such as this, call the old number or send your loved one a message on social media to check whether it’s real. And never send money to people contacting you from unknown numbers.
5. Gaming-related phishing scams
The rise in popularity of free-to-play (F2P) games such as Fortnite — which make their money through in-game purchases of skins, weapons and so on — has led to a marked increase in the number of scams targeting gamers. These can include “voting scams” or free offers. And, based on F‑Secure data, Steam and Roblox were the top gaming platforms targeted by cyber criminals, making up 66% of all targeted gaming platforms (source: F‑Secure Threat Intelligence).
How to spot the attack: In 2022, attackers started using a technique called “voting scams” to steal Steam accounts. The attack starts in a Steam or Discord channel with a message that appears to come from a friend, asking the victim to follow a link and vote for their team. The link leads to a phishing page, and once the victim follows it, their Steam account ends up in the attacker’s hands.
In scams targeting Roblox users, attackers used YouTube videos to entice kids to click on a link to get free Robux (in-game currency), with the link leading viewers to phishing sites where criminals could harvest login information. Phishers also hijacked Roblox accounts with the same technique, using fake User Ads (the Roblox in-game messaging system).
How to avoid it: Run safe browsing protection. Don’t enter your login details outside a particular gaming service. Avoid free stuff as a rule, as it is often just a trick. And educate kids about phishing and scams by sharing this post with them.
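The Netflix, Steam and Roblox scams above share one mechanic: a message that names a brand but links to a login page on a domain the brand does not own. The advice to check the link before entering credentials can be made mechanical. The script below is an added example written for this post, not F‑Secure code: it pulls URLs out of a message, resolves the host the browser would actually connect to, and reports whether that host belongs to the brand's real domains. The domain allowlist (`BRAND_DOMAINS`) and the sample messages are constructed assumptions for illustration.

```python
"""Flag links whose host does not belong to the brand the message claims to be from.

Added example for this post (not F-Secure code). BRAND_DOMAINS is an
assumed allowlist kept small for illustration; sample messages are constructed.
"""
import re
from urllib.parse import urlsplit

# Assumption: the registrable domains each brand really uses for its login pages.
BRAND_DOMAINS = {
    "netflix": {"netflix.com"},
    "steam": {"steampowered.com", "steamcommunity.com"},
    "roblox": {"roblox.com"},
}

# Anything that looks like a link, including bare "www." hosts as typed in SMS.
URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)


def connecting_host(url: str) -> str:
    """Return the lowercase hostname the browser will actually connect to.

    urlsplit().hostname discards userinfo and the port, so a link such as
    'https://netflix.com@evil.example/' correctly resolves to 'evil.example'
    even though 'netflix.com' is the first thing a reader sees.
    """
    if "://" not in url:
        url = "https://" + url
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def host_belongs_to(host: str, domain: str) -> bool:
    """True only if host is `domain` itself or a real subdomain of it.

    A plain endswith() would accept 'fakenetflix.com'; requiring the dot
    boundary rejects it while still accepting 'www.netflix.com'.
    """
    return host == domain or host.endswith("." + domain)


def classify_link(url: str, claimed_brand: str) -> str:
    """Return 'ok', 'lookalike' or 'unrelated' for a link in a message about `claimed_brand`."""
    host = connecting_host(url)
    legit = BRAND_DOMAINS.get(claimed_brand.lower(), set())
    if any(host_belongs_to(host, d) for d in legit):
        return "ok"
    # Brand name buried in a foreign host ('netflix.com.billing-check.example',
    # 'fakenetflix.com') or a punycode label ('xn--') that may hide homoglyphs.
    if claimed_brand.lower() in host or "xn--" in host:
        return "lookalike"
    return "unrelated"


def scan_message(text: str, claimed_brand: str) -> list[tuple[str, str]]:
    """Classify every link found in a message that claims to come from `claimed_brand`."""
    return [(url, classify_link(url, claimed_brand)) for url in URL_RE.findall(text)]


# Constructed sample in the style of the "payment declined" emails described above.
SAMPLE_SMS = (
    "Netflix: your payment was declined. Update billing at "
    "https://netflix.com.billing-check.example/update to keep watching."
)

if __name__ == "__main__":
    for url, verdict in scan_message(SAMPLE_SMS, "netflix"):
        print(f"{verdict:10} {url}")
```

The three verdicts map onto the advice in the post: "ok" links are still best reached by opening the app or typing the address yourself, "lookalike" links are the fake login pages the scams rely on, and "unrelated" links (including the userinfo trick) are links that have nothing to do with the brand at all.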