Examples of Phishing Attacks

Examples of phishing attacks you need to be aware of and the safeguards and security solutions you should implement to block all forms of phishing attacks on your business.

Phishing attacks on businesses are occurring at record levels and there are no signs of the attacks slowing. According to the Federal Bureau of Investigation, phishing attacks – including smishing, vishing, whaling, and pharming attacks – top the list of the main causes of complaints about cybercrime to its Internet Crime Complaint Center. These attacks are conducted to gain access to email accounts and the sensitive data they contain, to access cloud resources, and to infiltrate business networks for more extensive compromises, data theft, and ransomware attacks. Phishing is also used for malware distribution, with some of the most dangerous banking Trojans-cum-malware downloaders, such as Emotet and TrickBot, almost exclusively delivered via phishing emails.

To counter these threats, businesses need a combination of security solutions. One of the most important steps is to make sure employees are aware of the risk of phishing: train them using examples of phishing attacks that highlight the tactics phishers use, then give them practice at identifying phishing emails to put their training to the test.

Examples of Phishing Attacks

A comprehensive list of examples of phishing attacks and the techniques used to phish for data and distribute malware would run to hundreds of pages. New tactics and lures are constantly being developed, as seen during the pandemic when cybercriminals turned to lures related to COVID-19 infections, cures, advice, vaccines, and updates on cases in the local area to trick people into disclosing their credentials and opening malicious attachments. New examples of phishing attacks should be included in training to keep employees abreast of the latest techniques being used, along with the examples of phishing attacks below, which are used day in and day out in phishing campaigns as they are so effective.

Fake Invoices

Fake invoices are arguably the most common type of phishing scam targeting businesses. The emails claim that an invoice for services rendered is overdue. There may even be a threat of legal action if payment is not made quickly. These scams include an attached file or a link to a file. The file contains malicious code that, if allowed to run, will install malware.

Fake CVs

HR departments are used to receiving CVs and resumes, including speculative emails when there is no job available. The attached files, often PDFs or Word documents, trick the HR department into installing malware. CV-related scams have also been conducted masquerading as LinkedIn notifications, which claim that the victim has been headhunted and ask for their CV. The information in the CV is then used to craft a convincing spear phishing email.

Fake Security Alerts and Unusual Sign-in Attempts

Out of all of these examples of phishing attacks, the fake security alert is one of the most effective. The victim is warned that their account (bank account, Amazon account, PayPal account) has been accessed from a foreign IP address and is provided with a link to log in and review the activity. The link directs them to a webpage that appears to be genuine but is on an attacker-controlled site and will steal login credentials.

PayPal Phishing Scams

PayPal is one of the most impersonated brands in phishing attempts, and with more than 200 million account holders, there is a fair chance that these speculative phishing emails will land in the inbox of someone with a PayPal account. The lures are varied and include notifications about suspicious charges and often the threat of account closure if no action is taken. Links are provided to a spoofed PayPal site that harvests account credentials.

Human Resources Alerts

What better way of attracting the attention of an employee than the HR department emailing about a bonus, pay rise, or promotion? Perhaps a notification about disciplinary action or termination? All are used in phishing attacks, with the email address masked to make it appear that the email has been sent internally. The attached file contains malicious code that downloads malware.

Tax Rebates and Demands

Notifications from the IRS or other tax authorities are commonplace, especially around tax season. These phishing emails include offers of tax rebates or threats of legal action regarding owed tax. These scams may be used for malware delivery, but most commonly they are used to obtain sensitive information that will allow the scammers to file fraudulent tax returns to get tax rebates.

Suspicious Charge Identified

Your bank or credit card company has notified you about a suspicious charge on your account and requires you to log in to verify or block the payment. These can be really concerning as the charges can be considerable. Links direct the victims to fake banking websites that steal login credentials and answers to security questions.

Fake Malware Infection

Malware has been detected on your computer that requires immediate removal. A link for downloading removal software is provided in the email, but the executable file offered is actually malware. These scams are often conducted over the telephone, with the caller claiming to be from the victim's internet service provider.

Google Docs, Dropbox, and SharePoint Phishing Links

One of the ways phishers bypass email security solutions is by sending links to genuine file-sharing services under the guise of a collaboration request. The emails are short and to the point, asking the recipient to click the link to review the file. These emails may even be sent from genuine email accounts that have been compromised, with the email address of the victim obtained from the compromised account’s address book. These scams are conducted to distribute malware and to gain access to credentials, such as Google login information.

Triple Protection Against Phishing Attacks from TitanHQ

There is no single method of protecting against phishing attacks that will be 100% effective, 100% of the time. What is needed is a combination of measures that provide overlapping layers of protection. Since phishing can occur via email, the Internet, SMS/instant messaging platforms, over the phone or even in person, steps need to be taken to block all of these methods of attack. TitanHQ can offer triple protection against phishing attacks that occur via all of these attack vectors.

Email Security

SpamTitan Email Security is a powerful email filtering solution for blocking email phishing threats. SpamTitan includes dual anti-virus engines for blocking known malware, sandboxing for identifying previously unknown malware, SPF, DKIM, and DMARC for blocking email impersonation, outbound mail filtering for identifying compromised mailboxes, and performs extensive checks of messages for phishing, including machine learning capability for predicting new attacks.
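The HR-alert lure described earlier depends on a sender address masked to look internal, and SPF, DKIM, and DMARC are named above as the controls against that impersonation. The following is an added example, not TitanHQ's code and not part of the original page: a Python check that labels a message by whether its apparent internal origin is backed by a DMARC pass recorded in the receiving gateway's Authentication-Results header. The domain corp.example, the gateway name mx.corp.example, and all sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "corp.example"   # assumption: the organisation's mail domain
GATEWAY_ID = "mx.corp.example"     # assumption: authserv-id stamped by our own gateway

def auth_results(msg):
    """Collect method -> result from Authentication-Results headers added by our gateway."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        authserv_id, _, rest = header.partition(";")
        # Ignore headers stamped by any host other than our own gateway.
        if authserv_id.split()[:1] != [GATEWAY_ID]:
            continue
        for part in rest.split(";"):
            m = re.match(r"\s*(spf|dkim|dmarc)\s*=\s*(\w+)", part, re.I)
            if m:
                results.setdefault(m.group(1).lower(), m.group(2).lower())
    return results

def classify_sender(raw_message):
    """Label a message by whether its apparent internal origin is authenticated."""
    msg = message_from_string(raw_message)
    display, address = parseaddr(msg.get("From", ""))
    domain = address.rpartition("@")[2].lower()
    if domain == INTERNAL_DOMAIN:
        ok = auth_results(msg).get("dmarc") == "pass"
        return "internal-authenticated" if ok else "spoofed-internal"
    # External address, but the display name shows our domain to the reader.
    if INTERNAL_DOMAIN in display.lower():
        return "display-name-claims-internal"
    return "external"

def sample(auth, sender):
    """Build a constructed test message (not real traffic)."""
    return (f"Authentication-Results: {auth}\n"
            f"From: {sender}\nTo: alice@corp.example\n"
            "Subject: Bonus notification\n\nPlease open the attached file.\n")

SAMPLES = {
    "genuine": sample("mx.corp.example; spf=pass; dkim=pass; dmarc=pass",
                      "HR <hr@corp.example>"),
    "spoofed": sample("mx.corp.example; spf=fail; dkim=none; dmarc=fail",
                      "HR <hr@corp.example>"),
    "masked": sample("mx.corp.example; spf=pass; dkim=pass; dmarc=pass",
                     '"hr@corp.example" <notices@mailer.example>'),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", classify_sender(raw))
```

The "masked" sample passes DMARC for its own external domain, which is why the display name is checked separately from the authentication result.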

Web Security

WebTitan DNS Filter protects against phishing attacks via websites. The solution is fed threat intelligence gathered from more than 500 million endpoints worldwide and blocks access to websites used for phishing and malware delivery. WebTitan also analyzes websites in real-time and scores the content based on the likelihood of it being malicious. The solution can also be used to prevent access to risky websites and will block downloads of files commonly used to install malware.

Security Awareness Training and Phishing Simulations

SafeTitan is a comprehensive security awareness training platform with extensive training content covering all forms of phishing. The content is enjoyable, interactive, and gamified to improve knowledge retention, and includes videos, examples of phishing attacks, and quizzes for testing knowledge. The platform includes a phishing simulation platform for conducting and automating fake phishing attacks on employees to test security awareness and identify individuals who require further training, which uses examples of phishing attacks from real attacks on businesses. SafeTitan is the only behavior-driven security awareness training platform that delivers training in real-time in response to mistakes and bad security practices by employees.

For further information on these solutions, to book product demonstrations, or to sign up for a free trial, contact TitanHQ today.