Phishing tricks – the Top Ten Treacheries of 2020

By Paul Ducklin

Sophos Phish Threat, in its own words, is a phishing attack simulator – it lets your IT department send realistic-looking fake phishes to your own staff so that if they do slip up, and click through…

…it’s not the crooks on the other end.

The crooks are testing you all the time, so you might as well test yourself and get one step ahead.

(Don’t panic – this isn’t a product infomercial, just some intriguing statistics that have emerged from users of the product so far this year.)

You can knit your own scam templates to construct your own fake phishes, but the product includes an extensive collection of customizable templates of its own that we update regularly.

The idea is to to track the look and feel of real-world scams of all types, all the way from Scary Warnings of Imminent Doom to low-key messages saying little more than Please see the attached file.

Read more at https://nakedsecurity.sophos.com/2020/09/04/phishing-tricks-the-top-ten-treacheries-of-2020/

Vishing scams use Amazon and Prime as lures – don’t get caught!

By Paul Ducklin

Well-known US cybercrime journalist Brian Krebs recently published a warning about vishing attacks against business users.

The FBI promptly followed up on Krebs’s article with a warning of its own, dramatically entitled Cyber criminals take advantage of increased telework through vishing campaign.

So, what is vishing?

And how does it differ from phishing, something that most of us see far to much of?

The V in vishing stands for voice, and it’s a way of referring to scams that arrive by telephone in the form of voice calls, rather than as electronic messages.

Of course, many of us use voicemail systems that automatically answer and record messages when we aren’t able or willing to take a call in person, and many modern voicemail systems can be programmed to package up their recordings and deliver them as email attachments or as web links.

So the boundary between voice calls and electronic messages is rather blurred these days.

Nevertheless, many of still routinely pick up calls in person when we can – especially those of us who run a business, or who have family members we’re supporting through coronavirus lockdown or who aren’t well and might need urgent help.

We know several people who keep a landline especially as a contact point for family and friends.

They give out their landline number sparingly on what you might call a “need-to-know” basis, and use their mobile number – which is comparatively easy to change if needed, and easy to monitor and filter using a suitable app – for day-to-day purposes where giving out a working number can’t easily be avoided.

As you can imagine, however, the crooks only need to uncover your phone number once, perhaps via a data breach, and they can call it forever, especially if it’s a landline that you’re keeping because people who are important to you know it and rely on it.

Read more at https://nakedsecurity.sophos.com/2020/09/03/vishing-scams-use-amazon-and-prime-as-lures-dont-get-caught/

Phishing scam uses Sharepoint and One Note to go after passwords

By Paul Ducklin

Here’s a phishing email we received recently that ticks all the cybercriminal trick-to-click boxes.

From BEC, through cloud storage, via an innocent-sounding One Note document, and right into harm’s way.

Instead of simply spamming out a clickable link to as many people as possible, the crooks used more labyrinthine techniques, presumably in the hope of avoiding being just one more “unexpected email that goes directly to an unlikely login page” scam.

Ironically, while mainstream websites concentrate on what they call frictionlessness, aiming to get you from A to B as clicklessly as possible, and some cybercrooks deliberately add extra complexity into their phishing campaigns.

The idea is to require a few extra steps, taking you on a more roundabout journey before you arrive at a website that demands your password, so that you don’t leap directly and suspiciously from an email link to a login page.

Here’s the phish unraveled so you can see how it works.

Read more at https://nakedsecurity.sophos.com/2020/09/02/phishing-scam-uses-sharepoint-and-one-note-to-go-after-passwords/