The Phishing Tactic Cybercriminals Are Using To Trick You

Fishing hook through login credentials representing phishing scams.

Written by: Jay H.

Phishing campaigns are fraudulent attempts to gain sensitive information such as passwords, usernames, and credit card information from victims. These scam attempts are a lucrative business for cybercriminals and the most popular way to distribute malware. In fact, phishing attempts impacted 75 percent of organizations in 2020.

Given this, businesses recognize the importance of security awareness training to keep staff up to date on current tactics. However, a recent report from software vendor Webroot highlights the sophistication of cybercriminals’ new phishing tactics and demonstrates that cybersecurity awareness training must be an ongoing effort.

Phishing and COVID-19

COVID-19 has dominated headlights for over a year, so it’s no surprise attackers are incorporating the topic into their schemes. In fact, the pandemic has been lucrative for criminals looking to capitalize on peoples’ uncertainties and fears. Most of the malicious emails Webroot analyzed used COVID-related phishing lures. Common topics included guidelines on protecting yourself from COVID-19, details on pandemic stimulus money, and vaccines while impersonating reputable organizations.

Most of the malicious spam urged victims to download a Microsoft Word document. Once downloaded and opened, Word would ask the user to ‘Enable Content,’ allowing macros. Essentially, this would enable the execution of malware such as Emotet.

“Just one click can be the catalyst that starts the infection process, eventually leading to ransomware or other forms of malware,” said Brianna Butler, senior technical project manager at Webroot. “If the user doesn’t open the Word document or doesn’t enable macros, the malicious spam poses no threat. This is why it’s so important for users to be educated on the latest trends in phishing tactics.”

Phishing URLs Using HTTPS

Another emerging trend amongst phishing campaigns is the use of HTTPS versus HTTP.

HTTPS and HTTP are communication protocols used to send and receive webpages on the Internet and are displayed in URLs. However, only HTTPS is secure for encrypting information sent and received. Users are learning to expect websites to use HTTPS to protect communications and are more likely to trust a website using this protocol.

Unfortunately, attackers are well aware of this and increasingly use the HTTPS protocol to lull victims into a fall sense of security. Although switching to HTTPS requires more effort and expense on the attackers’ parts, it is worth it since victims trust HTTPS. Throughout 2020, 32 percent of phishing attempts used HTTPS. However, in December alone, over half (54%) of phishing sites used HTTPS.

Chart showing HTTP/S phishing attacks by month.

Image: Webroot

While we can expect most phishing attempts to use HTTPS, the numbers vary by the targeted industry. Attackers primarily use HTTPS in phishing campaigns spoofing cryptocurrency exchanges (70% of the time), Internet service providers (65%), and gaming (62%). Meanwhile, other industries like delivery services and social media saw rates just over 30 percent. Education was the lowest industry at 26 percent.

Graph showing HTTP/S phishing sites by target industry.

Image: Webroot

Lessons Learned

Attackers are constantly evolving their tactics to trick unsuspecting users into handing over sensitive information. Because of this, organizations and individuals must stay current with cybercriminals’ tactics and should implement the following suggestions:

Protected by Copyscape

Comments are closed.