The latest phishing trends

Tuesday, 30 April, 2019

The link between fraudulent email spamming and the sedentary pastime of fishing initially seems tenuous.

However, phishing is actually a fitting name for unsolicited messages claiming to be from a reputable company.

Like its phonetic namesake, phishing involves baiting a hook and then hoping someone – anyone – bites.

And unfortunately, the odds are always in the spammers’ favour, because they send out vast quantities of messages every day.

Last December, over one million messages carrying the Emotet Trojan were sent in a single day – and that’s just one of innumerable scams circulating in cyberspace.

Accurate statistics are hard to find, since ISPs and mail providers block many messages automatically. Plus, many victims are too embarrassed to inform the authorities, so they never appear in crime figures.

In 2017 alone, Kaspersky Lab’s anti-phishing system was triggered almost 250 million times – and they’re only one of many anti-malware brands battling this global scourge.

Worst of all, there’s compelling evidence that phishing levels are rapidly increasing – meaning we’re more at risk than ever before.

Something phishy going on

Given this worrying situation, it’s vitally important to be aware of the latest phishing trends:

  • Attacks increasingly impersonate Software as a Service brands. Dropbox has replaced PayPal as the scammers’ platform of choice, while Netflix is regularly impersonated as well.

    The five most common themes for phishing emails relate to package deliveries, billing and invoicing, message delivery notifications, document scans or some type of enforcement.

    Unexpected or unusual messages from parcel delivery firms, financial institutions, IT brands and Government agencies (in particular HMRC) should be approached suspiciously.

  • HTTPS sites are being used to appear legitimate. Phishing trends are constantly evolving in response to growing public awareness, as old tricks cease to be effective.

    Our growing aversion to insecure websites has driven scammers to obtain TLS certificates for their sites, so the browser shows a padlock and an https:// address, in an attempt to convey authenticity.

    Half of phishing sites now use HTTPS, so the padlock only tells you the connection is encrypted, not that the site is genuine. Read the domain name itself instead, and be wary of unfamiliar ones, including sites ending in .cn (China) or .ru (Russia) suffixes.

  • Urgency helps to disarm recipients. Given some time to ruminate and reflect, most of us would eventually conclude that a phishing email was fraudulent.

    Consequently, messages are delivered with High Importance flags and URGENT in the subject line, encouraging us to act without pausing to consider what’s being asked of us.

    Always re-read them, looking for warning signs like “Dear Customer” instead of “Dear Mr Smith”. Poor grammar is another giveaway, since many scams originate abroad.

  • Messaging platforms are becoming popular channels. Phishing began over email because there were few other communication channels, but again, consumer habits are evolving.

    Phishing has spread to Facebook Messenger and WhatsApp (which is also owned by Facebook), while collaborative working tools including Slack and Teams are vulnerable, too.

    It’s easy to end up on an illicit distribution list for these platforms, which generally have weaker spam filtering and fewer safeguards than those developed by email hosts and internet service providers.

  • Blackmail is on the rise. A particularly nasty form of phishing involves emails claiming to have compromising material – usually webcam footage of the recipient watching porn.

    Unless a ransom is paid in a cryptocurrency such as Bitcoin (which is pseudonymous rather than untraceable, since every payment is recorded on a public ledger), the message claims the footage will be distributed to the victim’s friends and contacts.

    Although an episode of Charlie Brooker’s Black Mirror series featured this scenario, these messages are sent in bulk and genuine webcam hijackings are extremely rare. If the message quotes one of your passwords as “proof”, that shows only that it leaked in an old data breach, so change it anywhere it is still in use. Otherwise, hold your nerve and mark the message as Junk or Spam.

Tips for avoiding the latest phishing trends

If you receive an unsolicited email from a company you’ve recently had dealings with, your spider senses should tingle if there’s any suggested problem regarding your account or order.

Legitimate brands won’t ask you to supply account details by email, or to enter your password or full card details on a page reached through a link in a message.

Never click on a hyperlink unless you’re certain it’s genuine. Instead, log into your account by typing the address into your browser or using a bookmark, or phone the company on a number you already have to check whether the message is authentic.

Finally, try copying and pasting the email’s subject line into Google, to see whether other people have reported this as part of a wider scam.
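The warning signs described above (urgency flags, generic greetings, a brand name that appears in a link’s visible text or hostname but not in its registered domain, and a padlock that proves nothing) can be checked mechanically. The Python script below is an added example written for this page, not code from the article or from any of the brands mentioned. The sample messages, addresses and domains in it are constructed for illustration using reserved .example names, and its short table of two-label suffixes is an assumption standing in for the Public Suffix List.

```python
# Added example for this page, not the article's own code. Every address,
# domain and message below is constructed for illustration (reserved
# .example names, no real sites).
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Brands the article names as commonly impersonated, and their genuine domains.
BRAND_DOMAINS = {"dropbox": "dropbox.com", "paypal": "paypal.com", "netflix": "netflix.com"}

# Assumption: this short table of two-label public suffixes covers the sample
# data; a real deployment should consult the Public Suffix List instead.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "gov.uk", "com.cn", "com.au"}

# Simple anchor matcher, sufficient for the sample bodies (not a full HTML parser).
LINK_RE = re.compile(r'<a\b[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.S | re.I)


def registered_domain(host: str) -> str:
    """'dropbox.com.secure-docs.example' -> 'secure-docs.example',
    'www.hmrc.gov.uk' -> 'hmrc.gov.uk'. A brand name at the front of a
    hostname proves nothing; only the registered domain at the end counts."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def link_findings(text: str, href: str) -> list:
    """Flag a link whose visible text or hostname borrows a brand it does not
    own. An https:// href earns no credit: half of phishing sites use HTTPS,
    so the padlock says only that the connection is encrypted."""
    host = urlparse(href).hostname or ""
    reg = registered_domain(host)
    out = []
    shown = re.search(r"(?:https?://|www\.)([^/\s]+)", text)
    if shown and registered_domain(shown.group(1)) != reg:
        out.append(f"link text shows {shown.group(1)} but href goes to {host}")
    for brand, domain in BRAND_DOMAINS.items():
        if brand in host and reg != domain:
            out.append(f"hostname {host} mentions {brand} but registered domain is {reg}")
    return out


def phishing_indicators(raw_email: str) -> list:
    """Return the warning signs found in one raw RFC 5322 message."""
    msg = message_from_string(raw_email)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    for brand, domain in BRAND_DOMAINS.items():
        if brand in name.lower() and registered_domain(sender_host) != domain:
            findings.append(f"sender claims to be {brand} but mails from {sender_host}")
    if "urgent" in msg.get("Subject", "").lower():
        findings.append("subject demands urgency")
    if msg.get("Importance", "").lower() == "high" or msg.get("X-Priority", "").startswith("1"):
        findings.append("flagged High Importance")
    # First text/html part; walk() yields the message itself when not multipart.
    body = next((p.get_payload(decode=True).decode("utf-8", "replace")
                 for p in msg.walk() if p.get_content_type() == "text/html"), "")
    if re.search(r"\bdear (customer|user|member)\b", body, re.IGNORECASE):
        findings.append("generic greeting")
    for href, text in LINK_RE.findall(body):
        findings.extend(link_findings(text.strip(), href))
    return findings


# Constructed sample: brand name at the front of a hostname whose registered
# domain is secure-docs.example; the site would still show a padlock.
PHISH = """\
From: Dropbox <no-reply@dropbox-secure-docs.example>
Subject: URGENT: a document has been shared with you
Importance: High
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear Customer,</p>
<p>A scanned document is waiting. Review it within 24 hours or access is revoked:</p>
<p><a href="https://dropbox.com.secure-docs.example/view">https://www.dropbox.com/s/shared</a></p>
</body></html>
"""

# Constructed sample of a message that trips none of the checks.
LEGIT = """\
From: Dropbox <no-reply@dropbox.com>
Subject: Alice shared a folder with you
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear Mr Smith,</p>
<p><a href="https://www.dropbox.com/s/abc123">Open the folder</a></p></body></html>
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, phishing_indicators(raw))
```

Run it and the constructed phishing message produces six findings (impersonated sender, urgent subject, High Importance flag, generic greeting, and two link mismatches), while the legitimate-looking message produces none. The point of `registered_domain` is the one the article makes about HTTPS: a familiar brand name anywhere in the address, or a padlock, is not evidence; the only part that identifies the site is the registered domain at the end of the hostname.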

Neil is our resident tech expert. He's written guides on loads of broadband head-scratchers and is determined to solve all your technology problems!