Phishing is one of the most common types of cybercrime. Falling victim to a phishing attack can have disastrous consequences—from debilitating ransomware to the theft of large sums of money. While there are some telltale warning signs for phishing scams, cybercriminals are getting better and better at disguising themselves as legitimate individuals and corporations. In addition to training your staff on how to spot a phishing attempt, you should be aware of some of the most common scams happening in 2022.
QuickBooks Fake Account Verification
Hackers often target financial institutions, and they’ve recently gotten very good at mimicking legitimate emails from Intuit, which owns QuickBooks. A number of Intuit customers have received a professional-looking email claiming that Intuit has “put a temporary hold” on their accounts. The email then prompted users to verify their account in order to reactivate it. Unfortunately, this email came from cybercriminals, not Intuit. Clicking on the “Complete Verification” button on this fraudulent email either led users to a fake site designed to steal their private information or resulted in a malicious file being downloaded to their computer.
There was no hold on these customers’ accounts, but scaring users into making a rash decision is a hallmark phishing tactic. When Intuit was made aware of the fraudulent emails, they released a statement alerting customers to the phishing attack. They also recommended that users who had clicked on the “Complete Verification” button or any other link perform the following emergency measures: delete the download immediately, run an anti-malware scan on your system, and change your passwords.
Crypto Cons
Deepfake technology—which allows people to fabricate increasingly realistic audio and video of real people—might be the ultimate form of social engineering, and hackers are starting to incorporate deepfakes into their scams. Scammers set up a fake cryptocurrency platform called “BitVex” and created a deepfaked video of Elon Musk in which he promoted the BitVex platform. While it stretches the definition of a phishing attack, the group responsible did hack into YouTube channels to share the video in an attempt to capitalize on the legitimacy those channels had generated with their followers. The deepfake isn’t perfect—there is an uncanny quality to the video and the faked audio sounds quite different from Musk’s natural speech. Another tell that this was a scam is the fact that the YouTube channels hacked to promote BitVex generally had nothing to do with cryptocurrency.
SMS Scams Are Getting Worse
It’s not just you—we are all getting inundated with spam texts these days, and it will likely only get worse. More than 320,000 Americans were targeted by SMS phishing scams last year, which resulted in $44 billion in losses. Many SMS scams have the same red flags as phishing emails: misspellings, fake domains, and false claims of urgency. But some are far more advanced.
SIM swapping is less common than sending a malicious link via text, but it can cause a major security breach for individuals and companies. If a hacker knows enough of your personal information, they might be able to call your mobile carrier, successfully impersonate you, and request that your phone number be transferred to the hacker’s SIM. That hacker can now send and receive calls and texts as you, which opens all of your contacts up to potential phishing attacks. It also allows the hacker to receive two-factor authentication texts for all of your accounts. While SIM swapping is relatively rare compared to other SMS scams, it’s important to be aware and limit how much of your personal information you share online.
Tax Season Thieves
As we’ve seen before, hackers love to prey on panic—and what’s more panic-inducing than a message from the IRS? Scammers created a fake “overdue tax bill” email with a JavaScript-based “invoice” attachment. The attachment very cleverly tricked anyone opening it into logging into a fake Microsoft 365 portal. Hackers used the fake portal to steal victims’ Microsoft 365 logins, which gave them access to victims’ contacts and to many of the accounts linked to that email.
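A mail filter can hold this kind of "invoice" before anyone opens it. The following is an added example, not code from the original article: a Python check that parses a message and flags attachments that are script files or HTML files carrying script. The extension list, the function names and the sample message are assumptions made for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions Windows hands to a script host or runs as an HTML Application.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}
HTML_EXTENSIONS = {".htm", ".html"}
SCRIPT_TAG = re.compile(rb"<script\b", re.IGNORECASE)


def flag_attachments(raw_message: bytes) -> list:
    """Return (filename, reason) for every attachment that can run script."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        # Only the last extension counts: "invoice.pdf.js" is a .js file.
        ext = "." + name.lower().rsplit(".", 1)[-1] if "." in name else ""
        body = part.get_payload(decode=True) or b""
        if ext in SCRIPT_EXTENSIONS:
            findings.append((name, "script extension " + ext))
        elif ext in HTML_EXTENSIONS or part.get_content_type() == "text/html":
            if SCRIPT_TAG.search(body):
                findings.append((name, "HTML attachment with <script>"))
    return findings


def build_sample() -> bytes:
    """Constructed test message; addresses and file names are made up."""
    msg = EmailMessage()
    msg["From"] = "notice@tax-office.example"
    msg["To"] = "user@company.example"
    msg["Subject"] = "Overdue tax bill"
    msg.set_content("Your invoice is attached.")
    msg.add_attachment(b"// harmless placeholder", maintype="application",
                       subtype="octet-stream", filename="Tax_Invoice.pdf.js")
    msg.add_attachment("<html><script>/* placeholder */</script></html>",
                       subtype="html", filename="statement.html")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                       subtype="pdf", filename="receipt.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in flag_attachments(build_sample()):
        print(f"QUARANTINE {name}: {reason}")
```

A filter like this catches the delivery mechanism, not the fake login page itself, so it works alongside user training, not in place of it.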
Stop Falling for Phishing: Corporate Security Awareness Training
Phishing scams are getting more and more sophisticated, and it can be difficult to stay ahead of them. Your best, first line of defense is Security Awareness Training—for yourself and for your company. This training will give you the tools to spot scams like these before you make a click that you will regret. Contact your Digital Agent to ask about Security Awareness Training and learn what you can do to protect yourself and your business from scammers.