Attackers and scammers keep refining their phishing techniques. Text-message scams in particular have risen sharply: according to Verizon's 2022 Mobile Security Index, 45% of organizations reported a mobile-related compromise in the preceding twelve months, and the FCC has issued a consumer advisory on robotext phishing. One of the best ways to protect yourself and your organization from phishing is to stay informed about the tactics criminals are currently using.
Phishing is a social-engineering attack in which an attacker impersonates a legitimate individual or organization to trick the victim into divulging sensitive information or installing malware. It can arrive over any channel: email, SMS, social media, even search-engine ads. An attacker may impersonate your company's IT department to obtain remote access to your computer, stand up a fake copy of your bank's website to harvest your login credentials, or take over a friend's social-media account to pull you into an investment scam. The following are recent, real-world phishing campaigns worth studying so that you can recognize the same patterns when they are aimed at your organization.
The Ryuk ransomware gang developed a spear-phishing technique known as "BazarCall." It works in four stages:
- A phishing email claims the victim has signed up for automatic payments on a subscription service and includes a phone number to call to cancel.
- If the victim calls the number, a "call center" operator pressures them to grant remote desktop control as part of the "cancellation" process.
- While the operator keeps the victim occupied, a more experienced attacker uses that remote session to establish a foothold in the victim's network.
- With that foothold, the attacker deploys malware to move deeper into the organization and to steal and exploit its data.
BazarCall is a form of callback phishing: the email carries no malicious link or attachment, only a phone number, so it sails past filters that look for those, and the technique is likely to become more common. The first red flag is the phone number in the email. Always go to the organization's official website and call the number you find there, rather than trusting a number sent to you in an unexpected email. The second red flag is the request for remote access. Never allow anyone outside your own IT department to control your desktop remotely, whatever company they claim to represent; doing so is equivalent to handing them a fully unlocked device.
One of the largest investment scams on record was recently uncovered in Europe. It targeted individuals in nine countries and involved more than 10,000 fake investment sites. Victims were led through a seemingly legitimate pipeline: a fake celebrity endorsement on social media, then a fake website, then a fake call center, and finally a fake investment dashboard showing their money's "growth." For all its sophistication, the biggest red flag was the initial promise: the scammers claimed they could nearly triple a victim's money in just three days. Treat any promise of "quick cash" or "astronomical returns" with skepticism, even when it appears to come from an influencer, a celebrity, or a contact you trust.
A tell-tale sign of a phishing email is that it comes from the wrong domain, usually one close to the impersonated company's real domain but not identical. A startlingly effective technique now being used against PayPal users sidesteps that check entirely by abusing PayPal's own invoicing feature. A PayPal account holder can send an invoice to any email address, and PayPal delivers the notification from its genuine sender address, so the message passes the usual sender checks and looks completely legitimate in the inbox. The fraud is in the content: the invoice, typically in its note field, carries a phone number to call to dispute or pay the charge. A victim who calls hands the attackers a working phone number for follow-on scams, and potentially their financial details as well.
Receiving an unexpected invoice is unsettling, but look carefully at its source before reacting. If you know you bought nothing from the company named on the invoice, assume it is a scam. If the invoice names a company you do recognize, look up that company's number independently and call its official line, and check the invoice by logging in to your PayPal account directly rather than through any link or number in the email; a genuine unpaid invoice will be visible there.
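The two red flags discussed above, a sender domain that merely resembles a trusted one and a callback phone number paired with a payment or subscription lure, can be turned into a simple mail-triage heuristic. The script below is an added example, not code from the original post or from any mail-security product: it assumes a small allowlist of trusted domains and three constructed sample messages, and it deliberately treats a callback lure as suspicious even when the sender domain is genuine, which is exactly the PayPal-invoice case.

```python
"""Heuristic triage of callback-phishing emails (added example; allowlist and samples are assumptions)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains the organization actually does business with.
TRUSTED_DOMAINS = {"paypal.com", "example-bank.com"}

# Substitutions commonly used in lookalike domains (digit-for-letter, rn-for-m, vv-for-w).
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))

# North-American style phone numbers; any callback number in a billing mail is the BazarCall red flag.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")

# Lures typical of callback phishing: a charge you must phone someone to stop.
CALLBACK_KEYWORDS = ("subscription", "auto-renew", "automatic payment", "invoice",
                     "charged", "renewal", "call us", "cancel")


def normalize(domain: str) -> str:
    """Lowercase and undo common confusable substitutions, e.g. paypa1 -> paypal."""
    d = domain.lower()
    for src, dst in CONFUSABLES:
        d = d.replace(src, dst)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain: str) -> str:
    """'trusted' (exact allowlist hit), 'lookalike' (imitates an allowlisted name) or 'unknown'."""
    d = domain.lower().rstrip(".")
    if d in TRUSTED_DOMAINS:
        return "trusted"
    nd = normalize(d)
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.rsplit(".", 1)[0]  # registrable label, e.g. "paypal"
        # Brand embedded anywhere (paypal-services.com, paypal.com.evil.net) or a near miss on the whole name.
        if brand in nd or edit_distance(nd, trusted) <= 2:
            return "lookalike"
    return "unknown"


def callback_indicators(text: str) -> dict:
    """Phone numbers and lure keywords found in the subject plus body."""
    lower = text.lower()
    return {"phones": PHONE_RE.findall(text),
            "keywords": [k for k in CALLBACK_KEYWORDS if k in lower]}


def triage(raw_email: str) -> dict:
    """Score one plain-text message: lookalike sender => high; callback lure => medium; else low."""
    msg = message_from_string(raw_email)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    body = msg.get_payload() if not msg.is_multipart() else ""
    ind = callback_indicators(f"{msg.get('Subject', '')}\n{body}")
    dclass = classify_domain(domain)
    if dclass == "lookalike":
        risk = "high"
    elif ind["phones"] and len(ind["keywords"]) >= 2:
        # A trusted sender does not clear this: the PayPal invoice lure really does come from paypal.com.
        risk = "medium"
    else:
        risk = "low"
    return {"domain": domain, "domain_class": dclass, "risk": risk, **ind}


# Constructed sample messages (not real mail); numbers are fictitious 555 placeholders.
SAMPLES = {
    "bazarcall": ("From: Billing <billing@paypa1-services.com>\n"
                  "Subject: Your premium subscription has been renewed\n\n"
                  "You have been charged $399.99 by automatic payment. "
                  "To cancel call (555) 013-7788 within 24 hours.\n"),
    "paypal_invoice": ("From: service@paypal.com\n"
                       "Subject: Invoice from Crypto Holdings LLC\n\n"
                       "Seller note: Your BTC purchase of $599.00 is pending. "
                       "If you did not authorize this, call us at 555-013-9900.\n"),
    "benign": ("From: newsletter@example-bank.com\n"
               "Subject: October statement is ready\n\n"
               "Log in at your usual address to view your statement.\n"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, triage(raw))
```

The "medium" verdict for the invoice sample is the point: the sender domain is genuinely paypal.com, so a domain-only check passes it, and only the combination of a phone number with billing language flags it for out-of-band verification.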
It takes practice to avoid phishing scams consistently. Attackers know exactly how to prey on their victims' fears and anxieties, and it is easy to make a rash decision when a startling or unexpected message arrives. We recommend that organizations run regular, company-wide security awareness training to keep staff current on phishing techniques. It is important to have a Plan B as well; ask Digital Agent about managed cybersecurity and disaster recovery solutions.
Digital Agent combines the latest technical innovations with old-fashioned service values, modeled on a family-run business with a commitment to customer care, personalized service, and attention to detail.