Kaspersky Lab’s latest report on phishing found that attacks have jumped 16% in the second quarter of 2019, compared to the same quarter in 2018.
Cyber criminals are continuing to take advantage of the trust between individuals and companies by using fake registration, subscription and feedback forms to get victims to reveal their personal details.
Looking at the stats
Kaspersky detected 129.9 million phishing redirects in the second quarter of this year; this accounted for part of the global torrent of spam email, which comprised 57.6% of all email traffic. The most targeted organisations were banks (30.7%), payment systems (20.1%), global Internet portals (18%), social networks (9%) and online stores (7.1%).
Greece came top for the proportion of Kaspersky users targeted by phishing (26.2%), followed by Venezuela (25.7%), Brazil (20.9%) and Australia (17.7%).
The source of spam emails was topped by China (23.7%), followed by the US (13.8%), Russia (4.8%), Brazil (4.6%) and France (3.1%).
Sources of spam by country, via Kaspersky
Maria Vergelis, a security researcher at Kaspersky, notes that cyber criminals are constantly changing their tactics and looking for new ways to deliver spam and launch phishing attacks:
“For example, they’re trying to exploit some popular legitimate services (such as online calendars), or use contact forms and registration services on sites. Such tricks allow them to send messages with legitimate headers and increase delivery rate. Of course, the main task of MSPs [managed service providers] and vendors now is to monitor such trends to react on time and improve their detection products.”
Top exploits in Q2 2019
1. Spam through Cloud-based storage services
Cyber criminals are using Cloud-based storage services such as Google Drive to mask their content and make malicious links appear trustworthy. Meanwhile, Google Calendar is being used to send meeting invitations containing malicious links, and Google Forms is being used to create bogus forms or surveys to collect victims’ personal data.
2. Baiting victims through sporting events, TV shows and films
The 2019 UEFA Europa League Final, the final season of Game of Thrones and the release of Avengers: Endgame were just some of the major entertainment events to be exploited by crooks.
Examples include invitations to watch sports broadcasts and offers of codes for a Game of Thrones mobile game in return for filling in a form. The scams asked the user to take a survey, provide personal details, subscribe to a service, install adware and so on; these steps are not only intrusive but potentially hand over personal data and credit card information to the scammers. And, in the end, you don’t even get to watch the Avengers.
3. Tax refunds
In many countries, the second quarter of the year is the deadline for submitting tax returns.
It can be a stressful, hectic time, which cyber criminals capitalise on by sending phishing emails that say the recipient is entitled to a tax refund, but only if they act urgently.
In examples detected by Kaspersky, the aim of such emails was to acquire personal information including bank card details and CVV codes.
4. Tourist phishing
People are increasingly falling victim to holiday and travel scams.
Kaspersky recorded a high number of phishing attacks targeting tourists and jet-setters with promises of cheap accommodation and flights. Links in phishing emails purportedly from organisations such as Airbnb, Expedia and Booking.com directed victims to fake websites with forms where they could enter their personal details.
Example of mirror image website used in phishing scams, via Kaspersky
5. Email services
Cyber criminals are imitating email services to steal login credentials from their victims.
These phishing emails are designed to look authentic, often including the email service’s logo and an email address almost identical to the service’s address. The emails usually say there is a problem with the user’s account, with instructions to click a link or open an attachment, and a threat of what will happen should the user fail to take action.
How to spot and avoid a scam
Our top tips for spotting and avoiding a scam:
- Always check the link address and sender’s email before clicking links in any emails.
- Look out for spelling and grammar mistakes.
- Never download or open unsolicited email attachments from unfamiliar addresses.
- Be suspicious of emails that create a sense of urgency and ask you to verify personal information.
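The tips above can be applied mechanically to a raw message. The following is an added example, not code from the article or from Kaspersky: it checks whether the sender’s address belongs to the domain named in the display name, whether each link’s visible text shows a different host from the one its href actually points to, and whether the wording creates a sense of urgency. The sample message and its domains are constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message; the sender domain is a placeholder, not a real indicator.
SAMPLE_EMAIL = """\
From: "Booking.com Reservations" <alerts@booking-com-verify.example>
Subject: Action required: your reservation will be cancelled within 24 hours
Content-Type: text/html

<p>Visit <a href="http://booking-com-verify.example/login">https://www.booking.com/myaccount</a> now.</p>
"""
URGENCY = ("within 24 hours", "immediately", "urgent", "will be cancelled", "action required")

class _Links(HTMLParser):
    # Collects (href, visible text) for every <a> in an HTML body.
    def __init__(self):
        super().__init__()
        self.pairs, self._href, self._buf = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._buf = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.pairs.append((self._href, "".join(self._buf).strip()))
            self._href = None

def check_email(raw):
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg["From"])
    sender = addr.rsplit("@", 1)[-1].lower()
    links = _Links()
    links.feed(msg.get_body(preferencelist=("html", "plain")).get_content())
    warnings = []
    # Sender check: the display name names a domain that the sender address does not belong to.
    for claimed in re.findall(r"[a-z0-9-]+\.[a-z]{2,}", name.lower()):
        if sender != claimed and not sender.endswith("." + claimed):
            warnings.append(f"sender domain {sender!r} does not match {claimed!r} in display name")
    # Link check: the visible link text shows one host while the href points somewhere else.
    for href, text in links.pairs:
        shown, real = urlparse(text).hostname, urlparse(href).hostname
        if shown and shown != real:
            warnings.append(f"link text shows {shown!r} but points to {real!r}")
    # Urgency check: wording that pressures the reader into acting before verifying.
    warnings.extend(f"urgency phrase: {p!r}" for p in URGENCY if p in raw.lower())
    return warnings
```

Running `check_email(SAMPLE_EMAIL)` returns five warnings for the constructed message; a message whose sender, links and tone are consistent returns an empty list.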
Protect your organisation from phishing emails
Remember these tips and look out for other clues so that you can spot a suspicious email before it’s too late.
Organisations that want to make their employees more vigilant should consider our Phishing and Ransomware – Human patch e-learning course.
This online training course is the perfect introduction to phishing, providing a crash course in email-based threats. In just a few minutes, you and your staff will understand what phishing is, how it works and what to look out for.