Phishing attacks affect individuals and organizations across the globe; however, they are particularly prevalent in the United States. According to the Federal Bureau of Investigation (FBI), phishing was the most common type of cybercrime in 2020, and the available statistics back this up. In 2016 there were 114,702 phishing incidents; by 2020 this number had almost doubled, to 241,324. In 2020, 74% of organizations in the United States reported a successful phishing attack, which is 30% higher than the global average. This figure is also a drastic increase, up 14% since 2019.
Threat actors use a few methods to target individuals and organizations with phishing attempts. The primary route is email, which accounts for 96% of attempts; the remaining 4% is made up of malicious websites (3% of incidents) and phone calls (just 1%).
Phishing attacks are not just about stealing individuals’ or organizations’ credentials or sensitive data; threat actors also use them for financial gain. The FBI’s Crime Complaint Center reported that in one year $57 million was lost to phishing attacks. Many phishing attacks contain links or attachments to convince victims of their authenticity. Often, these links in emails and texts lead to fake websites that ask victims to update their financial information with a company they already use regularly, for instance Amazon or Apple. When individuals or organizations in the United States receive communications from what they think are large companies they interact with regularly, they already have an element of trust in what they have been sent. This trust is what threat actors capitalise on in this kind of compromise.
To understand phishing attempts, we need to look at the methods threat actors use to target their victims. The first and most prominent method is email. Threat actors who use email for targeted attacks often build their content and subject lines around a theme. The following are subject lines that have been observed in previous real-life phishing attacks in the United States:
- IT: Annual Asset Inventory
- Changes to your health benefits
- Twitter: Security alert: new or unusual Twitter login
- Amazon: Action Required | Your Amazon Prime Membership has been declined
- Zoom: Scheduled Meeting Error
- Google Pay: Payment sent
- Stimulus Cancellation Request Approved
- Microsoft 365: Action needed: update the address for your Xbox Game Pass for Console subscription
- RingCentral is coming!
- Workday: Reminder: Important Security Upgrade Required
Phishing attempts won’t always ask for details or financial information immediately; they often appear to inform victims of key information that convinces them the communication is legitimate. These emails or texts may use the following ruses as convincers:
- say they’ve noticed some suspicious activity or log-in attempts
- claim there’s a problem with your account or your payment information
- say you must confirm some personal information
- include a fake invoice
- want you to click on a link to make a payment
- say you’re eligible to register for a government refund
- offer a coupon for free stuff
A common phishing scam in the United States is the Netflix payment scam. A malicious party attempts to obtain financial information from an individual via email. The email looks legitimate and uses the same branding and logo as Netflix. It describes a billing issue with the individual’s account and provides a quick and easy button that, when clicked, takes the victim to a fake billing update page. Once the card details are entered, the threat actor can use the stolen information.
There are ways to mitigate these phishing attempts, particularly when receiving seemingly legitimate emails from large companies such as Netflix. They are as follows:
- Check the address the email was sent from: is it the company’s legitimate email address?
- Do not click on any attachments or links until you are sure the email is legitimate; if you are unsure, always err on the side of caution and delete the email.
- Phishing attempts concerning billing issues are the most prominent. If you have received an email of this kind, first check your account in the official app or on the official website. If there are no billing issues on your account, you know the email is a scam; alternatively, you can update your details directly on the website or app to be safe anyway.
- Phishing emails are often sent to hundreds or thousands of individuals at a time, so they contain generic greetings such as ‘Hi you’ or ‘Hi Dear’; very few will contain your name.
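The checks in the list above (does the sender domain really belong to the brand named in the email, is the greeting generic, is the theme a billing lure, and do the links point at the brand’s own domain) can be applied mechanically to a message before anyone clicks. The following is an added example, not code from the original article: a small Python triage script that parses an RFC 822 message with the standard library and scores it against those checks. The brand allow-list, the two sample emails and their domains (`netflix-billing-update.example`, `mailer.netflix.com`) are constructed for illustration; a real deployment would take the allow-list from the organisation’s verified sender inventory.

```python
"""Heuristic triage of a suspected brand-impersonation email (added example).

Each check mirrors one of the manual mitigation steps: sender domain versus
the brand's real domains, generic greeting, billing/payment lure, and link
hosts that do not belong to the claimed brand.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed allow-list of domains each brand genuinely sends from.
# In practice this comes from the organisation's own verified sender inventory.
KNOWN_SENDER_DOMAINS = {
    "netflix": {"netflix.com"},
    "amazon": {"amazon.com"},
}

# Greetings that address nobody in particular ("Hi you", "Hi Dear", "Dear Customer").
GENERIC_GREETING = re.compile(
    r"^\s*(hi|hello|dear)\s+(you|dear|customer|user|member|valued customer)\b",
    re.IGNORECASE | re.MULTILINE,
)
# Billing-themed wording, the most common phishing pretext named in the article.
BILLING_LURE = re.compile(
    r"\b(billing|payment|declined|suspend|update your (payment|card|account))\b",
    re.IGNORECASE,
)
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def domain_matches(host, allowed):
    """True if host is one of the allowed domains or a subdomain of one."""
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in allowed)


def claimed_brand(display_name, subject):
    """Which known brand the message claims to come from, if any."""
    text = f"{display_name} {subject}".lower()
    return next((b for b in KNOWN_SENDER_DOMAINS if b in text), None)


def plain_text_body(msg):
    """Collect the text/plain content, whether or not the message is multipart."""
    if not msg.is_multipart():
        return msg.get_payload()
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            parts.append(part.get_payload(decode=True).decode("utf-8", "replace"))
    return "\n".join(parts)


def triage(raw_email):
    """Return the claimed brand, the real sender domain, and a list of findings."""
    msg = message_from_string(raw_email)
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    subject = msg.get("Subject", "")
    body = plain_text_body(msg)
    brand = claimed_brand(display_name, subject)
    allowed = KNOWN_SENDER_DOMAINS.get(brand, set())
    findings = []

    if brand and not domain_matches(sender_domain, allowed):
        findings.append(f"sender domain '{sender_domain}' does not belong to {brand}")
    if GENERIC_GREETING.search(body):
        findings.append("generic greeting instead of the recipient's name")
    if BILLING_LURE.search(subject + "\n" + body):
        findings.append("billing/payment pretext")
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname
        if brand and not domain_matches(host, allowed):
            findings.append(f"link host '{host}' is outside {brand}'s domains")

    score = len(findings)
    verdict = "suspicious" if score >= 2 else ("review" if score == 1 else "no indicators")
    return {"brand": brand, "sender_domain": sender_domain,
            "findings": findings, "verdict": verdict}


# Constructed sample: a Netflix-themed billing lure from a look-alike domain.
PHISH_SAMPLE = """\
From: Netflix Billing <support@netflix-billing-update.example>
To: recipient@example.org
Subject: Problem with your payment information
Content-Type: text/plain; charset=utf-8

Hi Dear,

We could not process your last payment. Update your billing details
here to keep your membership: http://netflix-account.example/update
"""

# Constructed sample: a message from a real brand subdomain, addressed by name.
LEGIT_SAMPLE = """\
From: Netflix <info@mailer.netflix.com>
To: alice@example.org
Subject: New arrivals this week
Content-Type: text/plain; charset=utf-8

Hi Alice,

New episodes of the shows you follow are now available: https://www.netflix.com/browse
"""

if __name__ == "__main__":
    for name, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        result = triage(sample)
        print(name, result["verdict"], *result["findings"], sep="\n  ")
```

A single finding is deliberately only a "review" verdict: a genuine statement email will also mention a payment, so the billing wording counts only in combination with a sender or link that does not resolve to the brand’s own domains. The subdomain check in `domain_matches` is what lets `mailer.netflix.com` pass while `netflix.com.example` does not.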
Following these mitigation techniques can help you not only spot phishing attempts but also avoid falling victim to them. However, if you think you may have fallen for a phishing scam, there are steps you can take. These steps were set out by the US Federal Trade Commission. If you think a scammer has your information, such as your Social Security, credit card, or bank account number, go to IdentityTheft.gov. There you’ll see the specific steps to take based on the information you lost. If you think you clicked on a link or opened an attachment that downloaded harmful software, update your computer’s security software, then run a scan.