by Jon Lober | NOC Technology
Updated January 26, 2024
As phishing becomes a part of our daily lives, we wanted to present our readers with some real-life examples of how phishing impacts real people and businesses every day.
Phishers have been testing the internet’s waters for years, and their skills have improved dramatically—as have their catches. Each service and resource that moves online represents an opportunity to land one more victim. Phishers keep trying out new lures, attempting to stay one step ahead of the tools and training of cybersecurity professionals.
NOC is reaching out to our community to ask for their own phishing stories, which we will share over the following weeks. Many stories will be anonymous, but we wanted to start with a recent personal story of a basic phishing attempt on one of our own staff’s personal email accounts.
Each of our “Phishing Reports” will include a detailed description of the phishing attempt, the methods used (the lures), the result (the catch), and suggestions for how readers can detect or avoid such an attempt.
The FBI (Federal Bureau of Investigation) defines phishing as “the use of unsolicited email, text messages, and telephone calls purportedly from a legitimate company requesting personal, financial, and/or login credentials.”
Practically, this means that someone contacts you, pretends to be from a legitimate company, and tries to get you to share your personal information with them. Once they have enough personal information, they can use it to access your accounts to steal your money, blackmail you, or sell your information on the dark web.
In its 2022 Internet Crime Report, the FBI recognizes phishing as the most commonly reported type of cybercrime, with more than 300,000 reported attempts in 2022 resulting in a combined loss exceeding $50 million.
Though most phishing happens through email, the crime has many variants. Smishing refers to such an attempt via SMS text. Vishing or “voice phishing” happens over the phone or through voice message. Angler phishing happens through social media accounts.
“Spear phishing” uses a full suite of refined social engineering tools to imitate real individuals that could be known or trusted by the target. These attacks normally aim to steal sensitive information or large amounts of money.
Due to its complexity, spear phishing is often classified completely separately from run-of-the-mill phishing. One specific subset of spear phishing, known as Business Email Compromise (BEC), is estimated by the FBI to be the second-costliest type of cybercrime—even surpassing ransomware. In 2022 alone, the FBI reported an astounding $2.7 billion in collective losses to affected businesses.
When successful, BEC attacks have the unsettling potential to shut down small businesses through loss of reputation in the marketplace, downtime, and the gaping hole they leave in business finances.
In our “Phishing Reports,” we will share a diversity of attacks—both successful and unsuccessful—and keep you informed of how you can protect yourself and your business.
In June 2023, one of our staff members received an email from “PP Support Team #9387” with the subject line: “Your Purchase E-Receipt. Your Invoice NoPRX7-Q8W3ER4C8B46813283555 of item.”
Attached to the main body of the email was a PDF invoice, purporting to be from PayPal. At first glance the invoice appeared legitimate and included PayPal’s official logo. It also referenced an order ID, an item name (Bitcoin BTC), a specific amount ($994.43), and a payment status. At the bottom of the invoice was a telephone number for the “Cancellation Department” for any desired recourse.
In this common phishing scenario, the phisher did not reach too deeply into their tackle box—choosing instead to use a common set of lures. Taken on its own, none of these methods makes for a terribly convincing scam, but combined they could be enough to dupe an untrained or unsuspecting victim.
The scammer was hoping that the combination of these elements would convince the recipient to either call the number listed at the bottom of the invoice or respond via email. In either case, the scammer would have asked the recipient for their personal or financial information to “verify the account” or “start the refund process.” This information is the end goal of phishing.
Although the bad actors behind this attempted fraud did use several effective techniques, they also made some mistakes. In addition to those mistakes, most phishing emails have a dead giveaway right at the very beginning for those who care to look.
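As an added example that is not part of this post, here is a defensive triage check in Python that scores an incoming message for the lure combination described above: a display name that claims a brand while the sender domain does not match, an invoice/receipt subject carrying an odd invoice number, a PDF attachment, a phone number placed beside refund or cancellation wording, and a cryptocurrency line item. The sample email, the extracted invoice text, the brand-to-domain list and the idea of checking the sender domain are constructed assumptions; pulling text out of the PDF is assumed to happen elsewhere.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Display-name hints for a brand -> domains assumed to legitimately send for it (assumption).
BRANDS = {"paypal": (("paypal", "pp support"), {"paypal.com"})}
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{8,}\d")
CALLBACK_RE = re.compile(r"cancellation|refund|verify", re.I)
CRYPTO_RE = re.compile(r"\bbitcoin\b|\bbtc\b|crypto", re.I)

# Constructed sample modelled on the lure described above; not the real message.
SAMPLE = """\
From: "PP Support Team #9387" <billing@example-mailer.test>
Subject: Your Purchase E-Receipt. Your Invoice NoPRX7-Q8W3ER4C8B46813283555 of item.
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/pdf; name="invoice.pdf"

%PDF-placeholder
--b1--
"""
# Constructed text as a PDF-to-text tool (assumed, not shown) would extract it from the attachment.
ATTACHMENT_TEXT = """PayPal Invoice  Order ID: PRX7-Q8W3ER4C8  Item: Bitcoin BTC
Amount: $994.43  Status: Completed
To dispute, call the Cancellation Department: +1 (555) 010-0199"""


def score_message(raw: str, attachment_text: str = "") -> list[str]:
    """Return the lure indicators found in a raw RFC 822 message plus its attachment text."""
    msg = message_from_string(raw)
    hits = []
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    for brand, (hints, domains) in BRANDS.items():
        if any(h in display.lower() for h in hints) and domain not in domains:
            hits.append(f"display name claims {brand} but sender domain is {domain}")
    subject = msg.get("Subject", "")
    if re.search(r"invoice|receipt", subject, re.I) and re.search(r"No\s*[A-Z0-9-]{10,}", subject):
        hits.append("invoice/receipt subject carrying an odd invoice number")
    if any(p.get_content_type() == "application/pdf" for p in msg.walk()):
        hits.append("PDF attachment")
    # Combine the attachment text with any plain-text body parts before scanning.
    text = attachment_text + "".join(
        p.get_payload(decode=True).decode(errors="replace")
        for p in msg.walk() if p.get_content_type() == "text/plain")
    if PHONE_RE.search(text) and CALLBACK_RE.search(text):
        hits.append("phone number beside refund/cancellation wording (callback lure)")
    if CRYPTO_RE.search(text):
        hits.append("cryptocurrency line item")
    return hits
```

Three or more indicators on one message is a reasonable threshold for routing it to a human reviewer rather than the inbox; tune the brand list and threshold to your own mail flow.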
Once a user has identified a fake PayPal email, how should they proceed?
Although this example is somewhat sloppy, similar attempts are prevalent and often painfully effective. In May 2023, the FTC (Federal Trade Commission) issued an alert to consumers about PayPal-related phishing. Both the FTC and PayPal ask affected consumers to forward such emails to them for analysis before blocking the sender and deleting the email from their inbox.
If you encounter such communication, never click any links, forward the email to the authorities, block the sender, and permanently delete the email.
Unfortunately, scammers are abusing far more than just PayPal. Read our other phishing reports to learn how to spot scams that spoof Geek Squad, Dicks Sporting Goods, QR codes, Microsoft 365, and others.