Phishing Attacks Became a 2020 Epidemic Amid Increased Use of Digital Services, Here’s How to Avoid Them

The top 10 phishing scams so far this year and ways to protect yourself.

Changing Communications


Key Takeaways:

October is Cybersecurity Awareness Month, and it’s more important now than ever to remain safe online.

  • Phishing scams are on the rise. The top phishing scams of 2020 homed in on fears about COVID-19, economic challenges, unemployment, and bills/purchases.
  • The Federal Trade Commission estimates that Americans lost $1.48 billion to phishing scams in 2018.
  • Phishing scams target consumers primarily through email, secondarily through text messages, and also through direct phone calls.
  • Follow the tips and advice provided by the National Cybersecurity Alliance.
  • Download the new Edison Mail+ security subscription for unparalleled inbox protection against phishing emails and superior control to identify and block bothersome SMS/text message senders and callers.

October is National Cybersecurity Awareness Month (NCSAM), the annual time that U.S. Homeland Security promotes online safety and mindfulness about digital threats against consumers today.

This year, in the wake of the COVID pandemic, consideration of cybersecurity has reached a new height of importance.

All of us are home more than ever before. More of us are relying on digital services and adopting online lifestyles to do our shopping, buy our groceries, food, and entertainment. Consumers are working from home and sending their children to virtual schools at unprecedented levels.

All of this is happening away from the safety of company IT security and network firewalls, at a time when our fear over our personal health and safety is at its highest. Sadly, scammers and cyber attackers know this, and have been using this opportunity to unleash a barrage of new phishing attacks on potential consumer victims.

The Top Phishing Scams of 2020

Seemingly as soon as the pandemic hit, scammers were coming up with new ways to take advantage of you. By engineering phishing emails about hot topics and phrases related to popular consumer online activities like shopping and streaming entertainment, scammers increase the chances of an unsuspecting consumer clicking infected links or malicious attachments. Here are some of the top phishing scams that made news headlines in 2020.

1. The COVID-19 Themed Phishing Scam

Back in March when panic about COVID-19 hit the US, phishing scam emails offering phony cures, fake masks, economic payment and stimulus checks, government impersonations, employment scams, and product shortage price gouging scams ran rampant.

The Better Business Bureau (BBB) issued a press release reporting an email impersonating them selling hand sanitizer after it was flagged.

Example phishing scam email impersonating the Better Business Bureau to fake sell hand sanitizer. PHOTO: THE BETTER BUSINESS BUREAU

Since the start of the pandemic, a whopping 1 in 4 Americans have received a COVID-19 related phishing email targeting the fears and sympathies many have regarding the pandemic. According to The Straits Times, in the first half of this year, the amount of money lost to such scams was about $268,000, which is 67 times the $4,000 lost during the same period last year.

The scammers behind these phishing scams are smart and constantly innovate their scams in order to get clicks and cash. There have even been larger scale and internationally coordinated phishing attacks like Russian cyber hackers who sent malware and fraudulent emails to UK, Canadian, and US organizations to access COVID-19 vaccine research and information about medical supply chains. Other cyber scammers used fake emails and cloned websites to try and trick German health authorities into spending $16 million on nonexistent face masks.

2. The Fake Invoice Phishing Scam

In January, Puerto Rico’s government lost more than $2.6 million after falling for an email phishing scam. The island’s Industrial Development Company transferred the money on Jan. 17 after receiving an email that alleged a change to a banking account tied to remittance payments.

In February, “Shark Tank” judge Barbara Corcoran lost nearly $400,000 in an elaborate email scam that tricked her bookkeeping staff into paying a fake invoice sent for a renovation payment.

Amazon was also victimized by a phishing attack in August after scammers in New York wrangled the company out of $19 million by sending the company fake vendor invoices.

3. The Tax Rebate Phishing Scam

Another phishing scam sent fake invoices to PayPal customers from the IRS as well as the World Health Organization (WHO) for something called a “2020 coronavirus tax rebate.” In an email that appeared as if it were sent from PayPal, unsuspecting PayPal users were informed that they were receiving an invoice and owed $100 for something called the “2020 coronavirus tax rebates.”

“Because you pay your income taxes on time, you have been awarded a free $12,500 government grant,” the fake invoice states. “To get your grant, simply give us your checking account information, and we will direct-deposit the grant into your bank account!”

Hoping to receive some extra financial help, victims paid anywhere from $20 to $250 each during a time when money was already likely low.

4. “Package Pending”/Shipping Confirmation Phishing Scam

The Federal Trade Commission (FTC) warned college students that a new package delivery scam might be targeting them via text message on their phones. The messages inform college students that a package shipped to them has been waiting for them since March, when many schools were shut down and students were forced to leave campus for home. The text includes a link to a website where the scam asks the recipient to enter login information for one of their accounts, such as their email or possibly bank credentials.

Another phishing email, reported to be targeting Amazon shoppers, impersonated Amazon with a phony shipping confirmation message listing a charge of several hundred dollars to entice consumers into clicking on a button to “View or manage order” and giving away their account credentials or other personal information.

More recently, a text message-based phishing scam claiming to have a delivery from USPS also made the news.

5. “You’ve Been Hacked” Phishing Scam

In January, Paul Krugman, the Nobel Prize-winning economist and columnist for the New York Times, fell for a phone phishing scam alleging his IP address was compromised and being used to download child pornography. After tweeting about the call from his “security service”, Krugman was alerted that the call itself was a phishing scam to get his information.

A variation of an Amazon phishing scam claims your recent Amazon order has been canceled due to fraudulent activity in your account.

Other instances of phishing scams similarly involve emails or calls to victims claiming they have been hacked and the scammer has indecent or lewd photos or video they will release publicly unless paid a form of ransom. This is also known as a “ransomware” attack.

6. Social Media Phishing Scams

In June, a LinkedIn phishing scam saw hackers send fake job offers to targeted individuals through LinkedIn’s messaging service. The messages contained malicious attachments designed to phish valuable data from aerospace and military companies.

On July 30th, Twitter revealed that hackers obtained user login credentials through a sophisticated spear-phishing campaign aimed at a select group of employees. Using these credentials, the hackers were able to gain information about Twitter’s internal processes, which ultimately gave them access to high-profile, verified Twitter accounts. The attackers then sent out fake tweets from these Twitter accounts and included links to a phishing website designed to steal cryptocurrency.

7. The Netflix Phishing Scam

Recently, an email or text message from Netflix asking you to update your payment details caught attention as a new type of phishing scam, as the streaming giant does not ask for credit card or bank account details via e-mails and text messages. Instances of the phishing scam seeking credentials due to Netflix account billing payment failures have been reported in several countries.

E-mail or text messages that appear to be from online services such as Netflix asking for your payment details are most likely phishing scams, as the streaming giant does not ask for credit card or bank account details via e-mails and text messages. PHOTO: SINGAPORE POLICE FORCE

8. Debt Consolidation/Bank Employee Phishing Scam

In May, calls to consumers from scammers impersonating Wells Fargo employees who were requesting the victim’s personal information were reported as a phishing scam promising to consolidate debt.

9. Microsoft OneNote Phishing Scam

A phishing campaign was recently discovered leveraging OneNote, Microsoft’s digital notebook that automatically saves and syncs notes, to bypass detection tools and download malware onto victims’ systems. In the scam, an email was sent to companies pretending to be a marketing manager sending an order invoice.

In an example of how complex phishing scams can be, threat actors swapped out the layout of a fake phishing-engineered OneNote page, cycling between four different templates to deliver a credential phishing portal and unique malware samples.

10. Apple iPhone 12 Phishing Scam

With the anticipation of Apple’s new iPhone 12, scammers have reportedly begun sending out SMS/text messages to potential victims in an effort to lure them into sharing credit card details.

“Congratulations, you received an opportunity to be in the testing group for our newest iPhone 12 as part of the Apple 2020 testing program,” the phishing message reads. It is intentionally designed to appear as though sent from an Apple chatbot.

Tips to Avoid Phishing Scam Efforts

The importance of cybersecurity in 2020 can’t be overstated. To help you learn how to avoid these pervasive online threats, we’ve compiled a list of ways you can stay safe this year and in the years to come.

Do your part, be cyber smart

This year, National Cybersecurity Alliance’s theme is “Do Your Part. #BeCyberSmart.” This theme is to empower both individuals and organizations to get the tools to protect themselves from cyber attacks and cyber hacks. Throughout the month of October they’ll produce weekly content that you can follow along with in order to be safer online. The topics are “If You Connect It, Protect It”, “The Future of Connected Devices”, “Securing devices at Home and Work”, and “Securing Internet-Connected Devices in Healthcare”. The last two themes are of particular importance in 2020, as so many people are now learning and working from home and the healthcare industry is increasingly relying on internet-connected devices.

To follow along with the National Cybersecurity Alliance, check out their website, and see how you can get involved.

Keep your kids safe online

If you’re a parent, there’s a good chance your children are currently distance learning. As they spend more time on their screens, they become exposed to increased danger. As UNICEF recently tweeted, “As we tackle #COVID19, many children’s worlds have shrunk to just their screens. This leaves them vulnerable to online sexual exploitation, grooming, violence and bullying.”

This isn’t to say that your child is in immediate danger, but it’s important now more than ever to have frank and honest conversations about the threats that exist online. The FBI recommends that you discuss internet safety with your children regularly, teach them about body safety and boundaries, remind them that online nothing is private, and encourage them to have open communication with you.

If your children are especially young, it may pay to set up some parental controls and monitor their online activity to make sure that nothing untoward is happening when you’re not there. PCMag has a list of their top options for 2020, as does TechRadar.

It’s also important to remember that while children born into the internet are able to better detect phishing threats, scammers are smart and are constantly reinventing their tactics. Remind your kids to not automatically trust any messages, especially if they sound too good to be true.

Reduce work from home risks

When we were all working in offices, we could rely on our company’s network firewall, secure wifi, and IT security team to keep us safe. But now that many of us have been left to fend for ourselves, armed with only our work computers and our home wifi networks, we’re much more vulnerable to cyber attacks.

The first things you should do — and probably should have been doing already — are use passwords for all your devices, encrypt devices that carry sensitive information, use multi-factor authentication, and update your software. The last item is especially important, as many of these software updates include bug patches and further protections.

It’s also important to secure your wireless network at home, particularly if you’re handling any sensitive data. Turn on encryption (usually WPA2 or WPA3) to ensure that nobody can read the information sent over your network. Learn more about how to secure your home’s wireless network from this FTC guide. You can also use a Virtual Private Network (VPN) to protect your online identity and browse more securely.

Lastly, reach out to your employer to make sure you’re following their guidelines and safety protocols. As your home is now another office extension, you’ll need to treat it as such.

Pay close attention to the emails you receive

Phishing attacks are an ever-growing threat and can do more than just scam you out of a few hundred dollars: they can gain access to your bank account, steal your phone number, infect your computer with malware, and steal your identity. While your email’s spam filter may catch many of the phishing emails headed your way, it unfortunately can’t catch all of them as these online scammers think of smarter tactics. On top of that, detecting these phishing emails only gets more difficult year after year.

Something to remember about these phishing emails that make it through your spam filter is that they are often made to elicit some strong emotion followed by action. This emotion may be sympathy, it may be rage or it may be fear. For example, many cyber scammers have started impersonating well-known companies that you subscribe to, letting you know that somebody has hacked your account and that immediate action is required. The first thing you should do when you receive this type of email is inspect the sender’s address to make sure it’s legitimate. If you’re not sure from that, you should look up whether or not that company sends emails like this. If they do, inspect what those emails look like and compare the two. It may also be helpful to look up if there are any reported phishing emails impersonating that company going around. If they’ve attacked you, they’ve likely attacked others as well.

But maybe you fell for a phishing scam and you replied with some sensitive personal information that could be used to steal your identity. What you should immediately do is go on IdentityTheft.gov and follow the instructions on the site. If you’ve accidentally downloaded what might be malware, try to update your computer and run a scan. More information about this can be found on the FTC website.

Use Edison Mail+ to keep your phone secure

However, you can only keep yourself so safe without some backup. You’re busy with your life, and you likely don’t have the time or energy to keep up to date with the latest techniques cyber hackers have come up with. For those with already too much on their plates, Edison Mail offers Edison Mail+.


Edison Mail+ is a subscription service offered by Edison Mail that brings groundbreaking digital safety technology straight to your mobile device. Edison Mail+ is the only service that offers a critical extra layer of deep-scan protection to detect, warn, and verify potential email attacks as soon as they enter your inbox. This ability, a feature in the service called Verify Sender, will save you precious time trying to decide if an email is legitimate or not by doing the work for you. A whopping 98% of email senders don’t configure their domains securely via DMARC and they require additional anti-phishing protection for effective security.

Verify Sender operates in the background as you use your email as usual, detecting name spoofing based on your previous communications, and alerting you if you’ve received an email from an invalid disposable domain. It applies four levels of deep investigation to new emails you receive; if an email sender or message doesn’t appear or react as authentic email should, you’ll see a warning in bright orange when you open the message.

Once you tap on this warning, you’ll be led to a page that walks through every check run — the validity of the email header, the validity of the email address, whether or not the address is found in a spam database, and if the sender is attempting to spoof someone’s identity — letting you know exactly where the risk is.
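To make the sender checks described above concrete (inspecting the sender's address, name spoofing against previous communications, disposable domains, and header validity), here is an added example in Python. It is not Edison Mail's code; the contact list, disposable-domain list, trusted server name `mx.example.net` and the sample message are all constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# All values below are constructed for this example.
KNOWN_CONTACTS = {"netflix": "info@mail.netflix.example"}  # from past mail
DISPOSABLE_DOMAINS = {"tempmail.example"}                  # stand-in list
TRUSTED_AUTHSERV = "mx.example.net"                        # our own mail server

SPOOFED = """\
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=tempmail.example; dkim=none; dmarc=fail header.from=tempmail.example
Authentication-Results: sender.example; spf=pass; dkim=pass; dmarc=pass
From: "Netflix Billing" <billing@tempmail.example>
Reply-To: collect@other.example
Subject: Update your payment details

Your payment failed.
"""

def auth_verdicts(msg):
    """Read SPF/DKIM/DMARC results, but only from headers our own server added."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        authserv, *results = header.split(";")
        if authserv.split()[:1] != [TRUSTED_AUTHSERV]:
            continue  # any sender can insert this header; ignore foreign ones
        for part in results:
            method, _, rest = part.strip().partition("=")
            if method in ("spf", "dkim", "dmarc") and rest:
                verdicts[method] = rest.split()[0].lower()
    return verdicts

def check_sender(raw):
    """Return {warning_code: detail} for one raw message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    warnings = {}
    if "@" not in addr or "." not in domain:
        warnings["bad_address"] = addr or "(empty)"
    # Display name matches a known contact, but the address is not theirs.
    for contact, known in KNOWN_CONTACTS.items():
        if contact in name.lower() and addr != known:
            warnings["name_spoof"] = f"{name!r} previously wrote from {known}"
    if domain in DISPOSABLE_DOMAINS:
        warnings["disposable_domain"] = domain
    verdicts = auth_verdicts(msg)
    for method in ("spf", "dkim", "dmarc"):
        if verdicts.get(method) != "pass":
            warnings[f"{method}_not_pass"] = verdicts.get(method, "missing")
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].lower().rpartition("@")[2]
    if reply_domain and reply_domain != domain:
        warnings["reply_to_mismatch"] = reply_domain
    return warnings

if __name__ == "__main__":
    for code, detail in check_sender(SPOOFED).items():
        print(f"{code}: {detail}")
```

The second `Authentication-Results` header in the sample claims everything passed, but it was not written by the receiving server, so it is ignored.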

Tighten Up Other Areas of Cyber Security

As with every other October, there are efforts from many organizations to raise awareness about the importance of different areas of cybersecurity. Edison Mail previously joined this important conversation in 2019 and 2017 with even more helpful tips and tricks to stay safe from malicious scammers targeting your online safety.

Since launching on iOS in April 2016, Edison Mail has blocked over 1 billion read receipt tracking attempts for its users, sent 14 million+ flight notifications (i.e. on-time vs. delayed, gate changes, etc.), provided shipping alerts for over 115 million packages, and organized over 660 million receipts. If you have any recommendations or requests for features you think will help make email more enjoyable, tweet us @Edison_Apps or email us at mailsupport@edison.tech.
