Phishing Tricks That Don’t Look Like Phishing
Modern phishing transcends the poorly-worded emails we used to associate with this type of cyberattack. It’s now an even more widespread, potentially highly sophisticated threat that even the most tech-savvy among us might not spot.
Here’s how phishing has evolved, and what you can do to remain safe.
Modern Phishing Techniques Explained
Modern phishing subverts every aspect of the scam’s traditional version, from the hooks used to payload delivery methods and outcomes. These are the particularly tricky variants to watch out for.
OAuth or consent phishing
This is an attack that piggybacks on legitimate services. First, attackers create a malicious app and register it with a legitimate authentication platform, like those from Google and Microsoft. Victims might then receive a message from a “colleague” with a link to a file that’s supposedly too big to attach to an email or in an obscure format.
They’re directed to an app consent screen that asks for invasive access to services like email, calendars, etc. Victims don’t suspect anything since the authentication portal itself is legitimate. However, the access they grant lets attackers sift through mail and documents, use the victim’s email address to trick others, and more.
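As an added example that is not part of the article, the following Python script shows a defender-side triage of app-consent grants that flags the invasive mailbox, calendar and file scopes consent phishing asks for. The event shape and sample grants are constructed for this example; the scope names are real Microsoft Graph delegated permissions.

```python
from dataclasses import dataclass

# Delegated Microsoft Graph permission names that give the mailbox, calendar
# and document access the attack relies on. The ConsentEvent shape below is
# constructed for this example; it is not a vendor's audit-log schema.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Calendars.Read", "Calendars.ReadWrite",
    "Files.Read.All", "Files.ReadWrite.All", "Contacts.Read",
}

@dataclass
class ConsentEvent:
    user: str
    app_name: str
    publisher_verified: bool   # did the identity platform verify the publisher?
    scopes: list

def risk_score(event):
    """Score one consent grant; higher means review it first."""
    score, reasons = 0, []
    risky = sorted(s for s in event.scopes if s in HIGH_RISK_SCOPES)
    if risky:
        score += 2 * len(risky)
        reasons.append("invasive scopes: " + ", ".join(risky))
    if "offline_access" in event.scopes:
        # offline_access yields a refresh token, so access persists without the user.
        score += 2
        reasons.append("offline_access grants a long-lived refresh token")
    if not event.publisher_verified:
        score += 3
        reasons.append("publisher not verified")
    return score, reasons

def triage(events, threshold=5):
    """Return (event, score, reasons) for grants that reach the threshold."""
    flagged = []
    for e in events:
        score, reasons = risk_score(e)
        if score >= threshold:
            flagged.append((e, score, reasons))
    return sorted(flagged, key=lambda t: -t[1])

# Constructed sample grants: a routine sign-in app, a mail-reading app from an
# unverified publisher, and a verified app with broad calendar and mail access.
SAMPLE_EVENTS = [
    ConsentEvent("alice", "Team Chat", True, ["User.Read", "openid"]),
    ConsentEvent("bob", "Invoice Viewer", False,
                 ["User.Read", "Mail.Read", "Mail.Send", "Files.Read.All", "offline_access"]),
    ConsentEvent("carol", "Calendar Sync", True, ["Calendars.ReadWrite", "Mail.Read"]),
]

if __name__ == "__main__":
    for event, score, reasons in triage(SAMPLE_EVENTS):
        print(f"{event.user} -> {event.app_name}: score {score}; " + "; ".join(reasons))
```

Lowering the threshold surfaces verified apps with broad mail scopes too, which is the trade-off between review workload and coverage.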
QR code phishing or quishing
Most people are rightfully hesitant to click on suspicious links, so attackers find ways to make the act seem less threatening. Scanning a QR code is familiar and seems safer to mobile users, but it can be just as devastating.
Quishing happens when attackers embed malicious links in QR codes. These can replace the links in a traditional phishing email but may also appear in e-receipts or out in the real world. The URLs encoded in the QR codes are usually shortened, which conceals their real destination. Accessing them may trigger a malware download or direct you to a fake login page that steals your credentials.
SMS scams
These are similar to classic phishing emails in the sense that they impersonate banks, companies, etc., and urgently want you to tap the link inside. Texts and services like iMessage are native to mobile phones, so messages received through them look legitimate.
Fake deliveries
This has become one of the most widespread forms of phishing since it exploits people’s online shopping tendencies and happens across platforms. You usually get an email, text, or social media notification claiming a delivery problem you can resolve by paying a fee or confirming your identity. It’s accompanied by a fake tracking link that leads to a credential-harvesting website or malware download.
Many people constantly expect packages and don’t give messages like these a second thought. Associated emails and websites use legitimate delivery company logos and layouts, making fraud detection even harder.
AI-augmented phishing
Artificial intelligence is being misused to create phishing scams that are exceptionally hard to detect. The next generation of spear phishing attacks and AI-generated messages are the most egregious examples.
Modern spear phishing uses AI to scrape the internet for available information on a company’s staff and activities. This lets attackers convincingly impersonate employees and contact their colleagues or higher-ups via email, LinkedIn messages, etc. These messages look professional and correctly reference detailed information or ongoing and past projects. Since recipients are used to such communication, they’re more likely to interact with included attachments and links.
The modern version of business email compromise (BEC) is even more disconcerting. Attackers generate deepfake audio or video clips that target high-ranking company officials or subordinates with the authority to transfer funds or reset credentials. An audio or video request like this sounds much more trustworthy than an email, so victims are more willing to comply.
Cybersecurity Tips for Staying Safe
Despite becoming more widespread and sophisticated, modern phishing still isn’t a match for the right combination of cautiousness, common sense, and the right cybersecurity tools. Here’s what you can do to stay safe.
Verify the message
The most straightforward way of confirming a suspected phishing attack is to contact the supposed sender via official means. Send a colleague a Slack message. Call the official number listed on your bank’s or a delivery service’s website. It’s quick and brings the ultimate peace of mind.
Use a VPN as a deterrent
While it won’t prevent you from clicking on a phishing link, a VPN can save you from the consequences. Quality paid VPNs come with a threat intelligence layer that scans for threats in real time. They’ll block access to any malicious website flagged by their up-to-date databases.
Enable multifactor authentication
Even if phishing tricks you into exposing an account’s login info, MFA may still prevent disaster. Active two-step verification means stolen credentials aren’t enough for account access. Since attackers don’t have your phone or biometrics, you can reset your login info and lock them out.
Use eSIMs when traveling
Using Wi-Fi, especially abroad, makes you more vulnerable to some types of phishing. For example, connecting to a cloned Wi-Fi hotspot in an airport can lead to a fake captive portal that extracts your login info. eSIMs bypass the need for Wi-Fi since they use local mobile networks with stronger encryption and wider availability.