8 Phishing Attack Examples for 2023 | Rivial Security

Written by Randy Lindberg | 07 Jan 2022

Phishing attacks appear to be on the rise. Forbes reported that Google registered more than two million phishing sites in 2020, up 27% from the previous year. Cases of identity theft and malware attacks have also spiked, making 2020 the worst year on record for data breaches and cyber attacks. Below we share eight phishing attack examples you need to be aware of and protect yourself from.

1. A call/email with a threat to deactivate/close an account

Any time you receive an email or phone call containing a threat or an urgent matter related to one of your accounts, treat it as a red flag. Unfortunately, this is one of the most prevalent phishing attack examples. In many cases there will be a demand attached to the threat, and you will feel a sense of urgency; the criminals are counting on your fear. They will ask you for sensitive data, and sometimes give you a web link where you can log in and “take care of the matter.”

The fix: Stay calm, and don’t click anything, visit unknown addresses, give any data, or pay for anything. Instead, do the following:

Phone Calls:

  • Tell the caller you will look into the matter and get back to them as soon as possible
    • If they protest when you try to hang up, that’s another red flag
  • Go to the account in question by typing the address you know to be correct into your web browser, or call the company they claim to be warning you about, and investigate the claim on your own
  • Block the caller once you determine the call was fraudulent (which it likely was)
    • Note: Some criminals have gotten sneaky and can spoof a legitimate number. This happened in 2020 with GoDaddy, when a hacking group spoofed the legitimate GoDaddy customer service number even though it wasn’t actually their team calling customers. Always use caution when you receive a call out of the blue, and call the legitimate number back after you investigate the matter

Emails:

  • First, never click any link in an email from a sender you don’t recognize. Read our post on how to tell if an email is fake or legitimate
  • Follow the same protocol as for phone calls: visit the website or call the company to investigate the claim
  • Flag the email as spam
    • If it was a PayPal email, forward it to spoof@paypal.com and they’ll investigate on your behalf
    • Other companies have similar reporting methods if you choose to warn them about fake and spoofed emails and websites

In most cases you will find that the caller or individual emailing you was not who they claimed to be. Bad actors often send fake emails and make phone calls in an effort to extort money or information out of their victims.

If you are at all concerned about your employees’ understanding of the importance of keeping your data secure, consider reaching out to Rivial Security for support with a social engineering test.

2. Websites that look like real websites, but are spoofed/fake

Sometimes we click links in search engines, on social media, and elsewhere, thinking we are headed to the intended address. In truth, we land on a fake website that has been made to look like the one we wanted to visit.

The fix: Use caution when clicking any link. It’s always best to type an address into your browser’s address bar to ensure you’re visiting the intended website. If you do click a link, look for the following warning signs to see if it’s a fake/spoofed site:

  • Read the address carefully for misspellings or strange characters - for example, mcd0nalds.com has a zero where the “o” should be
  • The logos are discolored - for example, the red Coca-Cola label appears almost orange or purple
  • Bad spelling and horrible grammar - legitimate companies make mistakes sometimes, but they are far less likely to have a page plagued with multiple errors
  • Broken links and/or pixelated images
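The misspelled-address check above can be automated for a mail gateway or browser plug-in. The following is an added Python example, not code from the original post: it folds look-alike characters (so mcd0nalds.com compares equal to mcdonalds.com), catches one-character typos, and flags a brand name buried inside some other domain. The allowlist of brands and the confusable-character set are assumptions you would replace with your own.

```python
from urllib.parse import urlsplit

# Constructed allowlist of brand domains this checker protects; substitute your own.
KNOWN_DOMAINS = {"mcdonalds.com", "paypal.com", "coca-cola.com"}

# Characters and digraphs commonly swapped for visual look-alikes (assumed set).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})
DIGRAPHS = (("rn", "m"), ("vv", "w"))


def host_of(url: str) -> str:
    """Lower-cased host of a URL (scheme optional), with any port and 'www.' prefix removed."""
    host = urlsplit(url if "//" in url else "//" + url).hostname or ""
    return host[4:] if host.startswith("www.") else host


def skeleton(name: str) -> str:
    """Fold look-alike characters so visually similar names compare equal."""
    s = name.lower().translate(CONFUSABLES)
    for pair, repl in DIGRAPHS:
        s = s.replace(pair, repl)
    return s


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str) -> str:
    """Return 'known' (allowlisted domain or its subdomain), 'lookalike:<brand>', or 'unknown'."""
    host = host_of(url)
    if any(host == brand or host.endswith("." + brand) for brand in KNOWN_DOMAINS):
        return "known"
    for brand in KNOWN_DOMAINS:
        brand_label = brand.split(".")[0]
        if (skeleton(host) == skeleton(brand)                   # mcd0nalds.com, paypa1.com
                or edit_distance(host, brand) <= 1              # mcdonald.com (one-letter typo)
                or any(brand_label in label for label in host.split("."))):  # paypal.com.verify-it.net
            return f"lookalike:{brand}"
    return "unknown"
```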

The best advice we can offer here is when in doubt, close the page!

3. “Evil Twin” Wireless Connections

This is one of the more recent phishing attack examples, and it involves creating fraudulent Wi-Fi access points. Essentially, the user thinks they are connecting to a free and legitimate Wi-Fi hot spot, when in fact one or more characters in the network name have been changed, leading the user onto a network that allows cybercriminals to eavesdrop. While you’re on “their network” they can see the websites you are visiting, steal your passwords, and monitor your activity for other sensitive data.

The fix: Either avoid free Wi-Fi hot spots completely, or at least confirm you have the correct network information before blindly connecting. Also, when on a free Wi-Fi hot spot, never visit a website you have to log into, such as your bank or even Facebook. Read the FTC’s Tips for Using Public Wi-Fi Networks for more advice.

4. Phishing via Smartphone

Another of the more recent phishing attack examples, phishing via smartphone typically involves sending a text message with a link to a fraudulent website. The most common fake text messages are to let you know about the status of a delivery via UPS, FedEx, or USPS. However, other examples include warnings of overdrafts and unauthorized access to your accounts.

The fix: Never click a link in a text message. Instead, investigate the claim by visiting the website directly, or by calling your bank (if applicable). And if you didn’t order anything and aren’t expecting a delivery, it is even more likely that the text was fraudulent.

5. Phishing on Social Media

Criminals are getting quite good at spoofing social media accounts. They copy every detail and even download the images of the person to create an account that looks identical to the person they are pretending to be. Then, they send a friend request to all the people on the actual person’s friends lists hoping no one will notice it’s a duplicate account.

The fix: Always check whether you’re already connected with an account of the same name. If so, it’s likely that a spoofed account is contacting you.

Another key indicator that an account is fake is that it has only one or two, or at most a handful of, friends. Also look for a lack of updates, or for several updates all posted within the last week. Finally, if you can, contact the actual person directly and ask whether they are the one who reached out.

6. Malware or Malicious Advertising

Typically, this phishing technique involves fake ads or pop-ups with the hope you will click it and be directed to a malicious website. CSO Online explains that on some legitimate websites, cyber criminals will purchase advertising and place malicious ads in the space. The bad actors will place ads that “appear legitimate, [but] they have malicious code hidden inside them. Bad ads can redirect users to malicious websites or install malware on their computers or mobile devices.”

The fix: Use caution with every web click. If an ad says it will direct you to a website, hover over the ad with your mouse and check the address you will actually be sent to. As always, the best option is to type the web address directly into your address bar to ensure you are going where you intend to.

7. Promises of a Windfall

This phishing technique has been around for decades, and is often referred to as the Nigerian email scam. You receive an email or phone call saying you won a prize, or that you are receiving an inheritance. All you have to do is give your bank account information.

The fix: If it seems too good to be true, odds are it’s a phishing attempt. Never give your banking details to an unknown caller.

8. Fake Government Agency Warning

Luckily, most people are getting wise to phishing attack examples like this. For those who aren’t aware, the way these warnings work is that you receive a phone call or an email claiming that you are being investigated for a crime or a violation of some penal code.

The fix: Government and law enforcement officials will never email you or call you as a first method of contact in the event you are actually being investigated. And, they will never demand payment to settle a claim via email or phone either.

Over to you - were you aware of these common phishing attack examples? Or did some of these surprise you? If you know someone who could benefit from seeing this post, please share it with them. We all must do what we can to protect ourselves from nefarious individuals. Hopefully, this post will inspire you to be a little more careful when interacting online and answering phone calls.

Looking for support on understanding how phishing attacks can harm your business? Get an IT Risk Assessment from Rivial Security or schedule a strategy session with us today: