Story image

Caught in the wild: A look at email scams and spam

21 Aug 2018

When we first opened our doors nearly 15 years ago, spam was causing major problems in corporate inboxes. While spam bogged down users, the messages themselves weren’t typically malicious. A lot has changed since then.

Today, cybercriminals are using all types of tactics to launch attacks through email, including some clever phishing campaigns where the most effective line of defence is the human firewall.

The human what? In a world where organisations have vendors jumping in front of each other to deploy their “best-of-breed” security solutions at headquarters and everywhere else, the only thing between your company and a ransomware attack could be whether or not your users click or don’t click on a malicious link.

Every day cybercriminals come up with a wide variety of phishing tactics with the intent of scamming innocent users. In May alone, Barracuda blocked over 1.5 million phishing emails and saw over 10,000 unique phishing attempts – the same email content, potentially sent to hundreds or even thousands of people. In most of June, Barracuda blocked 1.7 million phishing emails with over 2,000 unique attempts.

Here are some of the real attempts sent by criminals:

1. Money scam

Criminals attempt to scam users out of money. In similar attempts, we’ve also seen criminals try to acquire information or infect a computer with malware.

Money scams like this are fairly common. They often promise a large sum of money to the user like this one. When the recipient replies, the criminals usually request a smaller sum from the user, and in return, promises to send a larger sum back — which of course never happens.

2. Information scam

Cybercriminals attempt to gather information from a user. In this case, a spoofed bank message tries to convince the user to act on their request.

The criminals did a decent job of making this message appear to actually come from a bank. However, if the user clicks on the link, they could be prompted to enter their credentials in a different window — ultimately surrendering their username and password.

3. Malware distribution

Another common problem users face from phishing is the distribution of malware. The goal is to trick a user into either opening an attachment or clicking on a URL.

In this example, criminals are trying to convince the user to open an attachment by acting as if the document is pertaining to an urgent matter. For the malware to work, criminals have to get the user to install the software on their computer. Malware can be distributed in many forms including viruses, worms, bots, ransomware, password stealers and more.

4. Multiple file extensions

Phishing attempts often require a user to open an attachment to install malware. However, there are a lot of different ways criminals attempt to convince users to do this. One way is that they’ll include attachments with multiple file extensions in an attempt to trick users into thinking that the file type is different than it actually is.  

Here the criminals are using a “PDF.zip” file extension, which should raise a red flag to the user because they’re two different file types. However, this could easily be looked past since they’re also file types that most people would find familiar.

5. Disguised links

Not all threats come in the form of email attachments, which is why links should also be handled with just as much scrutiny.

The link itself doesn’t look suspicious; however, the link actually points to an entirely different URL. Not only can links like this be used to spread malware, they can also direct users to sites set up by criminals to capture credentials or other personal information.

When unsure, don’t click on a link. You can also hover the cursor over the link without clicking, to identify the actual location of a link.

6. Spear phishing   

While phishing refers to mass targeting, spear phishing messages are specifically crafted to target a single, specific individual to create a sense of trust with that person. Spear phishing attempts regularly use impersonation techniques to convince recipients that the message is coming from a real source.

Effective spear phishing takes a great deal of reconnaissance about the target to increase the probability of a user actually falling for an attack. Here’s an example where criminals actually took the time to register a deceptive domain that contains the name of an actual entity to appear legitimate.

They obviously want the message to appear like it’s coming from Netflix; however, if you look closely at the URL, you’ll notice that “Netfliix” is actually spelt incorrectly. This technique is called typosquatting, which is often used to sell the ruse when the attacker wants the user to click a link.

Take action 

All of these examples are just a small sample of the many variations of phishing scams criminals are sending out each day, but they certainly make the case for why today’s users need to be properly trained to stay safe online.

The best defence against phishing and spear phishing is to make users aware of the threats and techniques used by criminals. The best approach is to implement a simulation and training program to improve security awareness for your users, to help them recognise subtle clues to identify phishing attempts.

Article by Barracuda Networks senior sales engineer Mark Lukie.

Security flaw in Xiaomi electric scooters could have deadly consequences
An attacker could target a rider, and then cause the scooter to suddenly brake or accelerate.
Four ways the technology landscape will change in 2019
Until now, organisations have only spoken about innovative technologies somewhat theoretically. This has left people without a solid understanding of how they will ultimately manifest in our work and personal lives.
IDC: Top 10 trends for NZ’s digital transformation
The CDO title is declining, 40% of us will be working with bots, the Net Promoter Score will be key to success, and more.
Kiwi partner named in HubSpot’s global top five
Hype & Dexter is an Auckland-based agency that specialises in providing organisations with marketing automation solutions.
Moustache Republic expands Aussie presence with new exec
The Kiwi digital commerce partner has appointed a Sydney-based director to oversee the expansion of the company’s Australian footprint.
Epson’s new EcoTank range with two years printing per tank
With 11 new EcoTank printers that give an average user two years of printing and cost just $17.99/colour to refill, Epson is ready to change the game.
Te reo Māori goes global via language app called Drops
If you’re keen to learn a few words of Māori – or as much as 90% of the language, you may want to check out an Android and iOS app called Drops.
Reckon Group announces a steady profit in 2018
Reckon continued its investment in growth throughout the year with a development spend of $14.3 million.