As the world grows increasingly digital and dependent on the internet, cyberthreats are constantly evolving to clash with newer and more rigid security features. Despite cybercriminals’ propensity for finding new and innovative ways to take advantage of their targets, however, there are also tactics that have been in use since the early days of the internet. These tried-and-true methods continue to work more than 25 years after the advent of phishing, but educating yourself on what scams look like can help you not to fall victim to them.
1. Impersonating known senders
“Every phishing scam involves imitation”, and this has been true since phishing began. This is how scammers pull their victims in, using an assumed identity and falsified credentials to lower their guard, hence the term phishing. Imitating an institution or figure that is known to and trusted by the recipient increases the chances that the message will be viewed and read with an open mind. The “lure” can come in many forms, but it relies principally on making the target believe that the message originates from a legitimate source in order to draw them in.
Scammers will send emails that are fabricated to look like they come from a company, website, or public figure. When people receive these emails, it lulls them into a false sense of security to think that it is an official communication. Along with other tactics, this strategy ultimately serves to make the victim share personal information, submit a payment, download malware, or otherwise compromise their security.
2. Malicious links and files
Many of the messages sent by scammers tend to contain links or file attachments. Of course, many innocuous emails also contain links and attachments, which is why this tactic continues to work. Links can be tampered with so they look official and above-board to trick targets into clicking on them, only to be redirected or otherwise duped. A link file attachment that seems to be coming from a major corporation or the like is one that people implicitly trust, and that can be their downfall.
The attacks contained in these files and links range from malware and bugs, to a fake landing page that requests login credentials. Whatever the criminals want from their victims, be it money or data or simply to infect their devices, they achieve it by playing on the well-known human tendency to curiously open a file or link without thinking too hard about whether the source is secure or trusted or, indeed, whether the source is even what it is purported to be.
3. Manipulating expectations
One of the strongest tools in the cybercriminal toolkit is the use of social engineering to maximize the chances of an attack’s success. In fact, social engineering is a strong factor in why impersonating trusted senders and including links and files are such effective tactics, but it goes far beyond that, as well. In addition to being comfortable with technology, attackers have to understand how people work and think in order to effectively carry out a scam.
More often than not, phishing attacks require an action on the part of the recipient in order to take effect, so the message often has precise wording that is strategically selected to spur the recipient to action. This includes missives requesting a time-sensitive response, which encourages the target to act now and ask questions later. Attacks also play on the human desire to help others, such as by impersonating a family member asking for money, as well as sheer curiosity, like when an official-looking link entices you to click on it.
4. Adapting tactics
Almost counterintuitively, a time-honored tactic in phishing is to adapt it for various purposes over time. The first phishing scams were carried out on America Online (AOL) when it was the number one internet provider and still somewhat new. The growth of the internet since then has been rapid and constant, and cybercriminals have always been quick on the heels of new developments to take advantage of the novelty and the vulnerability of systems with kinks that have yet to be worked out. Scammers will always jump on an opportunity to take advantage of different media and technologies.
Phishing attacks have been carried out not just through email, but phone calls, text messages, and social media. As security systems have become more stringent, cybercriminals have become more savvy: some attacks, for example, impersonate websites’ two-factor authentication pages. With the growth of online banking and all industries becoming increasingly digital, scammers have seized the chance to impersonate corporations and financial institutions. More recently, phishing has been used in attacks concerning Non-Fungible Tokens (NFTs) and cryptocurrencies.
While some cyberattacks are extremely easy to spot, containing spelling and grammar issues or obviously originating from an unofficial source, others are insidious and effective. Being aware of the tricks that scammers use is the only way to begin to prepare for, and hopefully prevent, cyberattacks. Watching out for these sneaky tactics and staying on guard when it comes to internet communications is a big step in protecting yourself against phishing and other scams.
About the Author:
PJ Bradley is a writer on a wide variety of topics, passionate about learning and helping people above all else. Holding a bachelor’s degree from Oakland University, PJ enjoys using a lifelong desire to understand how things work to write about subjects that inspire interest. Most of PJ’s free time is spent reading and writing. PJ is also a regular writer at Bora.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.