Catches of the month: Phishing scams for June 2021

Welcome to June’s review of phishing scams, in which we look at the criminals’ latest tactics and provide examples of successful frauds.

This month, we examine a scam in which victims are sent a cryptic email asking if they want to unsubscribe from an unnamed service, and look at the rising trend in phishing attacks targeting high street banks.

Fraudsters bamboozle victims with ‘unsubscribe’ options

A recent Bleeping Computer article took a closer look at one of cyber criminals’ more puzzling tactics.

These scams don’t imitate a legitimate organisation or suggest that something terrible will happen if recipients don’t act now. They simply ask if you want to subscribe or unsubscribe.

They don’t explain who the email is from or what the recipient is subscribing or unsubscribing to.

You might think, therefore, that this is just a basic spam campaign. But as Bleeping Computer explains, there’s a lot more to it.

The emails are intended to verify if the email addresses are valid and whether recipients are likely to respond to unsolicited messages.

Anyone who responds to the message will find that their reply is sent not just to one email address but to dozens.

For fraudsters, the purpose of these emails is to identify people who are likely to respond to scam emails.

Once they’ve identified a potential target, the crooks will then bombard the victim with scam messages in the hope that they fall for one of them.

As such, anyone who receives an unsolicited email asking if they want to subscribe or unsubscribe should mark it as spam and not respond.


Test your employees’ ability to detect a scam with our simulated phishing attack

Our Simulated Phishing Attack service sends your employees a typical example of a phishing email without the malicious payload.

This gives you the opportunity to monitor how your employees respond. Do they click a link right away? Do they recognise that it’s a scam and delete it? Do they contact a senior colleague to warn them?


Scammers imitate Santander in a pair of vishing scams

Banks are frequently used as bait in phishing attacks – so it’s perhaps not a surprise that we found two such scams this month, both of which emulate Santander.

The first involved an SMS supposedly from the bank claiming that a new device had been registered for online banking.

The message read, “If this was NOT done by you, please visit: internet-security-verifydevice.com/santander.”

Eagle-eyed readers should suspect that this is a scam because Santander isn’t in the domain name (i.e., ‘internet-security-verifydevice.com’). Anyone can purchase a domain like this, then create parts of its website dedicated to different banks, including Santander.

This is a common trick among scammers, and it’s highly successful. Many people aren’t aware of the structure of domains and subdomains, so when they see the name of the organisation, they have no reason to doubt its legitimacy.

However, this scam demonstrates how important it is to take a closer look at any links you are sent. It only takes a moment to do, and it’s a sure-fire way of protecting yourself from one of the biggest pitfalls people fall into.
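To illustrate the domain check described above, here is a small added example (not part of the original article) that parses a link and flags cases where a brand name appears in the path or subdomain while the registrable domain belongs to someone else. The allow-list of legitimate brand domains and the simplified public-suffix handling are assumptions for the demonstration.

```python
from urllib.parse import urlsplit

# Constructed allow-list of legitimate hostnames for the brands in this article.
# A real deployment would maintain this list per organisation.
KNOWN_BRAND_DOMAINS = {
    "santander": {"santander.co.uk", "santander.com"},
    "royalmail": {"royalmail.com"},
}


def registrable_domain(hostname: str) -> str:
    """Return the owner-controlled part of a hostname (e.g. 'example.com').
    Simplified: only the common UK two-part suffixes (.co.uk etc.) are handled;
    production code should use a full public suffix list."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-1] == "uk" and labels[-2] in {"co", "org", "gov", "ac"}:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def analyse_link(url: str) -> dict:
    """Flag a link when a known brand name is present in the subdomain or path
    but the registrable domain is not one of that brand's own domains."""
    if "://" not in url:
        url = "http://" + url  # links in SMS messages frequently omit the scheme
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reg = registrable_domain(host)
    # Everything left of the registrable domain is attacker-controlled subdomain text
    subdomain = host[: -len(reg)].rstrip(".") if host.endswith(reg) else host
    path = parts.path.lower()
    findings = []
    for brand, legit_domains in KNOWN_BRAND_DOMAINS.items():
        if reg in legit_domains:
            continue  # the brand really owns this domain
        where = []
        if brand in subdomain:
            where.append("subdomain")
        if brand in path:
            where.append("path")
        if where:
            findings.append(f"'{brand}' appears in {' and '.join(where)} but the domain is {reg}")
    return {"registrable_domain": reg, "suspicious": bool(findings), "findings": findings}


if __name__ == "__main__":
    print(analyse_link("internet-security-verifydevice.com/santander"))
```

The same check also catches the subdomain variant (a brand name placed left of the real domain), which the article notes people often mistake for legitimacy.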

Meanwhile, the Guardian reported on another scam in which attackers replicated Santander.

It began with a Royal Mail postage fee scam, with the victim – 70-year-old Julia Whittaker – being asked to pay a £2.99 delivery fee, but escalated into a far more elaborate scheme.

Once the scammers had captured Whittaker’s bank details, they phoned her claiming to be from the fraud department of Santander.

Over the next few days, the scammer convinced Whittaker that her bank account had been compromised, and persuaded her to visit her local branch and transfer £35,000 to a different bank account, where it would supposedly be safe from the criminals.

Unfortunately, the account belonged to the attackers themselves, and although Whittaker eventually got the money back, not everyone is so lucky.

Can you spot a scam?

Make sure your staff know how to identify and avoid scams with our Phishing Staff Awareness Training Programme.

This 45-minute course uses examples like the ones above to explain how phishing works, what to look out for and the steps you should take to avoid falling victim.