Catches of the month: Phishing scams for October 2020

In our latest round-up of phishing scams, we look at how and why the rise in remote working has made us more susceptible to fraud.

We also explain why you should be careful if you receive an email telling you to complete a staff awareness training course, and discuss a new SMS scam that offers you an iPhone 12.

Working from home increases the threat of phishing

Organisations believe that their employees are at greater risk of phishing scams while working from home, according to a new report.

Cyber security firm Tessian found that 57% of employees are more reliant on email to communicate with colleagues when working remotely than they were in the office.

This makes sense, because staff no longer have the option of talking to each other at their desks, and many organisations don’t have an instant messaging client to help employees stay in touch.

As such, there are more emails going back and forth, creating a variety of threats. For a start, it’s easier for a cyber criminal to mimic a colleague, as people in your team are now more likely to email you a request, an attachment or a link rather than simply telling you in person.

Also, an influx of emails might overwhelm employees and make them more complacent. With so many messages to get through, they may fail to notice when something seems suspicious.

According to Tessian, organisations are right to be concerned, with phishing attacks between March and July 2020 increasing by 27% compared with the previous five months. Meanwhile, ransomware delivered through phishing increased by 30% and smishing (text message scams) increased by 29%.

Unfortunately, organisations don’t have much choice when it comes to employees working remotely. The UK government is again advising employees to work from home where possible, so these risks will remain for the foreseeable future.

It’s therefore more important than ever to teach staff about the threat of phishing and to provide staff awareness training.

The good news is that 58% of respondents said they intend to introduce more security training, but as our next story demonstrates, organisations and employees must be careful about how they do this.

Employees tricked by staff awareness scam

Researchers at Cofense have discovered a phishing scam purporting to be a staff awareness course.

The scam is perfectly timed, as organisations across the globe ramp up their training efforts in order to protect themselves from phishing.

The email claims to be from cyber security training provider KnowBe4, and states that the recipient must complete the course within the next day.

It adds that the training course isn’t available on the staff portal, instead linking to an address that closely resembles KnowBe4’s – except there is a full stop between the ‘be’ and the ‘4’.

Those familiar with phishing will probably pick up on that, or perhaps a few of the grammatical inconsistencies that are tell-tale signs of a phishing email.

Unfortunately, those who are most in need of staff awareness training are the ones most likely to fall for the scam.

Apple chatbot message proves that SMS scams are still a threat

You might have thought that the declining use of text messaging – as we rely more on instant messages and email – would spell the end of SMS scams, but as cyber security researcher Paul Ducklin recently demonstrated, this is far from the case.

He explained that the formatting and character limits on texts make it easier for cyber criminals to avoid the grammatical and stylistic errors that might otherwise thwart their attempts.

Likewise, businesses that send SMS messages often use URL shorteners to save space, which gives cyber criminals the perfect opportunity to hide malicious links.

He demonstrates how this works with a scam message that offers recipients a free iPhone:

Tapping the link opens it in your browser, and you have to be eagle-eyed to notice that the destination differs from the link shown in the message, because the address bar disappears as soon as you start scrolling.

But even if you can’t rely on spotting grammatical errors or bogus links, the biggest giveaway when it comes to scams remains true: if it seems too good to be true, it probably is.

If you receive a text message saying you’ve won a new phone or some other prize, you should always be sceptical. These kinds of messages are rarely genuine, so it’s essential that you take the time to look for anything suspicious.
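As an added defensive illustration, not code from the original post or from Tessian, Cofense or KnowBe4: a small Python link checker that flags the two tricks described in the stories above, a separator inserted into a trusted domain name (the ‘be’ and ‘4’ split by a full stop) and a public URL shortener hiding the real destination. The trusted domains, the sample email and SMS, and every `.example` hostname are constructed placeholders; the shortener list names a few well-known public services.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist: the domains this organisation genuinely uses for
# training and intranet links (placeholders on the reserved .example TLD).
TRUSTED_DOMAINS = {"knowbe4.example", "corp-portal.example"}

# A few well-known public URL shorteners. A shortened link is not malicious in
# itself, but it hides the destination, so it is flagged for expansion first.
SHORTENER_DOMAINS = {"bit.ly", "tinyurl.com", "t.co"}

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")


def host_of(url: str) -> str:
    """Lowercase hostname of a URL, or '' if none can be parsed."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    return "" if any(ch.isspace() for ch in host) else host


def is_trusted(host: str) -> bool:
    """True when host is a trusted domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def _collapse(name: str) -> str:
    """Drop the separators a lookalike shuffles around, so that
    know.be4.example, knowbe-4.example and knowbe4.example all become
    'knowbe4example' and can be compared directly."""
    return name.replace(".", "").replace("-", "")


def classify_link(url: str) -> str:
    """Return one of: no-host, trusted, shortened, lookalike-of:<domain>, unknown."""
    host = host_of(url)
    if not host:
        return "no-host"
    if is_trusted(host):
        return "trusted"
    if host in SHORTENER_DOMAINS:
        return "shortened"
    flat = _collapse(host)
    for domain in sorted(TRUSTED_DOMAINS):
        if _collapse(domain) in flat:
            # The brand name survives, but the registrable domain is not ours:
            # either a separator was inserted (know.be4.example) or the brand
            # was used as a subdomain of somebody else's domain.
            return f"lookalike-of:{domain}"
    return "unknown"


def scan_message(text: str) -> list[tuple[str, str]]:
    """Extract every URL in a message and classify it."""
    return [(url, classify_link(url)) for url in URL_RE.findall(text)]


# Constructed sample messages modelled on the two scams described in the post.
SAMPLE_EMAIL = (
    "Your mandatory security awareness course must be completed by tomorrow.\n"
    "The course is not on the staff portal; start it here: "
    "https://know.be4.example/course/start\n"
    "Help: https://intranet.corp-portal.example/help\n"
)
SAMPLE_SMS = (
    "Congratulations, you have been chosen for a free iPhone 12: "
    "http://bit.ly/constructed-example"
)

if __name__ == "__main__":
    for sample in (SAMPLE_EMAIL, SAMPLE_SMS):
        for url, verdict in scan_message(sample):
            print(f"{verdict:<30} {url}")
```

The check deliberately compares the collapsed hostname rather than looking for an exact spelling, so it also catches the trusted name used as a subdomain of someone else’s domain. A “shortened” verdict is a prompt to expand the link (for example with a HEAD request in a sandbox) and classify the final destination before anyone taps it.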

Can you spot a scam?

Make sure your staff know how to identify and avoid scams with our Phishing Staff Awareness E-Learning Course.

This 45-minute course uses examples like the ones above to explain how phishing works, what to look out for and the steps you should take to avoid falling victim.