{"id":108247,"date":"2022-12-06T10:00:01","date_gmt":"2022-12-06T10:00:01","guid":{"rendered":"https:\/\/kasperskycontenthub.com\/securelist\/?p=108247"},"modified":"2022-12-06T09:18:33","modified_gmt":"2022-12-06T09:18:33","slug":"phishing-scam-techniques-tricks","status":"publish","type":"post","link":"https:\/\/securelist.com\/phishing-scam-techniques-tricks\/108247\/","title":{"rendered":"Main phishing and scamming trends and techniques"},"content":{"rendered":"

There are two main types of online fraud aimed at stealing user data and money: phishing and scams. Phishers<\/strong> primarily seek to extract confidential information from victims, such as credentials or bank card details, while scammers<\/strong> deploy social engineering to persuade targets to transfer money on their own accord.<\/p>\n

The history of scams and phishing<\/h2>\n

The term “phishing” was coined back in 1996, when cybercriminals attacked users of America Online (AOL), the largest internet provider at that time. Posing as AOL employees, the scammers sent messages asking users to verify their accounts or asking for payment details. This method of phishing for personal data is still in use today, because, unfortunately, it continues to yield results.<\/p>\n

Also in the 1990s, the first online scams appeared. When banks began to roll out internet banking, scammers sent users text messages, supposedly from relatives, urgently asking them to transfer money to the account details given in the message.<\/p>\n

By the early 2000s, charity had become a common scam topic: for example, after the massive Indian Ocean earthquake and tsunami of 2004, users received messages from fake charities pleading for donations. At around the same time, phishers started targeting online payment systems and internet banks. Since user accounts in those days were protected only by a password, it was enough for attackers to phish out this information to gain access to victims’ money. To do this, they sent e-mails in the name of companies such as PayPal, asking users to go to a fake site displaying the corporate logo and enter their credentials. To make their sites look more credible, cybercriminals registered multiple domains all very similar to the original, differing by just two or three letters. An inattentive user could easily mistake a fake for a genuine bank or payment system website. In addition, scammers often used personal information from victims’ own social media pages to make their attacks more targeted, and thus more successful.<\/p>\n
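The lookalike-domain trick described above (registering names that differ from the genuine one by two or three letters) is still standard practice, so a practitioner wants a mechanical check for it. The following is an added example, not code from the Securelist article: it flags hostnames that imitate a brand's registered domain through small edit distance, through homoglyph or digit substitution, or by embedding the brand in a subdomain or a longer second-level label. The BRANDS table, the confusable tables and the sample hostnames are constructed assumptions, and the last-two-labels split is a stand-in for a real public-suffix list.

```python
import unicodedata

# Assumed brand list for illustration: brand token -> genuine registered domain.
BRANDS = {"paypal": "paypal.com", "kaspersky": "kaspersky.com"}

# Cyrillic letters that render like Latin ones (constructed, not exhaustive).
CYRILLIC_LOOKALIKES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
                       "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i"}
# ASCII substitutions that survive a quick glance ("paypa1", "rnicrosoft").
ASCII_CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w"}


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete and substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def canonical(host: str) -> str:
    """Lower-case, decode punycode, strip accents and fold confusables, so that
    'p\u0430ypal' (Cyrillic a) and 'paypa1' both become 'paypal'."""
    host = host.strip().lower().rstrip(".")
    try:
        host = host.encode("ascii").decode("idna")  # xn--... labels -> Unicode
    except UnicodeError:
        pass  # already contains non-ASCII text; nothing to decode
    host = unicodedata.normalize("NFKD", host)
    host = "".join(ch for ch in host if not unicodedata.combining(ch))
    for src, dst in {**CYRILLIC_LOOKALIKES, **ASCII_CONFUSABLES}.items():
        host = host.replace(src, dst)  # folding only; the raw host is kept separately
    return host


def split_host(host: str):
    """Naive (second-level label, tld, subdomains) split that assumes one-label
    TLDs; replace with a public-suffix lookup to handle co.uk-style suffixes."""
    labels = host.split(".")
    if len(labels) < 2:
        return host, "", ""
    return labels[-2], labels[-1], ".".join(labels[:-2])


def check_domain(domain: str, brands=BRANDS, max_distance: int = 2):
    """None for a genuine or unrelated host; otherwise which brand is imitated and how."""
    raw = domain.strip().lower().rstrip(".")
    folded = canonical(domain)
    sld, _tld, subs = split_host(folded)
    for brand, official in brands.items():
        if raw == official:
            return None  # the genuine site itself
        hit = {"domain": domain, "brand": brand}
        if folded == official:
            return {**hit, "reason": "homoglyph"}           # paypa1.com, Cyrillic-a paypal.com
        if brand in subs.split("."):
            return {**hit, "reason": "brand-in-subdomain"}  # paypal.com.verify-login.net
        if sld == brand:
            return {**hit, "reason": "unexpected-tld"}      # paypal.support
        if brand in sld:
            return {**hit, "reason": "brand-embedded"}      # paypal-security.com
        dist = levenshtein(sld, brand)
        if 0 < dist <= max_distance:
            return {**hit, "reason": "edit-distance", "distance": dist}  # paypol.com
    return None


# Constructed sample hostnames for a stand-alone run.
SAMPLE_HOSTS = [
    "paypal.com", "paypol.com", "payapl.com", "paypa1.com", "p\u0430ypal.com",
    "paypal-security.com", "paypal.com.verify-login.net", "kasperski.com", "example.com",
]


def scan(hosts=SAMPLE_HOSTS):
    """Return only the flagged hosts, each with the brand and the reason."""
    return [hit for hit in (check_domain(h) for h in hosts) if hit]


if __name__ == "__main__":
    for hit in scan():
        print(hit)
```

The folding step is deliberately aggressive (every "1" becomes "l", every "rn" becomes "m"), which is acceptable here because the folded string is only compared against brand names and never shown to the user; a production version would also feed newly registered domains from certificate transparency logs through the same check rather than a fixed list.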

As time progressed, online fraud became ever more sophisticated and persuasive. Cybercriminals learned to mimic the official websites of brands so closely that the fakes were almost indistinguishable from the original, and to find new ways to approach victims. Services specializing in creating fake content appeared, and at that point phishing really took off. Now not only the personal data and finances of ordinary users were in the firing line, but politicians and big business as well.<\/p>\n

This report examines the main phishing trends, methods, and techniques that are live in 2022.<\/p>\n

Phishing and scams: current types of fraud<\/h2>\n

Phishing:<\/h3>\n

Phishers can target credentials in absolutely any online service: banks, social networks, government portals, online stores, mail services, delivery companies, etc. But it is customers of top brands that are most often at risk, because people use and trust them more than smaller brands, increasing the likelihood of a successful attack.<\/p>\n

To extract the coveted information, cybercriminals try to persuade victims that they are logging in on the real website of the respective company or service, or that they are sharing their credentials with a company employee. Often, fake sites look no different from the original, and even an experienced user might be fooled. Phishers skillfully copy the layout and design of official sites, adding extra details to their pages, such as live chat support (usually inactive), and linking to real services to inspire confidence.<\/p>\n

<\/a><\/p>\n

Phishing site with chat support<\/em><\/p>\n

Recently, alongside online phishing, vishing<\/strong> (voice phishing) has been on the rise. Scammers either call victims directly, or employ various tricks to get them to make the call, after which they attempt to extract their personal data and money over the phone.<\/p>\n

<\/a><\/p>\n

Fake message about Windows-related issues in connection with which the victim must call the scammers<\/em><\/p>\n

Also current is targeted<\/strong> or spear phishing<\/strong>, which, as the name suggests, is aimed at a specific individual or organization. Spear-phishing e-mails and sites are far more personalized than bulk ones, making them very difficult to distinguish from genuine ones.<\/p>\n

Scams<\/h3>\n

While phishers target both businesses and ordinary internet users, scammers prey mostly on the latter. Most scams work by offering the victim an easy way to earn a chunk of money, or the chance to win a valuable prize or get something for free or at a huge discount. The main goal of this type of threat is to raise money, but scammers can also harvest the victim’s personal data to sell later or use in other schemes.<\/p>\n

In the screenshot below, for example, the victim is informed they have won a smartphone and asked to pay a small fee to have it delivered, as well as specify their e-mail address, date of birth, gender, phone number, and home address.<\/p>\n

<\/a><\/p>\n

Form for collecting personal data to send the bogus prize<\/em><\/p>\n

In most cases, scammers ask for this data to convince the victim that the prize will indeed be sent, and do not store it. However, some scammers may save all the information entered on their sites for the purpose of later sending malicious e-mails supposedly from victims, using their names and addresses.<\/p>\n

Besides promises of easy money and valuable prizes, scammers actively lure users to non-existent dating sites. For example, they might send an invitation to chat with other users, together with a link to a scam site and attractive photos. Once on the fake site, the user is told they can get premium access to the dating platform for next to nothing, but the offer expires today. They just need to sign up and pay a small fee.<\/p>\n

<\/a><\/p>\n

Offer to activate a premium account on a fake dating site<\/em><\/p>\n

There are other ways to attract victims to scam sites: by “selling” sought-after or scarce<\/a> goods, or trips with like-minded travelers, etc. In general, if something’s popular with users, fraudsters will use it as bait.<\/p>\n

Distribution<\/h2>\n

Although most scams and phishing attacks begin with mass e-mails containing links to fake websites, alternative attack vectors are gaining ground today. There are so many different communication and data sharing platforms that attackers can use to distribute phishing links.<\/p>\n

Messengers<\/h3>\n

Messengers such as WhatsApp and Telegram are among the main vectors for phishing and scamming.<\/p>\n

WhatsApp users might receive a fraudulent message either from the cybercriminals themselves or from someone in their contact list. To spread their scams, attackers send messages in the name of popular brands or government agencies, but they have no qualms about enlisting users too: the message typically says that, to receive the promised gift, the victim must first forward it to all or some of their contacts.<\/p>\n

<\/a><\/p>\n

Cybercriminals get the victim to forward a link to a fake giveaway to their WhatsApp contacts<\/em><\/p>\n

Recently, many channels have appeared on Telegram promising prizes or get-rich-quick cryptocurrency investment schemes. The chats of popular Telegram channels are also home to scammers who, posing as ordinary users, post juicy money-making and other offers. To post such comments en masse, cybercriminals can use bots. To discover the secret of easy money, the user is invited to contact the scammers or go to their channel.<\/p>\n

<\/a><\/p>\n

Comment in a Telegram chat promoting a currency exchange scheme<\/em><\/p>\n

Social networks<\/h3>\n

Comments offering easy profits are also found on social networks, for example, under photos in popular accounts, where messages are more likely to be read than on a page with fewer followers. Cybercriminals invite users to follow a link in a profile header, send them a direct message, or join a secret group chat. A message can also contain a link to a phishing or scam site. Posts promising well-paid part-time work with a link to a mini app are also common on VK, the Russian equivalent of Facebook. In addition, cybercriminals can use social networks to send direct messages to users, promote their offers, or create fake accounts promising valuable gifts, in-game currency, and gift cards. These are hyped up through ads, hashtags, or mass tagging of users in posts, comments, or on photos.<\/p>\n

<\/a><\/p>\n

Instagram account “giving away” free smartphones<\/em><\/p>\n

Marketplaces<\/h3>\n

Marketplaces act as an intermediary between the user and the seller, to some extent ensuring the security of the transaction for both parties. But their functionality is open to abuse by scammers as well. In a scheme widespread on Russian marketplaces<\/a>, the seller appears reluctant to communicate on the site and tries to move the conversation to a third-party messenger, where they can send a malicious link without fear of triggering the marketplace’s built-in defenses.<\/p>\n

Also on marketplaces, scammers often comment on other users’ reviews of products, assuring potential buyers that an item can be purchased for far less elsewhere, and attaching a link to a scam site.<\/p>\n

<\/a><\/p>\n

Scammers distribute links to fake sites through comments on product reviews on marketplaces<\/em><\/p>\n
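Both marketplace schemes above (steering the buyer off the platform, and dropping links into review comments) are exactly what a platform's own chat and comment filter should catch. The following is an added example, not code from the Securelist article or from any marketplace: it scores a single message for off-platform steering and external links, after undoing the usual "site[.]ru" obfuscation. TRUSTED_HOSTS, the TLD list in the URL pattern, the steering phrases and every sample message are constructed assumptions.

```python
import re

# Assumed: the marketplace's own hostnames, whose links are allowed in chat.
TRUSTED_HOSTS = {"market.example"}

URL_RE = re.compile(
    r"(?:https?://|www\.)[^\s<>]+"                        # explicit URLs
    r"|\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.(?:ru|com|net|me|org|info|xyz|shop)\b(?:/\S*)?",
    re.I,
)  # the bare-domain TLD list is an illustrative assumption
MESSENGER_RE = re.compile(r"\b(?:whatsapp|telegram|viber|wa\.me|t\.me)\b", re.I)
PHONE_RE = re.compile(r"(?:\+?\d[\s\-()]*){10,}")  # 10+ digits with separators
HANDLE_RE = re.compile(r"(?<!\w)@[A-Za-z0-9_]{5,}")  # @handle, but not e-mail addresses
STEER_PHRASES = ("write me on", "message me on", "let's continue in",
                 "don't use the chat here", "easier to discuss")


def deobfuscate(text: str) -> str:
    """Undo 'site[.]ru', 'site(.)ru', 'site(dot)ru' and 'site dot ru' before matching."""
    return re.sub(r"\s*(?:\[\.\]|\(\.\)|\(dot\)|\s+dot\s+)\s*", ".", text, flags=re.I)


def external_hosts(text: str):
    """Hostnames linked in the text that are not the marketplace's own."""
    hosts = []
    for m in URL_RE.finditer(text):
        host = re.sub(r"^(?:https?://|www\.)", "", m.group(0), flags=re.I)
        host = host.split("/")[0].split(":")[0].lower().rstrip(".,")
        if host not in TRUSTED_HOSTS:
            hosts.append(host)
    return hosts


def assess(message: str) -> dict:
    """Score one chat or comment message; higher means more likely off-platform steering."""
    text = deobfuscate(message)
    flags, score = [], 0
    hosts = external_hosts(text)
    if hosts:
        flags.append("external-link:" + ",".join(hosts))
        score += 3  # a link off the platform is the payload itself
    if MESSENGER_RE.search(text):
        flags.append("messenger-mention")
        score += 2
    if PHONE_RE.search(text):
        flags.append("phone-number")
        score += 2
    if HANDLE_RE.search(text):
        flags.append("handle")
        score += 1
    if any(p in text.lower() for p in STEER_PHRASES):
        flags.append("steer-phrase")
        score += 2
    action = "block" if score >= 3 else "review" if score else "allow"
    return {"action": action, "score": score, "flags": flags}


# Constructed sample messages: a normal buyer question, an off-platform steer,
# a review comment with an obfuscated link, and an in-platform link plus a handle.
SAMPLE_MESSAGES = [
    "Hi, is the item still available? Can you ship to Moscow?",
    "I don't use the chat here, write me on WhatsApp +7 999 123-45-67, it's easier to discuss.",
    "Same thing is cheaper here: shop-sale[.]ru/deal-2022, check it out",
    "Details at https://market.example/item/42 or ping me @seller_mike",
]


def triage(messages=SAMPLE_MESSAGES):
    """Return the action decided for each message, in order."""
    return [assess(m)["action"] for m in messages]


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(assess(msg), "<-", msg)
```

The thresholds are tuned so that any external link blocks on its own, because that is the step the scammer needs, while a lone handle only goes to review; real deployments add the sender's account age and report history to the score, since the scheme relies on throwaway seller accounts.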

Phishing and scam attack methods<\/h2>\n

To carry out attacks, cybercriminals employ a wide range of technical and psychological tricks to dupe as many users as possible while minimizing the risk of detection.<\/p>\n

Below are the main phishing and scam techniques used in 2022.<\/p>\n

Spoofing<\/h3>\n

To increase the victim’s trust in a fake resource, scammers often try to make it as similar as possible to the original. This technique is known as spoofing. In the context of website spoofing, there are two main types:<\/p>\n