The odds that you will be a target of a phishing attack are high, but whether or not you will be a victim is largely within your control. Here, we’ll take a look at the factors that affect your vulnerability and review another prevalent attack to help you identify a phishy email campaign and avoid becoming a victim.
In a 2020 study, Google researchers measured 1.2 billion email-based phishing and malware attacks against Gmail users to understand what factors place a person at heightened risk of attack. During the study, Google found that attackers targeted, on average, 17 million users every week with hundreds of thousands of campaigns that lasted just a single day.
Geography, a factor that is out of our control, played a large role. Users in the United States are the most popular targets, accounting for 42% of attacks. A target’s age was also a factor, as the odds of experiencing an attack were 1.64 times higher for 55- to 64-year-olds compared to 18- to 24-year-olds.
Again, age is out of our control, but the researchers posed an alternative reason why this was the case. While it is possible that attackers specifically target older users because of their reported higher susceptibility to deception and coercion, older users may have larger online footprints, thus making discovery of their accounts easier, the researchers said — a more palatable reason and one that rings true in my view after hearing from many readers here who are acutely tuned to online security.
A third significant factor was having your email address or other personal details exposed in a data breach. This makes a user five times more likely to be targeted, and frankly, there’s not a lot you can do about this one other than minimizing the number of accounts you have with companies. It is always a good idea to reduce your online footprint, but these days, it’s virtually impossible to avoid sharing your email and other details with the entities you do business with.
With the volume of phishing schemes out there, it’s no surprise that cybercriminals are continually looking for new ways to hook you into giving up sensitive information or getting you to download malware onto your device to gain access to your accounts. A recently detected scheme uses a fake call center to trick people into installing malware on their Windows PC.
The bait in this phishing scheme is an email that says you’ve subscribed to a free trial of a movie streaming service and will soon be charged $39.99 a month, which is alarming because you know you did not ... or did you? Curious targets may investigate by visiting the sender site, BravoMovies. The website looks convincing, complete with fake movie posters. The email directs recipients to call a number to cancel their subscriptions, and cybercriminals posing as customer service staff are waiting on the other end of the line. When calls come in, they guide the would-be victims into downloading malware called BazaLoader, which is typically used to stage ransomware attacks. In this case, the malware is delivered as a spreadsheet downloaded from the site’s Subscription page.
BazaLoader creates a backdoor in Windows PCs that can then be used to initiate an attack at a later date. That illustrates an interesting thing about ransomware attacks, which hijack control of your machine and demand money from you to release it: a piece of malicious software has to be installed on your computer first, and in this scheme it is the victim who installs it. The lesson here is never to download anything to your computer, particularly in a scenario such as this one.
The BravoMovies scheme is compelling because it creates a sense of urgency around your credit card being charged for something you did not purchase. This is a common ploy. Just last week, I received a phishing email in my “protected” work Outlook account. The preview of the email was alarming: It said, “Thank you for purchasing Norton Security” and included a receipt for $499.99. A phone number was provided to cancel the subscription.
If you familiarize yourself with common phishing scheme formulas like the one mentioned here, which can be boiled down to 1) a fake subscription, 2) a pending charge or charge already applied to your account and 3) a number to call to cancel, you can quickly identify them and avoid becoming a victim.
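The three-part formula above can be turned into a simple triage rule. The script below is an added example written for this article, not code from the article or from the Google study; the regular expressions and the sample messages are constructed here (the two suspicious samples are loosely modelled on the $39.99 streaming-trial and $499.99 "Norton Security" receipts described above). It flags a message only when all three cues appear together: subscription or trial language, a charge or receipt, and a phone number sitting next to an instruction to call and cancel. A real invoice with a dollar amount but no call-to-cancel phone number is left alone.

```python
import re

# Constructed sample messages (not taken from the article), used as offline input.
SAMPLE_EMAILS = {
    "streaming_trial": (
        "Thank you for signing up for your free trial of BravoMovies Premium. "
        "Your trial ends soon and your card will be charged $39.99 per month. "
        "To cancel your subscription, call 1-800-555-0143."
    ),
    "security_receipt": (
        "Thank you for purchasing Norton Security. Receipt total: $499.99. "
        "If you did not authorize this subscription, call (800) 555-0199 to cancel."
    ),
    "benign_newsletter": (
        "Here is this week's engineering newsletter. Read about our new "
        "release and upcoming meetups."
    ),
    "benign_real_invoice": (
        "Your invoice #1042 for $120.00 is attached. Log in to your account "
        "portal to view payment history."
    ),
}

# Cue 1: a subscription or trial the recipient supposedly signed up for.
SUBSCRIPTION_RE = re.compile(
    r"\b(free trial|subscription|subscribed|renew(?:al|ed)?|membership)\b", re.I
)
# Cue 2: a dollar amount or charge/receipt wording.
CHARGE_RE = re.compile(
    r"(\$\s?\d{1,5}(?:\.\d{2})?|\b(charged|charge|purchas(?:e|ed|ing)|receipt|invoice|payment)\b)",
    re.I,
)
# Cue 3: a US-style phone number such as (800) 555-0199 or 1-800-555-0143 ...
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
# ... with "cancel"-style wording nearby.
CANCEL_RE = re.compile(r"\b(cancel|dispute|refund|unsubscribe)\b", re.I)

# Assumed heuristic: how many characters around the phone number count as "nearby".
CANCEL_WINDOW = 80


def callback_cues(text):
    """Report which of the three cues are present in one message body."""
    cues = {
        "subscription": bool(SUBSCRIPTION_RE.search(text)),
        "charge": bool(CHARGE_RE.search(text)),
        "phone_to_cancel": False,
    }
    # Only count a phone number if a cancel/dispute instruction sits next to it.
    for match in PHONE_RE.finditer(text):
        window = text[max(0, match.start() - CANCEL_WINDOW): match.end() + CANCEL_WINDOW]
        if CANCEL_RE.search(window):
            cues["phone_to_cancel"] = True
            break
    return cues


def is_callback_phish(text):
    """True only when all three cues of the formula appear together."""
    return all(callback_cues(text).values())


def triage(emails):
    """Map each message name to its verdict."""
    return {name: is_callback_phish(body) for name, body in emails.items()}


if __name__ == "__main__":
    for name, body in SAMPLE_EMAILS.items():
        verdict = "SUSPECT" if is_callback_phish(body) else "ok"
        print(f"{name:22s} {verdict:8s} {callback_cues(body)}")
```

Requiring all three cues keeps the false-positive rate down on ordinary billing mail; a production mail filter would pair a rule like this with sender-reputation and attachment checks rather than rely on text cues alone.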