5 baits used in phishing scams to lure you

Updated at: Dec 04, 2020
By Gatefy


Anyone who knows a little about cybersecurity knows that phishing is one of the top threats on the internet. As the name suggests, phishing is a type of scam that tries to obtain information and data by tricking the victim with fake emails, messages, websites, and calls.

That's why you need to be careful with messages and emails that ask you to pay a bill or update your information.

Phishing on its own is dangerous, but combined with social engineering it becomes even more devastating. Social engineering is a tactic that lets crooks use information about the victim to manipulate them and commit fraud.

Basically, the attacker scours the internet, including social networks like Facebook, LinkedIn, and Twitter, for information that makes the scam more likely to succeed.

From the alliance between phishing and social engineering, spear phishing was born. Unlike phishing, which is a mass attack, spear phishing is a targeted scam with a specific focus on a person, a group, or even a company.

In this sense, social engineering enhances the phisher's attack, allowing him to manipulate victims more easily.

We know that it's not always easy to recognize an attack. But education about threats and how they work (so-called security awareness) is still one of the most effective forms of defense. The more knowledge, the better.

Following this idea, we've created a list of the 5 common types of bait that phishers use in emails and messages to lure you.

Examples of baits used by phishing to trick you

1. Email and website spoofing

Email spoofing happens when cybercriminals use a compromised email account, a forged From header, or an email address that looks like the original in order to deceive their victims. Imagine that an employee's email account has been compromised, and the attacker is now sending emails to partners requesting wire transfers.

Website spoofing is similar and is widely used in phishing and spear phishing scams. It happens when the attacker creates fake websites, usually copying the look of a real login page, with the goal of gaining the victim's trust and stealing important data and information.

Website spoofing is often tied to email spoofing, as many criminals send emails with links to fake websites.
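The tells described in this section (a lookalike sender domain, a display name that shows a trusted domain the address lacks, a Reply-To pointing elsewhere, and a link whose visible text hides its real destination) can be checked mechanically. The script below is an added example, not Gatefy's code or any product's; the trusted domain list and both sample messages are constructed for the demo.

```python
"""Flag the spoofing tells discussed above in a raw email.

Added example, not Gatefy's code. TRUSTED_DOMAINS and both sample messages
are assumptions constructed for the demo.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed: domains this organisation and its bank legitimately use.
TRUSTED_DOMAINS = ("example-corp.com", "bank-example.com")

# Constructed sample: lookalike sender ("examp1e"), display name that names the
# real domain, mismatched Reply-To, and a link whose text hides its destination.
SAMPLE_EMAIL = """\
From: "Finance Team example-corp.com" <finance@examp1e-corp.com>
Reply-To: payments@mail-relay-attacker.net
To: employee@example-corp.com
Subject: URGENT: approve wire transfer before 5pm
Content-Type: text/html

<p>Please confirm the transfer at
<a href="http://login.bank-example.com.verify-account.xyz/">https://www.bank-example.com/</a></p>
"""

# Constructed legitimate message used as the control case.
CLEAN_EMAIL = """\
From: "Finance Team" <finance@example-corp.com>
To: employee@example-corp.com
Subject: Q4 expense report
Content-Type: text/html

<p>Reports are due Friday: <a href="https://portal.example-corp.com/expenses">portal</a></p>
"""


def levenshtein(a, b):
    """Edit distance, used to catch single-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(domain, trusted=TRUSTED_DOMAINS, max_dist=2):
    """Return the trusted domain that `domain` imitates, or None if it is genuine."""
    domain = domain.lower()
    for t in trusted:
        if domain == t or domain.endswith("." + t):
            return None  # the real domain or one of its subdomains
    for t in trusted:
        # trusted name embedded in a longer host (bank-example.com.verify-account.xyz)
        # or within a couple of edits of it (examp1e-corp.com)
        if t in domain or levenshtein(domain, t) <= max_dist:
            return t
    return None


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyse(raw):
    """Return a list of human-readable findings; empty means no tell was seen."""
    msg = message_from_string(raw)
    findings = []
    display, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)

    imitated = lookalike(from_dom)
    if imitated:
        findings.append(f"sender domain {from_dom} imitates {imitated}")

    # Display-name spoofing: the name shows a trusted domain the address lacks.
    for t in TRUSTED_DOMAINS:
        if t in display.lower() and from_dom != t and not from_dom.endswith("." + t):
            findings.append(f"display name mentions {t} but address is {from_addr}")

    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_dom:
        findings.append(f"Reply-To {reply_addr} differs from From domain {from_dom}")

    body = msg.get_payload(decode=True).decode("utf-8", errors="replace")
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', body, re.I | re.S):
        href_host = (urlparse(href).hostname or "").lower()
        shown = re.search(r"https?://([^/\s<]+)", text)
        if shown and shown.group(1).lower() != href_host:
            findings.append(f"link text shows {shown.group(1)} but goes to {href_host}")
        if lookalike(href_host):
            findings.append(f"link host {href_host} imitates {lookalike(href_host)}")
    return findings


if __name__ == "__main__":
    for line in analyse(SAMPLE_EMAIL):
        print("suspicious:", line)
    print("clean message findings:", analyse(CLEAN_EMAIL))
```

The edit-distance threshold is deliberately small: two edits are enough for "examp1e" and swapped letters, while a larger value starts flagging unrelated short domains. Subdomains of a trusted domain are accepted as genuine, which is why `portal.example-corp.com` produces no finding but `bank-example.com.verify-account.xyz`, where the trusted name is not the suffix, does.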

2. Malicious links and attachments

Two baits heavily used by phishers are attachments and malicious links. Remember the Sony Pictures data breach in 2014?

It appears that the attackers gained access to the company's systems through malicious links in emails that seemed to come from Apple.

3. Urgent subjects and text lures

Urgent subject lines and elaborate stories are other baits much used by phishers. In the Nigerian fraud (the advance-fee or "419" scam), for example, the criminal tells a convincing but false story that can end with you suffering financial losses.

When the fraud uses a bank's name, you may receive an email with an "urgent" matter: you must change your banking credentials for security reasons, and the link to do so is, of course, the attacker's.

4. Identity forgery

In this type of bait, the attacker impersonates someone the victim trusts. Coming from a "trusted" person, the scam has a better chance of success, right?

Take the case of RSA, a security company, in 2011. The company was breached because employees opened an email that seemed to come from someone close to them. The subject was "2011 Recruitment Plan", and the attached spreadsheet carried the exploit.

5. Critical and timely subjects

Another widely used bait is a subject that affects society as a whole and attracts a lot of attention. Several scams involving phishing and malware were reported during the COVID-19 pandemic, for example, and the FBI and Europol issued warnings about them.

Election years also generate concern and attention. Unfortunately, critical and global subjects give scammers the opportunity to attack and deceive more people through false information and malicious links and attachments.

Conclusion

Remember: scammers often use more than one bait. Depending on how elaborate the fraud is, all 5 baits may be used, spread across different moments of the conversation.

When it comes to phishing and spear phishing attacks, the best tip is always to confirm a suspicious request out of band, preferably over the phone or in person, using a number or contact you already had rather than one supplied in the message itself.

For those who want more protection, especially companies, a Secure Email Gateway (SEG) with anti-phishing, anti-spam, anti-malware, and other security mechanisms may be a good start.

You can also invest in DMARC authentication, built on SPF and DKIM, to strengthen your company's protection against attacks such as phishing. Keep in mind what it covers: DMARC lets receivers reject mail that forges your exact domain, but it does nothing against a lookalike domain the attacker registers and authenticates themselves.
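To make that concrete, here is what a receiving server does with a DMARC record: it takes the SPF and DKIM verdicts, checks whether the authenticated domains align with the visible From domain, and applies the published policy on failure. This is an added example, not Gatefy's code; the two messages and both DMARC records are constructed, and a real receiver fetches the record from the `_dmarc.<domain>` TXT record and takes the verdicts from its own MTA's checks.

```python
"""Apply a DMARC record to a message's SPF/DKIM results.

Added example, not Gatefy's code. The two messages and the two DMARC records
are constructed; a real receiver fetches the record from the _dmarc.<domain>
TXT record and takes the verdicts from its own MTA's checks.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Weak record: authentication failures are only reported, mail is still delivered.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example-corp.com"
# Stronger record: failures are rejected; alignment left relaxed (the default).
STRONG_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc@example-corp.com; adkim=r; aspf=r"

# Constructed: attacker forges the visible From but authenticates their own domain.
# SPF and DKIM both "pass" for attacker-relay.net; DMARC alignment is what catches this.
SPOOFED = """\
From: "CEO" <ceo@example-corp.com>
To: cfo@example-corp.com
Subject: Wire transfer needed today
Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=bounce@attacker-relay.net; dkim=pass header.d=attacker-relay.net

Please process the attached invoice immediately.
"""

# Constructed: genuine mail sent through the company's own outbound relay.
LEGIT = """\
From: "HR" <hr@example-corp.com>
To: staff@example-corp.com
Subject: Benefits enrolment
Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=bounce@mail.example-corp.com; dkim=pass header.d=example-corp.com

Enrolment closes Friday.
"""


def parse_dmarc(record):
    """'v=DMARC1; p=reject; adkim=s' -> {'v': 'dmarc1', 'p': 'reject', 'adkim': 's'}"""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags


def org_domain(domain):
    """Organisational domain, simplified to the last two labels.
    Production code must use the Public Suffix List (co.uk and friends)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: strict = exact match, relaxed = same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_verdict(raw, record):
    """Return (dmarc_result, action) for a message under the given record."""
    msg = message_from_string(raw)
    tags = parse_dmarc(record)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_dom = from_addr.rsplit("@", 1)[-1]
    results = msg.get("Authentication-Results", "")

    spf = re.search(r"spf=(\w+)\s+smtp\.mailfrom=([^;\s]+)", results)
    dkim = re.search(r"dkim=(\w+)\s+header\.d=([^;\s]+)", results)

    # SPF authenticates the envelope sender (may be a full address), DKIM the signing domain.
    spf_ok = bool(spf) and spf.group(1) == "pass" and aligned(
        spf.group(2).rsplit("@", 1)[-1], from_dom, tags.get("aspf", "r"))
    dkim_ok = bool(dkim) and dkim.group(1) == "pass" and aligned(
        dkim.group(2), from_dom, tags.get("adkim", "r"))

    if spf_ok or dkim_ok:
        return "pass", "deliver"
    action = {"none": "deliver (report only)", "quarantine": "quarantine", "reject": "reject"}
    return "fail", action[tags.get("p", "none")]


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        for label, record in (("p=none", WEAK_RECORD), ("p=reject", STRONG_RECORD)):
            print(name, label, dmarc_verdict(raw, record))
```

The spoofed message passes SPF and DKIM for the attacker's own domain, so only the alignment check against the From domain fails it; under `p=none` it is still delivered, which is why a DMARC rollout is not finished until the policy reaches `quarantine` or `reject`. One caveat when building on this: trust only the `Authentication-Results` header your own MTA added, since an attacker can include one in the message they send.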

In addition, you need to invest in security awareness. As we said at the start, the more knowledge, the better.