The targets of phishing attacks
Just as phishing methods vary, so too do the potential targets.
Businesses of all sizes, from the largest S&P titan to the smallest “mom-and-pop” shop, are at risk. Phishing attacks can impact senior business leaders and high-net-worth individuals, but they can also harm ordinary people. That’s because no matter who you are, what your job is, or what your financial status is, your data has value.
Ultimately, the people who carry out phishing attacks are opportunists. They go after whatever will bring them the biggest return, and so some targets are more tantalizing than others.
In the period between January 2021 and March 2022, Americans lost over $1 billion to cryptocurrency-related fraud according to official FTC statistics. Business and government impersonation scams accounted for $133 million of these losses. Romance scams were responsible for a further $185 million.
Reliable data is hard to find, but the use of phishing in cryptocurrency scams is a well-documented phenomenon. And it’s easy to understand why.
For a malicious actor, cryptocurrencies offer several major advantages. Transactions are, by their very nature, irrevocable. Unlike credit card transactions, there’s no chargeback mechanism for Bitcoin.
And, since cryptocurrencies are largely decentralized and only lightly regulated, an attacker can easily move funds across borders and jurisdictions. Although a public blockchain lets any external observer trace the flow of transactions, malicious actors have tools and tactics to obscure where funds end up, from mixers (“tumblers”) to “privacy coins” like Zcash and Monero.
Whaling is a subset of spear phishing. What sets it apart is the fact that its targets are high-value individuals, or senior figures within an organization.
For an attacker, a “whale” is a highly lucrative target, and so they’ll spend time crafting a phishing email that’s most likely to resonate. Whaling emails are even more customized than a standard spear phishing email.
According to the UK’s National Cyber Security Centre (NCSC), they’ll include “personalized information about the targeted organization or individual,” convey a sense of urgency, and use the language and tone of a business email.
As with other phishing emails, the goal is to induce the victim to perform a secondary action: providing sensitive information, installing malware, or transferring funds.
In a growing number of cases, the attacker will phone the victim after sending the whaling email. According to the NCSC, these calls are used to confirm receipt of the email, and to reinforce the credibility of the message.
The term “catphishing” is a portmanteau of “catfish” and phishing. Catfish is a slang term for someone who engages in a romantic relationship with another online while also misrepresenting their identity.
Catphishing scams occur primarily on social networking and dating websites. An attacker creates a fake profile to lure a victim into a fake relationship, then exploits that relationship for money or personal data.
The motivations behind a catphishing scam vary. As Panda Security notes, an attacker may wish to financially exploit their victim, obtain personal information that could prove useful in other crimes, like fraud or identity theft, or simply seek to obtain their photos and personal information in order to conduct further catphishing attacks. Catphishing falls into the broader category of romance scams, which cost US victims at least $1.3 billion in 2022 alone, according to the US Federal Trade Commission. Law enforcement agencies received almost 70,000 reports of romance scam crimes, with the median reported loss being $4,400.
Although tax season can inspire feelings of dread among workers and businesses alike, it can prove a highly lucrative time for online fraudsters.
During the 2023 tax season, the IRS warned tax professionals and businesses to be wary of spear phishing attempts, particularly those centered on Form W-2. This document, produced yearly for each employee, reports to the IRS the wages the employer paid and the taxes it withheld. Identity thieves can use the personal and salary data on these forms to file fraudulent tax returns in the employee’s name and collect the refunds.
It also urged consumers to remain vigilant about emails and texts purporting to come from the IRS, particularly those that mention a tax refund or a potential tax issue. These phishing attempts, which IRS Commissioner Danny Werfel described as “relentless”, are almost always fraudulent: the agency initiates contact with individuals via postal mail, not email or text.
Some of the most impersonated brands in phishing emails are workplace tools such as Microsoft (and particularly Microsoft Office 365), Zoom, and ADP. These applications hold sensitive information, from proprietary business records and intellectual property to payroll information and tax documents, so a phished login for one of them is valuable in itself.
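A practitioner reading the paragraph above will want a concrete check for brand impersonation. The following is an added example written for this article, not code from the original page or from any vendor named in it. It flags a message when the From display name or the sender domain claims one of the brands listed above while the registrable sender domain is not one the brand uses, and when a Reply-To header redirects replies elsewhere. The brand-to-domain map and the sample headers are constructed assumptions for the example; a real deployment would build the map from each brand’s published sender documentation and SPF/DMARC policy.

```python
"""Flag e-mails whose sender claims a frequently impersonated brand.

Added example for this article; not code from the original page or from
any vendor it names. The domain lists and sample headers are constructed.
"""
import re
from email.utils import parseaddr

# Brand keyword -> registrable domains the brand is assumed to send from.
# ASSUMPTION for the example: maintain this from the brands' own
# sender documentation and SPF/DMARC records in a real deployment.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "office.com"},
    "office 365": {"microsoft.com", "office.com"},
    "zoom": {"zoom.us", "zoom.com"},
    "adp": {"adp.com"},
}


def registrable_domain(addr: str) -> str:
    """Return the last two DNS labels of the address's domain, lowercased.

    Naive (wrong for country-code suffixes such as .co.uk), but enough to
    show the technique; use a public-suffix list in production.
    """
    if "@" not in addr:
        return ""
    labels = addr.rsplit("@", 1)[1].lower().strip(".").split(".")
    return ".".join(labels[-2:])


def brands_in(text: str) -> list:
    """Brand keywords that appear as whole words in the text."""
    t = text.lower()
    return [b for b in BRAND_DOMAINS if re.search(r"\b" + re.escape(b) + r"\b", t)]


def assess(headers: dict) -> list:
    """Return human-readable findings for one message's headers."""
    findings = []
    display, addr = parseaddr(headers.get("From", ""))
    sender = registrable_domain(addr)
    full_domain = addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

    # 1. Display name names a brand, but the sender domain is not one the
    #    brand uses: classic display-name impersonation.
    for brand in brands_in(display):
        if sender not in BRAND_DOMAINS[brand]:
            findings.append(
                f"display name claims {brand!r} but sender domain is {sender!r}")

    # 2. Brand keyword embedded in a domain the brand does not own, e.g.
    #    zoom-meetings-update.com: a lookalike domain.
    for brand in brands_in(full_domain):
        if sender not in BRAND_DOMAINS[brand]:
            findings.append(f"lookalike domain {full_domain!r} imitates {brand!r}")

    # 3. Reply-To points somewhere other than the claimed sender, so any
    #    reply (and any data in it) goes to the attacker.
    _, reply = parseaddr(headers.get("Reply-To", ""))
    if reply and registrable_domain(reply) != sender:
        findings.append(
            f"Reply-To domain {registrable_domain(reply)!r} differs from sender {sender!r}")
    return findings


# Constructed sample headers for the example (not real messages).
SAMPLE_MESSAGES = [
    {"From": "Microsoft 365 Security <no-reply@mail-notify.example>"},
    {"From": "IT Helpdesk <it@zoom-meetings-update.com>"},
    {"From": "ADP Payroll <payroll@adp.com>",
     "Reply-To": "adp.payroll.team@gmail.com"},
    {"From": "Zoom <no-reply@zoom.us>"},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["From"], "->", assess(msg) or ["no findings"])
```

The three checks are deliberately independent: the legitimate ADP message in the samples passes the first two and is caught only by the Reply-To mismatch, which is how payroll-diversion lures often look once the display name and sender domain are in order.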
Phishing threatens everyone, but some industries and job roles are more likely to be targets than others. According to 2022 data from Egress, finance and IT teams are the most likely company departments to be targeted by phishing emails.
Data from Q1 2022 shows the healthcare sector as the most common target of phishing attacks. Technology businesses were close behind, with the software-as-a-service (SaaS), e-commerce, social media, and cryptocurrency sectors accounting for the rest of the top five targets.
Even if your organization doesn’t operate in these sectors, you should still be vigilant. Research from Egress shows that 84% of organizations were victims of phishing in 2022. Whoever you are, your data and your relationships have value to an attacker.
Public sector organizations and corporations are frequently the target of phishing attacks, purely because — on a financial basis — they’re often the most rewarding. But individuals shouldn’t let their guard down.
While you might not be a large NASDAQ or S&P business, your information holds value to a malicious actor.
An attacker may wish to gain access to your online streaming TV subscriptions — like Netflix or Hulu — to resell them for a profit. Your email and social media accounts could be used to conduct further phishing attacks against your friends, family, colleagues, and employer. And, with access to your financial applications, an attacker can steal your funds or submit fraudulent tax returns on your behalf.
And so, it’s important you never let your guard down — both at work, and in your private life.
Recruitment scams are an increasingly common tactic that exploits a person’s need to find a job.
Here, an attacker impersonates a recruitment agent or HR worker and, using email or a business social networking site like LinkedIn, reaches out to someone looking for a new role. The candidate will likely hand over their resume. This can be used for further phishing attempts, or as a means to plant an “insider” at an organization, as has been documented with certain state-sponsored actors.
The attacker may also use the promise of employment to extract money from the victim, or to induce them to perform actions that are themselves harmful or malicious. In one example reported by Sky News, a victim was told to pay out of pocket for a training course and a “burner” phone; the “job” then consisted of trying to recruit others into the same scheme.