It’s the digital security training team at Freedom of the Press Foundation (FPF), with security news that keeps you, your sources, and your devices safe.

This October, we’re bringing you a twist on our weekly newsletter. Read along as we shine our flashlight into the darker, creepier corners of the online world. After all, it’s spooky season, and we all have the potential to be the heroes when it comes to safeguarding our data.

We’ve covered some pretty scary ground this month, including data brokers and hacking collectives. As Halloween looms, let’s end with the most pernicious — and ubiquitous — topics of all: online scams in general, and phishing scams in particular.

We have yet to encounter a journalist who doesn’t have a story of a text message that screamed “fraud” or an email that was obviously a fake. Nevertheless, these types of scams are still so successful that they account for 14% of entry points into cybersecurity breaches. In response to this, many employers — including media companies — have taken to issuing regular tests of their employees’ phishing awareness by sending fake phishing emails. This has not gone over well, and, moreover, hasn’t really moved the needle. It’s worth taking a look at what’s going on behind the scenes of a phishing attack to understand this gap, and to hopefully fill it.

Online scamming has become an industry. The scope and scale of the groups perpetrating phishing attacks and other forms of scams have ballooned since 2020. A lot of online fraud now originates from organizations whose hierarchies resemble corporations. Many of the people behind these scams are victims themselves, often held against their will after answering fake job ads for what appear to be legitimate positions. As a result, it’s no longer necessary to be tech-savvy; most scammers start by undergoing days and days of training.

And it is working — to the tune of $64 billion a year. While there have been recent efforts to crack down on online scams, money laundering schemes remain effective at making ill-gotten gains disappear without a trace.

New tools add a level of deceit. The proliferation of phishing and other scams comes at us from all sorts of angles — robocalls, text messages, you know the drill. Newer avenues for pulling off scams take advantage of common products like online calendars and Google Forms. And AI has entered the chat: generative AI is being used to fine-tune scammy messages, spin up spoof websites, and generate ransomware to deploy within organizations.

What you can do:

If you’re in charge of these things, consider whether employer-generated phishing emails are worth the effort if they only reduce the likelihood of successful phishing attacks by 2%. Research suggests that a better approach may be to set and maintain communications standards so that people notice when things are off, and hopefully report them.

For individuals, a few basic guidelines that will help keep you safe during these weird, scammy times:

  • Avoid tapping links you don’t 100% trust. Simply open your web browser, type in the actual site’s address, and enter account credentials there.
  • Instead of following unsubscribe links in emails you didn’t personally subscribe to, set up filters and send those messages directly to trash.
  • Avoid replying to texts from numbers you don’t know. Resist giving any sign of life to the sender. Just report spam and delete.
  • Let calls go to voicemail, as any true millennial would. Call people back using a saved phone number you trust for that company, such as a number you find on a utility bill, bank statement, or another trustworthy source.

Additional tips, including the best 2FA to use to help ward off phishing attacks, are available in our guide.

Reach out if you need us! We’re here to help you keep your world sane and horror-free.

Thanks again for reading! Until next time,

Davis

_

Davis Erin Anderson

Senior Digital Security Trainer

Freedom of the Press Foundation