Posted on August 27, 2020 at 6:13 PM
So far, 2020 has been quite an eventful year. The year had a number of unfortunate events, protests around the world, and of course, a global pandemic that affected pretty much every sphere of life.
This had massive effects on the online world, as well. While the COVID-19 disease is not transmittable via the internet, it did result in people around the world spending a lot more time at home. This led to a greater and stronger internet presence, and it also left them more vulnerable to scammers and hackers, most of whom still prefer phishing attacks.
And, with coronavirus fears in the air, they also came up with plenty of new strategies, stories, and more — all to convince victims to make a wrong move and click where they shouldn’t.
So, with that in mind, let us share some of the biggest phishing scams that are relevant in 2020, and help you learn what to watch out for.
Biggest phishing scams of 2020
1) Martin Lewis ads
The first on the list is a scam that has been coming and going throughout the year, and it revolves around Martin Lewis, a UK-based journalist and television presenter.
As a very well-known individual, Lewis has been a popular way for scammers to contact people and try to trick them. Several times this year, scammers were reportedly using his name and face in their online ads, in attempts to draw people into their get-rich-quick schemes.
Not only were these ads fake, but they made quite a commotion after appearing on genuine websites. They made horrific statements, such as that Martin had died, trying to cause shock and make people click on the ad in order to see what is going on.
Martin is, fortunately, alive and well. However, he is not involved in this kind of advertising. Neither he nor MSE are taking part in these ads, and they are all fake, so if you see any advertisement involving Bitcoin that references Martin Lewis, beware.
2) Texts from “the government”
Back in March of this year, when COVID-19 started spreading around the world, multiple scammers started contacting people via text messages, presenting themselves as the government.
According to warnings published by UK Finance and the communications regulator, Ofcom, the scammers were promising relief payouts, as well as threatening fines for people who had left their homes.
UK Finance warned people that such messages are not genuine and that they should not trust them. In fact, they should not even try and click on the links delivered within.
In some cases, scammers requested that people post their postcode or similar details in order to apply for the COVID-19 relief payouts. In others, messages that people received claimed that they got money as part of the battle against COVID, providing a link for the victim to click in order to claim it.
Finally, UK Finance also warned that some of the criminals were reportedly using a spoofing technique that could make fake messages appear in the same thread as genuine messages previously delivered by legitimate organizations and the government.
3) Twitter spear phishing
The most common way to conduct phishing attacks is via email, and, according to data from Action Fraud, these scams were, indeed, the most common.
Email phishing scams can go from completely obvious to very convincing rather quickly, and a lot of it depends on the victim and their knowledge of online risks and dangers. If the victim is not familiar with these threats, they could easily get tricked even by bad scams, while those who know what to look for can stay safe even if targeted by professionals.
More often than not, scammers use spear-phishing attacks to target employees of a specific company or some other group. They contact these individuals with various fake stories in attempts to gain access to their systems, often via malware.
But, even now, in 2020, most people are unaware of the danger, as companies fail to educate them in time.
In the case involving Twitter, spear phishing is what eventually led to the hack of the platform’s most visible accounts in mid-July, which then led to a Bitcoin scam that tricked a lot of people.
4) COVID-19 phishing via email
While the hackers tried to replicate the governments’ main method of communication, which is via texts, plenty of them have made attempts to target users via email. With coronavirus being the main topic of the year, they used it to try and trick people throughout the year.
A lot of these attacks closely resemble the so-called ‘Nigerian prince’ scheme. As a quick reminder, this scheme revolved around the scammers sending emails to entire lists of emails, claiming to be a Nigerian prince who needs help in withdrawing their funds. In return for the victim’s help, the ‘prince’ was willing to pay them massive sums of money.
Of course, it is all a lie, and with COVID-19 still raging around, similar attempts with some amount of variation emerged. For example, ‘dying millionaires’ ended up popping all over the internet. They started offering rewards for those who help them withdraw funds, allegedly for humanitarian purposes.
There were also mentions of miracle vaccines that could save lives, and much more. Many COVID-19 schemes started emerging as early as January of this year, but the trend really kicked off in March, after the virus went global.
5) Coronavirus spear phishing
According to researchers from Barracuda Sentinel, spear-phishing attacks featuring COVID-19 started early this year, but the real spike started in late February and early March. At this time, the number of attacks went up by 667%.
The trend continued, and Barracuda researchers noticed around 467,825 spear-phishing attacks that targeted people via email between March 1st and March 23rd. They also added that around 9,116 of them were related to COVID-19 in some way, which is around 2% of the total amount.
This is a massive increase from the 137 coronavirus-related attacks that took place in January, or the 1,188 in February. COVID-19-related spear-phishing attacks were still the minority when compared to other trends, but one that quickly kept growing, and this growth continued in the months that followed.
Out of the 9,116 attacks in March, Barracuda Sentinel classified around 54% as scams, offering miracle cures, fake charities, and the ‘dying millionaire’ scenarios mentioned before. 11% were blackmail, and 34% were brand impersonations. Only 1% were business email compromise attacks.
6) Voice Phishing for VPN login credentials
This is a type of phishing attack, popularly called vishing, that was recently reported to have spiked by quite a bit.
Due to the coronavirus situation, many businesses ended up closed for the time being, while a high number were permanently shut down. On the other hand, every business whose nature allowed it figured out a way for its workers to work remotely.
But, in order to do that, they needed safe access to the companies’ resources, and the safest way for that was to use a corporate VPN. Scammers know this, which is why they started bombarding remote workers with phone calls, presenting themselves as IT members, claiming that there is a problem with a VPN, and that the victim needs to provide their login credentials for them to remove the problem.
Scammers would even create LinkedIn accounts for people they were posing as, just for the sake of adding to the legitimacy of it all. They also made fake pages that resembled those that users needed to go to in order to log into their company’s VPN. Such pages were delivered via links and emails, and as soon as someone tried to log in, the scammers would have their login data for themselves.
7) Phishing via brand names
Of course, phishing via brand names has always been, and likely always will be, one of the most popular forms of phishing attacks. Every year, firms like Apple, Google, Netflix, and many others spend millions trying to build trust and have their brand tied to positive messages.
However, hackers and scammers tend to use this trust in order to scam people and get some of their money for themselves. Targeting firms is too difficult and dangerous for online criminals. Their customers, on the other hand, are easy to trick and rob of their hard-earned money.
Most of the attacks come as phishing emails, and in many cases, they end up being something significantly more troubling. Sometimes, it is malware that will infect the victims’ computers in order to withdraw information. In other cases, it is ransomware, keyloggers, or crypto-mining malware.
Some of the most used brands include Apple, Netflix, Yahoo, WhatsApp, PayPal, Chase, Facebook, Microsoft, eBay, Amazon, and others. So, while the goal is not to make you wary of emails received from these firms, you should still be careful whenever such an email arrives, and ensure that its senders are who they claim to be.
8) Mobile phishing (smishing) via the brand name
Similarly to how scammers used mobile devices to send fake messages while impersonating the government, they can also use brand names to try and trick you via SMS.
These attacks are pretty straightforward in most cases. You would simply receive a message that claims to be from Netflix, or some other company, but it comes from an unknown number. The message would contain some sort of warning, such as the ‘fact’ that your account has been locked for some random reason.
They would also conveniently include a link that you are expected to click, and that would take you to a page either filled with malware, or a copy of a login page for the brand that scammers represent themselves as. And, as always, if you were to try and log in, they would get your login credentials immediately, and then go to the legitimate site or app and connect to it, themselves.
Netflix is one of the most popular brands used in this type of attack, but scammers were also known to use Apple’s name, as well as that of WhatsApp or Chase.
9) Fake WHO emails
With COVID-19 being the biggest and the baddest in 2020, the number of phishing attacks related to it has been rather high, as noted previously. This time, however, the attackers might try to impersonate the World Health Organization (WHO).
They would target a list of users via email, where they would send fake newsletters that offered tips for protection from COVID. However, the tips would not be in the email itself. Instead, the email would contain a link to a fake WHO website, where users were expected to go and try to log in.
The goal of these attacks was for online criminals to steal login credentials for the real WHO sites. However, later on, scammers also started asking for phone numbers, simply by adding a new field to fill in on their fake sites.
Meanwhile, most — if not all — documents listed on these fake WHO sites were infected with malware, which would infect the victim’s device as soon as they downloaded them. The documents themselves were made to look like COVID tips, which is why people were usually quick to download and open them without thinking of potential dangers.
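Sections 7, 8 and 9 all come down to the same pattern: a message names a trusted brand (Netflix, Chase, the WHO) and carries a link that actually lands on a lookalike domain. The check below is an added example, not code from the original post; it flags any link whose registered domain does not belong to a brand the message claims to be from, using a constructed allowlist of brand domains and constructed sample messages (the `.example` hosts are placeholders, and the allowlist is an assumption a real deployment would maintain properly).

```python
import re
from urllib.parse import urlparse

# Constructed allowlist: legitimate registered domain(s) of each brand the
# page names. Assumption: a real deployment loads a maintained list instead.
BRAND_DOMAINS = {
    "netflix": {"netflix.com"},
    "apple": {"apple.com", "icloud.com"},
    "whatsapp": {"whatsapp.com"},
    "chase": {"chase.com"},
    "world health organization": {"who.int"},
}

URL_RE = re.compile(r"https?://[^\s<>]+", re.IGNORECASE)


def registered_domain(url):
    """Last two host labels, e.g. 'netflix.com'. Naive: no public-suffix list,
    so 'example.co.uk' would reduce to 'co.uk'; enough to show the check."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def brands_mentioned(text):
    """Brands named in the message body (whole-word, case-insensitive)."""
    low = text.lower()
    return {b for b in BRAND_DOMAINS if re.search(r"\b" + re.escape(b) + r"\b", low)}


def check_message(text):
    """Return (url, registered_domain, brands) for every link whose domain is
    not owned by any brand the message claims to be from. An empty list means
    no brand/link mismatch was found, not that the message is safe."""
    brands = brands_mentioned(text)
    findings = []
    for url in URL_RE.findall(text):
        dom = registered_domain(url)
        if brands and not any(dom in BRAND_DOMAINS[b] for b in brands):
            findings.append((url, dom, sorted(brands)))
    return findings


if __name__ == "__main__":
    # Constructed sample messages modelled on the scams described above.
    samples = [
        "Netflix: your account has been locked. Restore access at http://netflix-account-verify.example/login",
        "Netflix: see what's new this week https://www.netflix.com/browse",
        "Chase alert: confirm your identity https://chase.com.secure-login.example/verify",
        "World Health Organization COVID-19 tips: https://who-int-covid19.example/tips.docx",
    ]
    for msg in samples:
        print("FLAGGED" if check_message(msg) else "ok     ", msg)
```

The third sample shows why the check looks at the registered domain rather than the start of the hostname: `chase.com.secure-login.example` begins with the brand's domain but is owned by whoever registered `secure-login.example`.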
10) Data leak compensation
US-based companies that are careless enough to let their customers’ data leak are not treated with much love in regulatory circles. One example of this was seen last year, when Facebook got a $5 billion penalty for leaking data.
However, this money was never meant to go to users whose data was actually exposed. Instead, the government simply claimed it for itself. But, most people are not aware of how these things work, which is why scammers started contacting the victims, claiming to be members of a made-up Personal Data Protection Fund.
They would provide users with links that would ‘help them’ discover if their data was stolen. The answer would always be yes, regardless of what information the user types in. But, the more important part was that users were promised compensation.
Hackers did not bother to target only US citizens — everyone was fair game. They tried to get users’ details, such as first and last name, social network accounts, phone numbers, and more. They also promised payments to those who shared their SSN, while those who did not have one were given a box that says “I’am dont have SSN,” once again showing that bad grammar can easily help with recognizing these scams.
Those who were without an SSN were also invited to rent one for $9. Interestingly enough, even people who did have their SSN were offered this, which basically meant that they would have two of them. The scam was clearly not very sophisticated, but most people tend to overlook such nonsensical details when they are promised money.
The final step was arriving at a payment page where the users would get the amount and currency that they are ‘supposed to receive,’ based on their location.
With that, we end our list of the biggest and most common scams in 2020. These are all mostly ongoing attempts to trick people, so be on the lookout for anything resembling such suspicious activities. Don’t get fooled by offers to give you money, and always check their story, details, and more.
Chances are that, most of the time, these will be scams that are after taking your money, instead of giving it to you for free.