Phishing Scams Weaponize Common Apps to Fool Users
From false PDFs to false customer support calls and malicious advertisements, phishing scams use urgency and trust to pilfer personal information.
Here are some of the most noteworthy phishing campaigns of Q3, with actionable advice to remain secure and aware online.

Hidden Threats Behind Innocent Files

Because PDFs are so pervasive and appear tamper-proof, users have come to assume that all PDFs are safe. Cybercriminals take advantage of this misplaced trust to distribute malicious content, typically presented as invoices, receipts, or CAPTCHA tests.

The attackers launch the attack by sending an email with a PDF attachment. The email appears to originate from a reputable brand such as Microsoft, DocuSign, or PayPal. The subject line is urgent, alerting the victim to an alleged problem with their account. The PDF attachment carries official logos and professional styling, so it looks authentic. The victim is instructed to call a customer service number to resolve the issue or verify a transaction. When the victim calls, the impersonated agent tries to get the victim to divulge sensitive information or unknowingly install malware on their machine.

Voice Calls Leading to Hijacked Accounts

Cyberthieves are using vishing (voice phishing), in which attackers use phone calls, including calls placed through messaging apps like WhatsApp, to deceive the user into giving up sensitive information. The attack usually starts the same way: the user receives a call from a computerized voice, typically from a foreign number. The voice instructs the potential victim to add a specific phone number to their WhatsApp contacts, and the call ends without further instructions. If the user goes to the trouble of adding the number to their contact list, the attacker knows the victim is likely to fall for the scam. The scammer may then send messages pretending to be official WhatsApp support or a trusted organization and, under false pretenses, ask the victim for their verification code. This gives the scammers access to the victim's account and locks the victim out.

Fake Security Alerts Triggering Real Threats

A text message scam in circulation uses panic to bypass rational decision-making. You might receive a message that looks like a security warning, perhaps about someone trying to log into your email or social media account. It usually comes with a multi-factor authentication (MFA) code and a number to call.

At first glance, it may look like a genuine alert from a trusted provider. If you dial the number, you will be speaking directly to a scammer who will try to convince you to share sensitive information such as your username, password, or verification codes. The goal is an account takeover, identity theft, or access to financial data.

Cyber Scams Powered by AI Voice Cloning

AI voice cloning is quickly becoming more than a novelty; it is an imminent cybersecurity risk. The FBI recently issued a warning about an escalating threat campaign in which cybercriminals use fake text messages and AI voice impersonations of top-level U.S. officials. The messages are designed to establish trust with the recipient and eventually convince them to authorize access to personal accounts. Whatever the initial message, the spoofed "official" then encourages the victim to switch to another messaging program and provides a URL that appears to lead to the new application. Once the victim clicks the link, they are compromised: the attacker can use the connection to infiltrate wider networks, extract sensitive information, or hijack financial assets.

Strategies To Mitigate Phishing Threats

By combining strong technical defenses with people-focused strategies, phishing threats can be significantly reduced.

Strengthen access controls: Apply two-factor authentication to defend against unauthorized access, particularly on messaging applications and financial systems.

Ensure the legitimacy of communications: Verify messages, emails, and calls through official channels or reputable sources. Do not rely on phone numbers provided in unverified or unsolicited communications.

Implement human risk management: Adopt a proactive, data-driven approach that measures behavioral vulnerabilities and drives secure behavior change through personalized, continuous training, fostering a strong security culture.

Flag and block suspicious contacts: On platforms like WhatsApp, text, and email, block unknown numbers and report suspicious messages to prevent future scams.

Browse safely: Avoid clicking on ads or links that offer unrealistic bargains. Instead, type the address into your browser directly.

Protect login details: Reputable organizations will never request passwords or credentials via phone or text.

As a final note, conduct phishing simulations that evaluate a user's ability to identify a phishing attempt or social engineering tactic, and merge those results with data analytics to help evaluate personal risk levels. Measuring how prone an individual is to scams allows the organization to target support where it is most needed.
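The fake security alert and the PDF invoice scam above share one tell: a one-time code or account/invoice lure delivered together with a phone number the reader is told to call. As an added example (not from the original article), the following triage heuristic flags messages with that combination; the regexes and the sample messages are constructed for this illustration and are not a production rule set.

```python
import re

# Indicators drawn from the scams described in the article. The patterns are
# illustrative assumptions, not rules from any real product.
CODE_RE = re.compile(r"\b(?:code|otp|pin)\b\D{0,20}\d{4,8}\b", re.I)
PHONE_RE = re.compile(r"(?:\+?\d{1,3}[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")
CALL_RE = re.compile(r"\b(?:call|dial|phone)\b", re.I)
URGENCY_RE = re.compile(r"\b(?:urgent(?:ly)?|immediately|suspended|locked|unauthori[sz]ed|within \d+ (?:hours?|minutes?))\b", re.I)
ACCOUNT_RE = re.compile(r"\b(?:sign[- ]?in|log[- ]?in|login|password|account)\b", re.I)
MONEY_RE = re.compile(r"\b(?:invoice|payment|transaction|charge|refund|receipt)\b", re.I)

def score_message(text):
    """Return (score, reasons) for one SMS or email body.

    A genuine provider's one-time code never arrives with a number to dial,
    so a code or an account/invoice lure paired with a phone number is the
    strongest signal; urgency language adds to it.
    """
    reasons = []
    has_code = CODE_RE.search(text) is not None
    has_phone = PHONE_RE.search(text) is not None
    if has_code:
        reasons.append("one-time code in body")
    if has_phone and CALL_RE.search(text):
        reasons.append("asks reader to call a number supplied in the message")
    if URGENCY_RE.search(text):
        reasons.append("urgency language")
    if has_phone and ACCOUNT_RE.search(text):
        reasons.append("account/login alert paired with a phone number")
    if has_phone and MONEY_RE.search(text):
        reasons.append("invoice/transaction lure paired with a phone number")
    if has_code and has_phone:
        reasons.append("code and callback number together")
    return len(reasons), reasons

def triage(messages, threshold=2):
    """Return (message, score, reasons) for messages at or above the threshold."""
    flagged = []
    for msg in messages:
        score, reasons = score_message(msg)
        if score >= threshold:
            flagged.append((msg, score, reasons))
    return flagged

# Constructed sample messages for the example (not real scam texts).
SAMPLES = [
    "Security alert: unauthorized sign-in to your account. Your MFA code is 483921. "
    "If this wasn't you, call 1-800-555-0142 immediately.",
    "Your verification code is 771204. It expires in 10 minutes.",
    "Invoice #20571 attached as PDF. Call +1 (555) 010-9938 to verify this transaction.",
    "Lunch at noon? Call me at 555-0100 if you're late.",
]

if __name__ == "__main__":
    for msg, score, reasons in triage(SAMPLES):
        print(score, reasons, "|", msg[:60])
```

The legitimate one-time code (second sample) scores 1 and is not flagged, while both callback lures are.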
