Friday Phish Fry

Phishing Email Alerts

Catch of the Day: LinkedIn Phishing Sim

Chef’s Special: Zoom Phish

Examples of clever phish that made it past my spam filters and into my Inbox, or that came from clients or from reliable sources on the Internet.

I would be delighted to accept suspicious phishing examples from you. Please forward your email to phish@wyzguys.com.

My intention is to provide a warning, examples of current phishing scams, related articles, and education about how these scams and exploits work, and how to detect them in your own inbox. If the pictures are too small or extend off the page, double-clicking on them will open them up in a photo viewer app.


LinkedIn Phishing Simulation

Here is another phishing simulation from my employer, Infosec.  The links redirect to a training page.


How Many Phishing Sites? A Whopping 2 Million in 2020 So Far

Google has flagged 2.02 million phishing sites since the beginning of the year, averaging forty-six thousand sites per week, according to researchers at Atlas VPN. The researchers note that the number of phishing sites peaked at the start of the year, which correlates with the start of the pandemic.

“Data also reveals that in the first half of 2020, there were two huge spikes in malicious websites, reaching over 58 thousand detections per week at the peaks,” the researchers write. “The second half of the year seems more stable, which is not a positive thing, as there are around 45 thousand new copy-cat websites registered every seven days.”

Atlas VPN says the number of new phishing sites has been steadily increasing each year since 2015, but it’s now higher than it’s ever been. Google and other companies do a good job of tracking down malicious sites, but attackers can easily scale their operations and set up new sites to stay ahead of efforts to shut them down. New-school security awareness training enables your employees to spot these sites on their own.

Full Post with links:
https://blog.knowbe4.com/how-many-phishing-sites-over-2-million-in-2020-so-far


Warn Your Employees About New Zoom Phishing Attacks

From KnowBe4 – Zoom-themed phishing attacks have spiked since the start of the pandemic. We are seeing both Zoom and Teams-themed criminal campaigns. Attackers adapted quickly earlier this year when a large portion of workers began operating remotely, and the phishers still are improving their lures to exploit your organizations’ dependence on video-conferencing platforms.

Scammers registered more than 2,449 Zoom-related domains from late April to early May this year alone. Con artists use these domain names, which include the word ‘Zoom’ or ‘Teams’, to send phishing attacks that look like they are coming from the official video conferencing services.

This finding isn’t surprising, since attackers always update their phishing lures to take advantage of ongoing trends and events. The BBB says users can defend themselves against new variations of phishing lures and suggests a few security best practices.

I suggest you send the following to your employees, friends, and family. You’re welcome to copy, paste, and/or edit:

“There are new Zoom (and Microsoft Teams) phishing attacks you need to watch out for. The Better Business Bureau has three great tips.

“Out of the blue, you receive an email, text, or social media message that includes Zoom’s logo and a message saying something like, ‘Your Zoom account has been suspended. Click here to reactivate.’ or ‘You missed a meeting, click here to see the details and reschedule,’”

“You might even receive a message welcoming you to the platform and requesting you click on a link to activate your account,” the BBB warned:

  • “Double check the sender’s information. Zoom.com and Zoom.us are the only official domains for Zoom. If an email comes from a similar-looking domain that doesn’t quite match the official domain name, it’s probably a scam.
  • “Never click on links in unsolicited emails. Phishing scams always involve getting an unsuspecting individual to click on a link or file sent in an email that will download dangerous malware onto their computer. If you get an unsolicited email and you aren’t sure who it really came from, never click on any links, files, or images it may contain.
  • “Resolve issues directly. If you receive an email stating there is a problem with your account and you aren’t sure if it is legitimate, contact the company directly. Go to the official website by typing the name in your browser and find the ‘Contact Support’ feature to get help.”

Remember: Think Before You Click. It is more important than ever these days.”
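As an added example (not from the post, KnowBe4 or the BBB), here is a small Python triage of the From: header that implements the first BBB tip: only zoom.com and zoom.us (or their subdomains) count as official, while domains or display names that merely contain ‘Zoom’ or ‘Teams’ are flagged as look-alikes. The sample headers are constructed for illustration.

```python
from email.utils import parseaddr

# The only official Zoom sender domains named in the BBB tip above.
OFFICIAL_DOMAINS = ("zoom.com", "zoom.us")
# Brand words that the look-alike domains described in the post contain.
BRAND_WORDS = ("zoom", "teams")

def sender_parts(from_header):
    """Split a From: header into (display name, domain), both lowercased."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[1] if "@" in addr else ""
    return name.lower(), domain.lower().rstrip(".")

def is_official(domain):
    """True only for zoom.com / zoom.us themselves or a subdomain of them.
    zoom.us.evil.example is NOT official: the official name is not the suffix."""
    return any(domain == d or domain.endswith("." + d) for d in OFFICIAL_DOMAINS)

def mentions_brand(text):
    """Coarse heuristic: does the text contain a Zoom/Teams brand word?"""
    return any(word in text for word in BRAND_WORDS)

def classify_sender(from_header):
    """Return 'official', 'lookalike' or 'unrelated' for one From: header.

    'lookalike' covers a domain that merely contains a brand word, a display
    name that claims the brand while the domain does not back it up, and an
    address that cannot be parsed at all (treated as suspicious).
    """
    name, domain = sender_parts(from_header)
    if not domain:
        return "lookalike"
    if is_official(domain):
        return "official"
    if mentions_brand(domain) or mentions_brand(name):
        return "lookalike"
    return "unrelated"

# Constructed sample headers (not taken from the post) covering each case.
SAMPLE_HEADERS = [
    "Zoom <no-reply@zoom.us>",
    "Zoom Video <alerts@notify.zoom.com>",
    "Zoom Support <account@zoom-us.com>",
    "Zoom <meetings@zoom.us.account-verify.example>",
    "Microsoft Teams <noreply@teams-login-alert.example>",
    "Zoom Billing <billing@invoice-portal.example>",
    "Alice <alice@example.org>",
]

def triage(headers):
    """Map each header to its verdict so a mail filter or report can act on it."""
    return {h: classify_sender(h) for h in headers}
```

Running `triage(SAMPLE_HEADERS)` marks only the first two headers as official; the rest are look-alikes except Alice, whose mail is simply unrelated to the Zoom theme.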



About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com
