CyberSmart(er): Phishing Scams Are Getting More Sophisticated. Here’s How to Outsmart Them.

On what seemed like any normal day, a Hilliard, Ohio accounting assistant opened an email from one of the city’s vendors, requesting that the assistant update the vendor’s bank routing information on file with the city. The assistant complied with the request and, the next day, made the city’s usual payment of $218,992.06 to the vendor.

Only one problem: neither the email request nor the updated routing information came from the vendor at all; both came from a cybercriminal who had used a classic spear phishing attack to trick the city employee.

In recent years, phishing attacks like this one have become increasingly sophisticated and harder to detect while also growing in popularity. According to a recent CNBC report, the rate of phishing attacks increased 61% in the six months ending October 2022 compared to the previous year.

At the Plans, we have implemented many security controls and best practices, including multifactor authentication and strong information security policies, among other administrative and technical controls to protect the confidentiality, integrity and availability of your information. Additionally, our employees undergo rigorous cybersecurity training. Just as information security is a priority on our end, we want you to have the information you need to keep your data safe on yours.

As part of an ongoing CyberSmart(er) series, this article explores phishing (the most common method of cyberattack), its newest forms and what you can do to avoid cyberattacks.

The New Phishing Schemes

The classic phishing attack consists of a cybercriminal, pretending to be a legitimate individual or company, sending an email or text message that gets you to take an action—calling a number, clicking a link or opening an attachment—with the goal of stealing your personal data or installing malicious software onto your device. Cybercriminals can target you by using knowledge taken from various sources like the dark web or social media.

Historically, phishing attacks have been perpetrated mostly through a text message or email with a subject like “Password Check Required Immediately” to get you to take urgent action. However, in more recent attacks, criminals might use any form of communication or any tactic to commit their crimes.

For example, criminals might build trust with you over multiple email exchanges before asking you to take the action that compromises your data. In voice phishing attacks, criminals might make phone calls pretending to be a company’s support representative to convince you to log in to your account or provide them with information to address an urgent account problem. Malicious URLs and phone numbers are often provided as part of the “fix” for the issue. Attackers are increasingly hijacking the names of trusted platforms like Microsoft, SharePoint, Amazon, Google, UPS and Adobe to carry out their schemes.

On an even more sophisticated level, zombie phishing involves taking over an email sender’s account, then resuming a previous conversation with one of that sender’s contacts by replying to an old message with a malicious link. The recipient, recognizing both the sender and the conversation, is more likely to assume the email is legitimate and click the link. Scammers have also resorted to using shortened URLs like those created with Bitly because they are harder to validate: the visible link reveals nothing about where it actually leads.

Protect Yourself from Phishing Attacks

Phishing attacks can greatly damage a victim’s personal and professional life. Here’s what you can do to protect yourself:

  • Hover over links without clicking on them to see if the actual destination address matches the address you intend to visit.
  • Review text messages and emails for spelling errors within subject lines, email addresses and URLs.
  • Beware of pop-up windows.
  • Never give out sensitive personal information over email or text message.
  • Closely inspect emails and text messages that ask you to take urgent action.
  • Do not share personal or professional information on social media platforms, because it can be used to target you in a spear phishing attack.
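The first two checks above (does the link really go where it claims, and is it hidden behind a shortener?) can be applied automatically to an email's HTML before anyone clicks. This added example is not from the Plans or the original article; the shortener list beyond bit.ly, the two-label domain approximation and the sample message are all assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# bit.ly is named in the article; the other shortener domains are assumptions.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Approximate the registrable domain by its last two labels (assumption: no public-suffix list)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def check_links(html):
    """Return (href, reason) warnings for links a reader should treat with suspicion."""
    collector = _LinkCollector()
    collector.feed(html)
    warnings = []
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        if not host:
            continue  # mailto:, relative or malformed links are out of scope here
        if registered_domain(host) in SHORTENERS:
            warnings.append((href, "shortened URL hides the real destination"))
        shown = re.search(r"https?://([^\s/]+)", text)  # visible text that looks like a URL
        if shown and registered_domain(shown.group(1)) != registered_domain(host):
            warnings.append((href, f"visible text says {shown.group(1)} but link goes to {host}"))
    return warnings


# Constructed sample message (not a real phishing email): one disguised link, one shortened link.
SAMPLE = ('<p>Please update your details at '
          '<a href="https://login.example-evil.test/reset">https://www.example-bank.com/reset</a> '
          'or via <a href="https://bit.ly/abc123">this link</a>.</p>')
```

Running `check_links(SAMPLE)` yields two warnings, one for each link; a message whose visible URLs match their destinations and use no shortener yields none.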

For more online security tips, refer to the Department of Labor’s Online Security Tips available on the Plans’ website at www.dgaplans.org/DOLsecuritytips.