Phishing in 2024: Don’t Get Caught Up in Nets

What is phishing? It is an attempt to steal one’s personal data such as payment card number, address, or login information. This can be achieved via emails, websites, or social media platforms. 

The scenario of the attack is identical almost every time. Thanks to that, it’s easy to spot it. But to do so, you must first know what the scenario actually looks like.

Rule number one is to remember that your bank and other institutions will never reach out to you for your personal and login information.

Table of contents:
What to Expect in the Phishing Waters in 2024
What Stinks in Fraudulent Messages
AI in the Hands of Scammers
Don’t Underestimate Prevention
Avoid Looking Like a Phisher in Your Email Campaigns
To Remember

What to Expect in the Phishing Waters in 2024

There are many types of phishing attacks. Here are the top ones you can expect in 2024.

Email phishing 

Email phishing is the oldest form of phishing. You can get messages multiple times a year or even a month in your inbox.

Usually, these are copies of original messages of actual companies and institutions. They are edited and include dangerous links.

What is typical for email phishing?

The website insists that you fill in your personal information. Usually, they want this from you based on some unexpected issue they found that must be resolved immediately with you taking action. The first step is clicking on a dangerous link they sent you.

The issues that phishers mention vary. However, the most used ones are payment not being processed, login issues, or your account not working properly.

Emails with infected content usually contain short URLs and grammatical mistakes. Sometimes, the text is not an actual text but the whole message is just a screenshot. You can spot this by zooming in and examining the pixels of the letters. In screenshots, they are of poor quality.

Beware of email attachments. They might be infected. These are usually with extensions such as .zip, .exe. and .scr.

Whaling 

Whaling is phishing targeted at C-suit. 

These attacks are quite difficult to detect because they look credible. There are almost no grammatical mistakes, the language is professional and the whole message makes sense.

What is typical for whaling?

Typos in the domains (besides gmail.com there is for example gmial.com). Scammers send you messages on your personal email, not your business one. This is very unusual for professional communication. Immediately, you should spot a red flag.

Spear phishing 

Spear phishing is targeted mainly at companies.

Scammers work with the information available on the internet and send group emails to whole teams. 

These attacks are not easy to uncover since at first sight they look like internal communication.

What is typical for spear phishing?

Your “co-worker” asks for information that they should be able to find in your internal company documents. Plus, they share with you links for shared folders that are not in your hub. Both should be a warning signal that something is not alright here.

SMS phishing 

So-called smishing. 

What is typical for SMS phishing?

Messages are from unknown numbers, sometimes from foreign countries. 

Again, phishing SMSs include a dangerous link that will lead you to a website where you should enter your personal information.

Voice phishing 

Also called vishing.

What is typical for voice phishing?

Scammers call you and pretend to be a worker of some institution (bank or even a state institution).

They want to scare you that some unexpected situation happened. This can be a payment not being processed, or some issues with your bank account.

Scammers will ask you to give them information they could use to steal money from your bank account - payment card number, PIN code. If this happens to you, immediately hang up. Your bank would never call you to discuss such a major security problem with you. Banks have their own tools to deal with serious issues and resolve these themselves.

Social media phishing 

Social media are heaven on earth for scammers. Why? Because they can find here information that is not available anywhere else on the internet. 

And since it’s easy to get in touch with the users, scammers are very active on social media platforms.

What is typical for social media phishing?

Chats don’t usually have a specific structure. Therefore, scammers just write a message and don’t have to stress about its design. 

Often, scammers present themselves as administrators. They warn you about violating the policies of the platform. Based on this they threaten to deactivate your profile. The only way you could save yourself is to click on the enclosed link or to contact the scammer immediately.

Besides such messages, they also send invitations to polls, fake videos, or requests to comment on their post. Fake discounts are also a widely used phishing tool.

Stealing accounts is also a popular technique. Scammer then makes some changes to the account (in the name usually) and then sends dangerous content to the profile’s contacts.

If you’re not sure whether the user who contacted you is a real person or a fake one, do this: check their profile info (name, bio, list of friends or followers), how many posts they have posted, and how long they’re active on the platform.

Fake profiles are created just with one purpose, and that is to steal. They are new, without much information, and with no or little activity. And their list of friends or followers is very short.

What Stinks in Fraudulent Messages

1. Urging to fill in your personal information (full name, payment card number, etc.).
2. Grammatical mistakes - the texts are usually translated with poor-quality CAT tools.
3. The sender’s phone number is of foreign origin.
4. Weird symbols are part of the message and are useless there ($, ~).
5. Suspicious URLs.
6. The offers seem to be too good to be true.

AI in the Hands of Scammers

Scammers are able to create more personalized content thanks to AI. Therefore, it is more difficult for a user to uncover if it’s actually a phishing attack.

How scammers use AI

1. Personalized content – AI tools can analyze a huge amount of data. Thanks to these, they’re able to create more personalized content. Emails generated with AI look more natural and professional than those created by the scammer themselves. 

2. Deepfake audio and video – Deepfake technology allows scammers to create quite believable audio and video files. It is even possible to imitate the voice of a real person in it. It’s expected that deepfake is going to be very difficult to distinguish from a real person and their voice in the future.

3. AI as a web programmer – There are tools on the market that allow us to generate a whole website using AI. Including the website content. Even though this topic is controversial for decent sellers, the tools are enough for the scammers. Their websites have short expiration dates; therefore, they don’t mind it not looking the best or not being liked by Google. The goal here is to create as many websites as possible and have as many victims on their accounts as possible.

4. AI, analyst, and editor – AI tools can analyze the success of a phishing campaign in real-time. And edit them accordingly, so they get more engagement. Including the grammar edits and design of the message.

5. Sophisticated screening of victims – Screening of social media users is quite time-consuming. Therefore, AI is a big help here. 

AI can recognize users’ hobbies and therefore guess their needs. Based on this information, it generates content that is suitable for the target audience.

What can help here is the AI regulations.

Don’t Underestimate Prevention

You can’t stop scammers trying to get in touch with you, but you can take steps to make it more difficult for them.

Here’s how to do it:

• Use spam filters, especially in Outlook or Thunderbird. Web versions of inboxes have it activated by default.
• Adjust the settings of your browser so the pop-up windows are blocked.

• Before you click on a link, first put a cursor on it and wait for a second. What you need to know is whether the link has the SSL certificate - the link must begin with https.
• Your bank tracks the phishing attacks and informs about them on its website. Check this before responding to any suspicious message.
• If you think you are a victim of phishing, immediately get in touch with the institution that should be involved. You should also contact the police.
• When entering information on a website or an app, always check the source. If something seems to be suspicious, contact its provider.

Avoid Looking Like a Phisher in Your Email Campaigns

If your emails look suspicious, you’ll not only lose potential customers’ attention but also trust.

Here are a few tips on how to write an email that doesn’t look like from a phisher:

1. Be friendly but not too much - Address your clients by their name. But there is no need to tell them who they are. This could look very phishy. You must know your clients well but the way to show them you care about them is by offering what they desire and what they need.
2. Make sure your URLs are transparent – Make sure your URLs are obvious to the reader. Also, avoid using shortened URLs. Always make sure your links are safe.
3. Always be professional – Stay professional. Use eye-pleasing design and communicate straightforwardly with your readers. Always check your text multiple times to make sure there are no typos and grammatical mistakes in it. 

Be careful with the usage of CAT (call to action). These are incredibly important for any commercial type of communication; however, you mustn’t urge your audience too much. Urging looks suspicious.

Ideally, be friendly, use concise language, and show your customers you care about them. Don’t forget to communicate the tone they’re used to.

To Remember

Phishing attacks are certainly going to be more and more common in the future. Especially, with the AI power. And tactics of scammers are going to change over time. 

Therefore, always be careful if someone whom you don’t know contacts you. And stay informed about the novelties in these dangerous waters.