Scammers have adopted new tactics to ensure the success of their phishing campaigns ahead of Black Friday and this year's holiday shopping season, at a time when consumers have eschewed retail stores in favor of online shopping.
According to a new report from the email security company Inky, scammers have stopped including malicious links and attachments in their phishing emails as anti-phishing technology has become much more effective at warding off even the most sophisticated attacks. Instead, they've begun crafting emails designed to impersonate big brands like Amazon, Target and Walmart.
These emails, which resemble an order confirmation from an online retailer, are harmless when opened and don't contain any malware whatsoever. However, they do include a phone number that potential victims are instructed to call if they believe the order or shipping confirmation was sent to them by mistake. Receiving an email for items you didn't buy can be troubling, especially if you believe you've fallen victim to identity theft. This creates a sense of urgency, and victims often end up calling scammers of their own accord.
If a user does call the number included in one of these emails, someone working for the scammer on the other end of the call will try to extract their payment details and other financial information.
Phone scam threats
Over the summer, Inky saw so many of these emails impersonating retail brands that its engineers created a new threat model called Phone Scam. In the four months since this new threat model was rolled out, the firm detected 24,275 of these attacks targeting its customers, and this number has steadily increased with Black Friday and Cyber Monday just around the corner.
At the same time, these messages are sent using free email services like Gmail and Hotmail, which makes it much easier for them to pass email authentication protocols like DMARC. So far Inky has seen scammers use this threat model to impersonate Amazon, PayPal, Target, eBay and other popular online retailers and mobile payment apps.
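The pattern described above (a big-brand name on a free-mail sender, a callback number, and no links or attachments) can be checked mechanically. The following is an added example, not Inky's model or code from its report; the brand-to-domain map, the free-mail list, the regexes and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed, deliberately short lists; the article names these brands and providers.
FREE_MAIL = {"gmail.com", "hotmail.com"}
BRANDS = {"amazon": "amazon.com", "paypal": "paypal.com", "target": "target.com",
          "ebay": "ebay.com", "walmart": "walmart.com"}
URL_RE = re.compile(r"https?://|www\.", re.I)
# North American style numbers, e.g. (555) 010-0199 or 555.010.0199.
PHONE_RE = re.compile(r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)")

def phone_scam_signals(raw):
    """Score one RFC 5322 message against the callback-phishing pattern."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    text, attachments = [], 0
    for part in msg.walk():
        if part.get_filename():
            attachments += 1
        elif part.get_content_maintype() == "text":
            data = part.get_payload(decode=True) or b""
            text.append(data.decode(part.get_content_charset() or "utf-8", "replace"))
    body = "\n".join(text)
    claimed = f"{display} {msg.get('Subject', '')}".lower()
    # A brand is "impersonated" when it is named but the sender is not on its domain.
    brand = next((b for b, real in BRANDS.items()
                  if re.search(rf"\b{b}\b", claimed)
                  and domain != real and not domain.endswith("." + real)), None)
    has_phone = bool(PHONE_RE.search(body))
    return {
        "free_mail": domain in FREE_MAIL, "brand": brand, "has_phone": has_phone,
        # link_free explains why URL and attachment scanners find nothing to inspect.
        "link_free": attachments == 0 and not URL_RE.search(body),
        "flag": bool(domain in FREE_MAIL and brand and has_phone),
    }

# Constructed sample messages (not real mail).
SCAM = '''From: "Amazon Order Support" <orders.desk4471@gmail.com>
Subject: Your Amazon order confirmation

Your card was charged $849.99 for a 65-inch TV.
If you did not place this order, call (555) 010-0199 immediately.
'''
LEGIT = '''From: "Amazon.com" <auto-confirm@amazon.com>
Subject: Your Amazon.com order

View your order: https://www.amazon.com/your-orders
'''
```

Because the sender really is on the free-mail domain, a DMARC pass says nothing about the brand named in the display name, which is why the check compares the claimed brand against the sender's domain instead.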
To avoid falling victim to these Phone Scam email threats, Inky recommends that potential victims carefully inspect the email address, writing and content of these emails to see if they are legitimate. Alternatively, you can open your browser, head to Amazon, Target or the website of any retailer mentioned in these scams, and check your order history to see if you or someone else in your household might have ordered the item you've received an order or shipping confirmation for.
Other ways to protect yourself online during this year's holiday shopping season include installing antivirus software on all your devices, using a VPN service when shopping, especially when connected to public Wi-Fi, and using a password manager to generate and store strong, unique passwords for all of your online accounts.