18 February 2022: During 2021, cyber-fraudsters involved in the creation and distribution of spam and phishing tried to lure users using topics focused on lucrative investments, online streaming of global movie or TV premieres and themes related to restrictions, requirements and benefits of the ongoing pandemic. These are the key outcomes of Kaspersky’s Annual Spam and Phishing Report.
While not being too complex technology-wise, spam and phishing attacks are often based on sophisticated social engineering techniques. That is why such attacks are considered quite dangerous for an unprepared user. Spam is a type of malicious activity that involves massive or targeted email distributions. The goal of the fraudsters behind these schemes is to promote various products and services among internet users and to lure targets to either engage in a dialogue, click a malicious link or open a malicious file attachment. Phishing often takes the form of a spam email paired with a malicious copy of a legitimate website. These copies collect private user data or encourage the transfer of money to fraudsters. As the results of the Kaspersky Spam and Phishing in 2021 report show, last year cybercriminals used many popular topics to scam users.
Investment in cryptocurrencies or stocks was one such topic – in these scams users were offered potentially great, “100% safe” opportunities to invest their money, which of course wasn’t true. In reality these offerings served one purpose – to make victims transfer their money to fraudsters.
Scams based on world movie premieres, also spotted by Kaspersky experts, were similar, but in this case criminals were offering early access to a stream of a recently premiered blockbuster. Usually users would be shown a trailer or introduction video, after which they would be requested to enter their payment details to continue watching. Of course, if a victim did pay, they would not get access to the desired content, but would lose their money. The scheme remained quite popular in 2021; based on Kaspersky experts’ observations, almost every big movie or TV series premiere of the year, along with big sporting broadcasts, was accompanied by the appearance of themed scams like this.
The other big topic exploited by phishing fraudsters in 2021 was the pandemic. Here, criminals created schemes around two big themes: compensation from governments and health organisations, and access to vaccination certificates.
In the first case victims were “informed” that they had been granted compensation from their government’s pandemic-related support program, but in order to get the compensation a victim would have to pay a small transaction fee. Of course, these offers were not true and criminals used them to obtain money and bank details.
The other type of pandemic-related phishing and spam scheme is connected with sales of vaccination certificates. Victims were offered a vaccination certificate, which would allow them access to public spaces and travel, without having to go through the vaccination procedure. While some underground forums would indeed offer such services, nothing prevented criminals from making fake promises in exchange for money. As getting a vaccination certificate without having a vaccine is illegal, it is highly unlikely that the victim of such a scam would report it to police. And this is what the criminals behind these scams are hoping for.
Frequently during 2021, Kaspersky experts saw fraudsters use pandemic-related scams in an attempt to gain access to corporate networks. In these cases the content of a spam or phishing email would inform an employee of a targeted organisation that they are the subject of specific pandemic compensation. In order to receive it, though, a victim must confirm their corporate account on a specific web page. If successful, this process allows criminals to gain access to corporate infrastructure and credentials.
“Widely discussed topics such as money, movie premieres and worldwide happenings, like the pandemic, have always been ‘bread and butter’ for scammers. We keep seeing it return, from year to year and it doesn’t look like criminals will stop anytime soon. This is mostly because these scams prove to be very efficient as people continue to trust too much of what they see in their inboxes and browsers. We believe it is important to be aware that there are a lot of offers out there that seem ‘too good to be true’. We call on people to be cautious when it comes to trusting what’s in their email, as this approach may help them save their private data and money”, said Tatyana Sherbakova, Security Expert at Kaspersky.
In order to avoid becoming a victim of spam or phishing-based scams, Kaspersky experts advise the following:
- Only open emails and click links if you are sure you can trust the sender
- When a sender is legitimate but the content of the message seems strange, it is worth checking with the sender via an alternative communication channel
- Check the spelling of a website’s URL if you suspect that you are faced with a phishing page. If you are, the URL may contain mistakes that are hard to spot at first glance, such as a 1 instead of I or 0 instead of O
- Use a proven security solution when surfing the web. Thanks to access to international threat intelligence sources, they are capable of spotting and blocking spam and phishing campaigns
Read more about Spam and Phishing in 2021 in the report published on Securelist.com