Phishing Scams Target Some of the Biggest Online Brands

Amazon and PayPal are the best ways to make financial transactions online. WhatsApp is the secure messaging service with end-to-end encryption. Everyone uses Facebook and Gmail. What could go wrong?

If you think the best-known names on the internet are safe, it’s time to think again. Online criminals are getting smarter and sometimes the bigger the brand, the more worthwhile it is to invest in a scam that will actually fool people.

In the past, phishing emails were easy to spot, with bad grammar and spelling mistakes a native speaker wouldn’t make. Today, scammers not only use perfect English, they’ve often expertly matched the logo, style and URL, so it takes a careful comparison to see the difference. Meanwhile, legitimate sales platforms, such as Facebook Marketplace, are full of people trying to convince you to hand over money for nothing in return.

Don’t assume anyone online is telling the truth unless you have verification from an independent source. It takes only a few seconds for hackers to steal financial details or infect your computer with malware that will allow them to access personal information. Help protect your privacy and safeguard the entire family’s reputation with ReputationDefender’s online privacy services. We’ll tell you about system vulnerabilities before they become a problem and help you deal with leaks after the fact. We’ll also keep you up-to-date on some of the most recent scams.

Companies to Double Check

Here are 6 well-known companies that have recently been targeted by scammers.

  • Amazon – Hackers have been sending convincing receipts for products that were never purchased, complete with a link to follow if you want a refund. Don’t fall for it. Open a new browser window and sign into your real Amazon account to check your orders.
  • Apple – A group of scammers have been caught trying to convince people to pay off tax debt with iTunes gift cards. The message may come as a phone call, text or email claiming to be from the HMRC, but fraudsters ask for iTunes vouchers, which can be sold or traded anonymously, to pay off the overdue tax. The HMRC would never communicate in this manner and Apple doesn’t use iTunes as payment ‘outside of official stores’.
  • Facebook – Facebook Marketplace isn’t even a year old and it’s already full of scammers. Since there is no official payment method, it’s up to buyers and sellers to make an agreement. A number of fraudulent users have been insisting on payment via bank transfer, but once the money is turned over the product is never delivered and messages are blocked. Never agree to a bank transfer with someone you don’t know well; there are too many ways this can go wrong.
  • Google – A new Gmail scam has been scarily effective, even with tech-savvy people who don’t usually fall for phishing. The trap appears to be an attached file from a contact, but instead it’s an embedded image which will take you to a Google sign-in window when you click on it. The window also appears legitimate, complete with ‘One Account, All of Google’ at the top of the page. However, once you enter your login details, hackers have complete access to your account and start to target your contact list almost immediately. The only way to spot this scam is by noticing a subtle difference in the URL, which begins with ‘data:text’ rather than ‘https’.
  • PayPal – Look for a warning that claims there’s been ‘unusual activity on your PayPal account’. The scammers have cleverly copied enough identifying marks to make the email look legitimate, but clicking on the link will give them access to your account.
  • WhatsApp – WhatsApp users have reported messages claiming to offer free Sainsbury’s gift cards in celebration of new stores opening. Unfortunately, the message has nothing to do with Sainsbury’s and clicking on the link will install malware that allows hackers to steal information from your phone.

New phishing scams appear all the time. Learning to recognise the signs will help protect your reputation and keep your information secure. For further questions or concerns about phishing scams, contact our experts at ReputationDefender.

How Can I Avoid a Phishing Attack?

Phishing attacks are scams that trick people into exposing financial details and other sensitive data. Phishing is not new; this type of online attack has been around almost as long as the internet, but today’s schemes are more sophisticated and harder to detect than ever. In the past, all but the most naïve could see through badly written requests to transfer money or suspicious-looking prize notices. This is not the case with modern phishing schemes, which often resemble official communications so closely it’s hard to tell the difference. Some hackers take the time to learn co-workers’ names and personal details to make them appear even more convincing.

Phishing scams pose numerous risks. The most common scenario is a virus that will infect a computer through a contaminated link or a compressed document. Malware delivered through phishing can steal personal information, including financial details, or it may contain ransomware that will encrypt computer files and hold them hostage until you pay a fee. Most viruses have the ability to spread and infect an entire company network and businesses are frequently targeted since they have more resources and incentive to protect their data.

Falling prey to a phishing attack leaves a company vulnerable to financial theft, as well as leaks that could release trade secrets and confidential information. Compromising data released to the public causes reputational damage that’s hard to undo. Experts at Reputation Defender work to safeguard client reputations through regular privacy audits that catch problems as they emerge. We also help to repair online reputation by creating and promoting positive content.

Types of Phishing Attacks

There are basically two ways a hacker may design a phishing scheme:

  • Mass-scale phishing – A general attack that includes many different methods of communication. A lot like casting a large fishing net, mass-scale attacks do not target a specific person. However, they may include numerous semi-random attempts aimed at discovering the weakest link in a company’s network – the one employee gullible enough to click on a random link or reveal their password to a stranger.
  • Spear-phishing or Whaling – Spear-phishing is a targeted attack aimed at a specific person or a group of people. This type of phishing attack often includes details that make the included information seem legitimate. Emails can be designed to resemble personal office communication or a typical business invoice. Whaling is a type of spear-phishing that targets high-level personnel, particularly the CEO. Hooking these so-called “large fish” gives cyber criminals easier access to sensitive company data and financial accounts.

Methods of Delivery

Fraudsters have found even more creative ways to deliver links, through email, phone calls, text messaging and social media feeds.

Email phishing

A phishing email often looks like a generic notice from a well-known company or a bank. Cyber criminals have been known to copy logos from PayPal and eBay well enough to avoid detection. Typical scare tactics include warnings that the account is insecure, the password has been changed or there is a payment past due. Phishing emails usually include a CTA asking victims to click on a link or open an attached document. A targeted spear-phishing email may reference a colleague or a boss.

Things to look for – Many phishing emails still have small spelling mistakes or grammatical errors that a native speaker wouldn’t make, so this is the first thing to check. A missing email signature is another red flag, as is a form of address or writing style that’s not normal. Sometimes the only way to detect a phishing email is through slight changes in the email or domain name, such as the use of zeros instead of the letter “O” or “rn” instead of “m”. These can be easily missed, so if anything seems off, double-check the email address and domain name carefully.
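
The two URL checks described in this article (the Gmail lure whose address begins with ‘data:text’ rather than ‘https’, and look-alike domains that use zeros for “O” or “rn” for “m”) can be automated. The Python below is an added example, not part of the original article; the allow-list, the extra substitutions (“1” for “l”, “vv” for “w”), the function names and the sample links are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed allow-list: real sign-in domains for brands named in the article.
TRUSTED = {"amazon.com", "apple.com", "facebook.com",
           "google.com", "paypal.com", "whatsapp.com"}

# Look-alike substitutions: "0" for "o" and "rn" for "m" come from the article;
# "1" for "l" and "vv" for "w" are assumed additions of the same kind.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]


def skeleton(name):
    """Collapse look-alike sequences so imitations compare equal to the original."""
    name = name.lower()
    for fake, real in CONFUSABLES:
        name = name.replace(fake, real)
    return name


def registered_domain(host):
    """Last two labels of the host (simplification; production code should
    consult the Public Suffix List to handle suffixes such as co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def check_link(url):
    """Classify a link from a message as ('ok' | 'block' | 'unknown', reason)."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme != "https":
        # Catches the Gmail lure: its address starts with data:text, not https.
        return ("block", f"scheme is {scheme or 'missing'}, not https")
    domain = registered_domain(parts.hostname or "")
    if domain in TRUSTED:
        return ("ok", f"{domain} is on the allow-list")
    if skeleton(domain) in TRUSTED:
        return ("block", f"{domain} imitates {skeleton(domain)}")
    return ("unknown", f"{domain} is not on the allow-list; verify independently")


if __name__ == "__main__":
    # Constructed sample links, not taken from real campaigns.
    for link in ["data:text/html,https://accounts.google.com/ServiceLogin",
                 "https://www.paypa1.com/signin",
                 "https://arnazon.com/orders",
                 "https://www.amazon.com/orders"]:
        print(check_link(link), link)
```

An “unknown” verdict is not a pass: it means the domain is neither trusted nor an obvious imitation, so the advice to verify through an independent channel still applies.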

Voice phishing – Vishing

Phone calls are another phishing technique (called vishing) which is aimed at getting individuals to hand over financial details or personal information. Like email phishing, vishing is often based on scare tactics that encourage victims to take action quickly without thinking about the consequences. Fraudsters may warn that a bank account is in danger or they may threaten legal action if a bill is not paid. Between 2013 and 2016, almost 900,000 people in the US received vishing calls purporting to be from tax collectors with the IRS. These calls resulted in 5,000 victims with collective losses of USD $26.5 million.

Things to look for – Asking that bills be paid over the phone is unusual, so this should be an immediate warning. Banks also rarely ask for financial details or personal information over the phone. Don’t give details out unless you’ve made the phone call yourself to an official number and you know the counselor you’re speaking with well enough to recognize his or her voice. Other things to watch for are masked numbers or unknown caller ID.

SMS phishing – Smishing

Text messaging is another phishing technique that has come to be called smishing. Smishing messages often resemble phishing emails; they can come in the form of fake account notices with a CTA link. Some cyber criminals have even been known to use smishing to hijack a two-party identification system, first by requesting a password reset on your account, then sending a text asking for the code you just received in order to fix “unusual activity” on that same account.

What to look for – Unusual or unfamiliar numbers should be a give-away, as well as unsolicited messages or codes you haven’t requested. Unless this is a company that normally sends texts, you should wonder why they are using this form of communication.

Social Media Phishing

Phishing schemes have also infiltrated social media. Fraudulent posts may claim you’ve won the lottery or ask you to click and sign up for membership. Targeted attacks often pretend to be from a friend who’s opened a second account. Some scams may even come from a regular account that’s been hacked.

What to look for – Watch for irregularities (why would a friend choose to open a different account?) or language that doesn’t sound like the person you know. Be suspicious of sponsored posts from unknown businesses and links included in comments made by people you don’t know well.

Avoid Getting Hooked

Avoid all forms of phishing with these basic guidelines:

  • Don’t click on a link in an email or a text message unless you’re sure who the sender is.
  • Be wary of unsolicited messages and unusual account notices. Verify with the company before taking any action.
  • Always sign in to your accounts via a trusted app or by entering the URL in your browser. Don’t use an embedded link even if you think it’s legitimate.
  • Double-check any communication that doesn’t follow normal protocol. It never hurts to follow up with an old-fashioned phone call to make sure the message is from the real sender, especially if there’s money or confidential information involved.
  • Don’t transfer money without verifying who’s asking for it and where it’s going.
  • Don’t give out personal information over the phone.
  • Don’t fall for scams that seem too good to be true. They probably are.