Crime never sleeps, and to a hardened criminal organization, every crisis comes with an opportunity. Based on the news reports we’re seeing, it appears that this is a great opportunity for those in the business of scamming, hacking, and phishing.
Every large web company in the world will have its own procedures and protocols to follow in the face of widespread phishing attacks, but Google sees and tracks more of the activity than any other company. This week, it had some alarming news to share. During the seven days from April 5th to April 12th, the company had to take direct action to stop more than one hundred and twenty-six million phishing attacks. That’s a truly staggering number, and yet it’s likely to be just the tip of the iceberg. These are only the attacks that Google was able to identify, step in, and prevent or shut down. The total number actually carried out is likely to be far, far higher.
Given that most phishing attempts are fairly easy to spot for the average web user thanks to a combination of implausible content and poor spelling, it’s all a numbers game to the people who carry out the attacks. They only need one in a million people to respond positively to their attempts, and they’ll still make money. To them, it’s like playing the popular game Rainbow Riches mobile slot. You can spin the reels of an online slots game ten, twenty, or thirty times in a row sometimes without anything happening. Then, all of a sudden, you’ll go for one more spin, and the online slots game you’re playing will pay out big money even though the action taken by the player hasn’t changed. Just as online slots players know that the law of averages is on their side so long as they keep on spinning, people who go phishing know that their technique doesn’t need to change so long as a few people are still taking the bait.
Generally speaking, the attack is carried out the same way that almost all phishing is performed: by sending a ‘bait’ email that misrepresents the origin of the message. Popular fabrications include pretending to be a national government wanting to send out financial aid. In some cases, the scammers are even pretending to be the employer of the targeted person, and appearing to transmit information about furloughs or financial assistance.
At the time of writing, Google is intercepting around eighteen million phishing attempts every day and is working on its artificial intelligence software in an attempt to make it even more robust when it comes to identifying and intercepting phishing attempts before they happen. The company is also providing them with assistance to make it harder for scammers to spoof their domain names and extensions, thus making it more difficult for a phishing attempt to look genuine. No attempt at prevention will be one hundred percent effective, though, and so it’s more important now than ever for users to be vigilant when checking their emails.
The most important point to remember is that almost no legitimate organization will ever ask you to submit your bank details via a form that arrives by email. If you receive any such communication, contact the organization in question using a phone number on Google – never the phone number that comes with the email – to verify that the transmission is genuine before taking any action. It’s also just as important to verify that all of the links that appear in such emails go where they appear to go. Hover over any ‘click here’ buttons to see the URL that you’ll arrive at if you click on them. Do the same with links that appear in the text. If you have any doubts at all – no matter how slight – delete the email and take no further action.
While most phishing attempts work by attempting to send you to a specific URL and asking you to part with personal information, some will instead try to persuade you to open an attachment. The attachment contains a piece of malware and will compromise the security of your system if you open it. Never open an attachment if you’re unsure of its source, and be suspicious of any emails with attachments that you weren’t expecting to receive. Ideally, you should use an email management program that comes with automated virus scanning, as this will identify any threats before you get the opportunity to open them.
Both the National Cyber Security Centre in the United Kingdom and the Department of Homeland Security in the United States of America first noted and reported a sudden spike in the volume of phishing and scamming traffic online on April 8th. Both organizations noted that the spike seemed to be timed with the shift from people working in offices to working from home, when users would begin to use their home computers more than they otherwise would and would also potentially be working without the benefit of the network-wide virus and malware protection that they would have if they were still in the office.
The sophistication of the latest scams doesn’t appear to be any greater than it has been for the past few years, but with so many people at home anxiously checking for information on the internet, the vulnerability of the public online is probably at a higher point now than at any point in the past. Google will continue to do whatever it can to stem the tide – as will every major ISP and tech company – but ultimately, it falls to individual users to remain vigilant and exercise common sense when dealing with communications in order to stay safe.