Our 2019 phishing scams guide collects the popular phishing campaigns that have been reported against individual services. We cover the top trending schemes, which aim either to extract sensitive information from the victims or to steal their money, both fiat currency and cryptocurrency. Continue reading to learn how to protect yourself.
|Short Description|The 2019 phishing scams aim to access sensitive data, money or cryptocurrency assets by using complex social engineering tricks.|
|Symptoms|Receiving email messages from unknown senders and suspicious sources.|
|Distribution Method|Mainly email messages.|
2019 Phishing Scams — Overview and Main Distribution Methods
All popular 2019 phishing scams use email messages as their main distribution tactic. The recipients are sent messages disguised as legitimate notifications from a service, program, product or other party, stating that some kind of interaction is required. Most of the time the scams concern account activity, fraudulent transactions or password reset reminders. All of these are legitimate reasons for sending activity messages, which is why they are easily confused with the real notifications. In almost all cases the landing pages use similar-sounding domain names and TLS certificates (self-signed, stolen or simply issued for the look-alike domain itself, which any certificate authority will do), so the padlock icon alone says nothing about whether the site is safe. Furthermore the design layout, elements and text of the legitimate site can be copied wholesale.
Fake web sites are the second stage of delivery: the email messages link to them. In many cases the attackers also set them up stand-alone on typosquatted domains that differ from the spoofed service's domain by a single letter, so that a user who mistypes the address lands on the fake site without any email being involved.
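The look-alike domain tactic described above, as an added example that is not part of the original article: a small Python checker that takes a hostname from a link and classifies it as the brand's own domain, a homoglyph (punycode or confusable characters), a typosquat within two edits, or a name that merely contains the brand. The brand list, the confusable table and the sample hostnames are constructed for the example; a production tool would use the Public Suffix List and the full Unicode confusables data.

```python
"""Look-alike domain check for hostnames found in suspicious links.

Added example; this is not code from the original article. The brand
list, the small confusable-character table and the sample hostnames are
constructed for illustration. A production tool would use the Public
Suffix List for registrable domains and Unicode's full confusables table.
"""
import unicodedata

# Domains that genuinely belong to the brands we care about (constructed list).
KNOWN_BRANDS = ("apple.com", "docusign.com", "godaddy.com", "netflix.com")

# A few characters attackers substitute for Latin letters (constructed
# subset of the Unicode confusables table plus two common digit swaps).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o",   # Cyrillic а е о
    "\u0440": "p", "\u0441": "c", "\u0456": "i",   # Cyrillic р с і
    "0": "o", "1": "l",
}


def registrable_domain(host):
    """Last two labels of a hostname: 'login.apple.com' -> 'apple.com'.
    Assumes a one-label public suffix; consult the Public Suffix List for
    'co.uk'-style suffixes in real code."""
    return ".".join(host.split(".")[-2:])


def normalize_host(host):
    """Decode punycode labels, apply NFKC, then fold confusable characters,
    so that 'xn--pple-43d.com' and 'app1e.com' both become 'apple.com'."""
    labels = []
    for label in host.split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # malformed punycode: keep the raw label
        labels.append(label)
    folded = unicodedata.normalize("NFKC", ".".join(labels))
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


def levenshtein(a, b):
    """Plain edit distance; small enough to inline rather than pull a library."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host):
    """Return (verdict, brand) for a hostname taken from a link.

    legitimate     registrable domain is exactly a known brand domain
    homoglyph      looks like a brand only after confusable folding
    typosquat      brand label within edit distance 2 (appel.com)
    brand-in-name  brand appears elsewhere in the name (apple.com-verify.net)
    unknown        nothing brand-like about it
    """
    host = host.strip().lower().rstrip(".")
    if registrable_domain(host) in KNOWN_BRANDS:
        return "legitimate", registrable_domain(host)
    norm = normalize_host(host)
    norm_reg = registrable_domain(norm)
    if norm_reg in KNOWN_BRANDS:
        return "homoglyph", norm_reg
    label = norm_reg.split(".")[0]
    for brand in KNOWN_BRANDS:
        if levenshtein(label, brand.split(".")[0]) <= 2:
            return "typosquat", brand
    for brand in KNOWN_BRANDS:
        if brand.split(".")[0] in norm:
            return "brand-in-name", brand
    return "unknown", None


if __name__ == "__main__":
    # Constructed sample hostnames of the kinds described above.
    for sample in ("login.apple.com", "xn--pple-43d.com", "app1e.com",
                   "appel.com", "secure.apple.com.login-check.net", "example.org"):
        print(f"{sample:35} {classify_host(sample)}")
```

The exact-match check runs first on purpose: a link to the brand's real domain must never be flagged just because its label happens to be within two edits of another brand. The distance check is applied to the registrable domain rather than the full hostname, because attackers usually put the brand name in a subdomain of a domain they control, which the last rule catches.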
An alternative to these two methods is the use of social media profiles, which may be stolen, hacked or created by the attackers. Usually hundreds or thousands of profiles generate predefined posts, private messages and profile details carrying the phishing links. To coordinate these attack waves the criminals usually acquire botnets of infected computers and databases of stolen account credentials, and deliver the scam with automated tools and scripts.
Phishing scams, especially the most popular ones, may also be delivered through browser hijackers: malicious extensions built for the most popular web browsers. They are uploaded to the official extension stores with fake user reviews and developer identities, advertising feature additions or performance optimizations. In this case their main purpose is to redirect the victims to the phishing landing page, typically by changing the default home page, the new tab page and the search engine.
Various infected payload carriers may also host the phishing scams. Two popular examples are:
- Malicious Documents — The criminals embed scripts that redirect users to the phishing page in documents of all popular formats: rich text documents, text files, presentations and databases. Links to the pages can be placed in multimedia or interactive content, or opened automatically when the file is opened. In some cases the document shows a prompt asking that the built-in macros be enabled in order to "correctly view" the document or to use its embedded functionality; if the user allows this, the redirect code runs.
- Software Installers — The redirect code can also be embedded in installers of popular software. Usually programs that end users download frequently are chosen: creativity suites, system utilities, productivity and office apps and so on. As soon as the installer is started, or once installation finishes, a browser window or an in-app tab opens with the phishing landing page. The installers can be programmed to keep running until the expected user interaction has been recorded.
Existing malware infections may also trigger the display of the phishing landing page. This is usually the case with Trojan horse clients, which set up a persistent, encrypted connection to a server controlled by the attackers and let the operators spy on the victims, take control of their computers and steal information. Once the machine is under their control the attackers can open the browser window automatically or whenever certain actions are taken by the victim.
Hacked web pages of services, download portals, news sites and other commonly visited destinations may likewise display phishing landing pages or lead to malware infections.
2019 Phishing Scams #1 — Apple Payment Scam
Apple-related scams are among the most widely distributed in 2019, a continuation of the 2018 campaigns against Apple ID users. At the start of this year we received several reports of phishing messages that attempt to convince the victims that they have received a legitimate message from the company. The medium of choice is once again email, with messages designed to appear as if sent from the company's servers.
Unlike most other Apple scams the captured messages do not copy the distinct text layout and elements of the real notifications, nor are they particularly believable. There are several ways to distinguish the fake messages from real Apple notifications:
- Source Addresses — The messages are not sent from an official Apple domain.
- Non-Apple Design — The text layout and body content do not match the way Apple notifications are made.
- Attached Documents — Apple does not send out documents about account activity, and certainly not in .DOCX format.
The Apple payment scam can potentially affect thousands of users, as many Apple customers make online transactions through the company's services. A security or privacy incident naturally raises concerns about those services, and social engineering tactics like this one exploit that concern.
2019 Phishing Scams #2 — Australian Government Contractors Phishing Scam
A dangerous phishing scam was detected on January 9 2019 when a security company discovered the active campaign. According to the published reports a criminal collective spoofed email messages designed to appear as if sent by the Australian Government. The recipients are tenderers for commercial projects, and the end goal of the phishing attempt is to extract personal information about them or about the projects they are working on. This is done by impersonating a departmental invitation to bid in sealed tenders.
The recipients are asked to open an attached document called Australia Tender Invitation.pdf. The file contains a "Tender" button which redirects them to an online landing page: a copycat scam page that mimics the legitimate Department of Regional Development, and Cities registration page. The site requests personal information and account credentials from the visitors.
The security company has issued a list of guidelines that reduce the risk from tender-related messages:
- Organizations should train their employees to spot suspicious emails; larger establishments should invest in a cyber security awareness training program.
- Unsolicited emails that contain links and attachments should be treated as potentially dangerous. Security staff should be alerted before any interaction takes place.
- Look for the usual warning signs of phishing emails: poor grammar, spelling and punctuation, and generic salutations such as "Dear Sir/Madam", "Client" or "Customer". Legitimate messages will usually address the person by full name and state the relationship (client, partner, customer and so on).
- Larger organizations should implement the email authentication standards (SPF, DKIM and DMARC) and deploy the corresponding filtering services.
- Advanced attack campaigns can make use of the target's digital footprint. Information harvested from the Internet can be used to craft personalized messages that are hard to distinguish from legitimate notifications.
- Double-check that the senders of a suspicious message are indeed who they claim to be. If possible verify by other means, such as a phone call to a number you already know, and alert the system or network administrators.
2019 Phishing Scams #3 — TV License Phishing Scam Offers
Several criminal collectives have been found targeting Internet users en masse with TV licensing renewal and subscription prompts. There are two main distribution methods for the messages: email notifications and SMS messages. In most cases the data about the victims is bought on underground markets and stems from earlier identity theft. The criminals overseeing the campaign can therefore personalize the messages and make them nearly indistinguishable from legitimate ones; the only warning signs are the domain name and embedded elements that do not belong to the real service. The official TV Licensing website has posted numerous notices about the scam, and an investigation has been started that aims to reduce the risk by taking down the groups responsible.
One disturbing characteristic is that the criminals have been able to harvest the recipients' mobile phone numbers, so the SMS messages have a high chance of being acted upon. They state that a problem was identified in processing the last TV license payment and offer a link to "update" the recipient's information; the accompanying warning states that this is required in order to avoid a fine.
Whatever the distribution method, the landing page requests personal information and payment card details. The fraudulent site asks for everything needed to use the card: full cardholder name, phone number, card number, verification code, expiration date and so on. With this information the criminals can commit both identity theft and financial fraud.
TV Licensing has posted tips on preventing phishing attacks of this kind. The service states that it will never email customers asking for personal information, bank details or direct payment data, and that email messages sent by the official service always include the recipient's full name. Subject lines can be checked against the typical ones used in attack campaigns: "Action required", "Security Alert", "System Upgrade", "There is a secure message waiting for you" and others. The address the warning is sent from should also match the official domain.
2019 Phishing Scams #4 — DocuSign Phishing Scam
A large-scale DocuSign phishing campaign has been reported both by victims and by the company itself. According to the published reports and notifications several groups are orchestrating such attacks. There are two main forms of the scam:
- Malicious Site — Scam landing pages are the most common sign of this tactic. They are not hosted on the official domain, and fake or stolen certificates are used. Links to the fake sites are usually found in browser hijackers, malicious portals, email messages or redirects through URL shortening services. The destination pages trick users into believing they have reached a legitimate portal owned by DocuSign. Interacting with them can also install malware on the victim system (Trojans, miners and ransomware); the dangerous characteristic of these infections is that they can happen merely by visiting the site, through the scripts built into it.
- Email Message — The fake email messages come from a sender that is not the DocuSign service. Many of the scam messages contain attached PDF files; the service specifically states that such documents are sent only after both parties have signed digitally. Other warning signs include generic greetings and wording that psychologically pressures the recipient into taking a certain action. Any use of pop-ups is a sure sign that the message is not legitimate. Example scam subject lines include: "You received / got invoice from DocuSign Signature Service / DocuSign Electronic Signature Service / DocuSign Service".
One of the newer waves of DocuSign-related phishing pages takes another approach: it shows a DocuSign-branded portal page with links to popular services (Gmail, Outlook, Office 365, Yahoo!, AOL and "Others") and states that the contents of these accounts have been encrypted by the service. To "unlock" or "decrypt" the files the users are led to a login page requesting their account credentials. If they are provided the criminals receive them instantly, enabling both financial fraud and identity theft.
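The indicators listed for the Apple, tender, TV Licensing and DocuSign lures above (sender domain, generic greeting, pressure wording in the subject, off-brand links, unexpected or macro-enabled attachments, and the email authentication results) can be checked mechanically. The following Python script is an added example, not code from the article or from any of the companies named. The sample message, the expected sender domain and the keyword lists are constructed for the illustration; the macro check relies on the documented fact that Office 2007+ documents are zip containers whose VBA project is stored in a vbaProject.bin part.

```python
"""Header, body and attachment triage for a brand-themed e-mail.

Added example; this is not code from the article or from any of the
companies it mentions. The sample message, the expected sender domain and
the keyword lists are constructed for this illustration.
"""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

SUBJECT_PHRASES = ("action required", "security alert", "system upgrade",
                   "secure message waiting", "invoice from", "account disabled")
GENERIC_GREETINGS = ("dear sir/madam", "dear client", "dear customer", "dear user")
# Document types the impersonated services do not send unsolicited.
UNEXPECTED_EXTENSIONS = (".docx", ".docm", ".xlsm", ".pdf", ".zip", ".js", ".html")


def address_domain(header_value):
    """Domain of an address header, handling 'Display Name <user@host>'."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def in_domain(host, expected):
    """True for the expected domain or a real subdomain of it; rejects
    look-alikes such as 'apple.com.evil.net' or 'apple.com-verify.net'."""
    host = host.lower().rstrip(".").split(":")[0]
    return host == expected or host.endswith("." + expected)


def has_macros(blob):
    """Office 2007+ files are zip containers; a vbaProject.bin part means
    the document carries VBA macros (the 'enable content' lure)."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return any(name.endswith("vbaProject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def triage(raw_bytes, expected_domain):
    """Return a list of (code, detail) findings; an empty list means none of
    these indicators fired, not that the message is safe."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    from_dom = address_domain(msg["From"])
    if not in_domain(from_dom, expected_domain):
        findings.append(("sender-domain", from_dom))
    reply_dom = address_domain(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        findings.append(("reply-to-mismatch", reply_dom))
    # Only trust an Authentication-Results header written by your own MTA;
    # inbound gateways should strip any copy supplied by the sender.
    auth = str(msg["Authentication-Results"] or "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        if f"{mech}=pass" not in auth:
            findings.append(("auth-fail", mech))
    subject = str(msg["Subject"] or "").lower()
    findings += [("pressure-subject", p) for p in SUBJECT_PHRASES if p in subject]
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().lower() if body else ""
    if any(g in text for g in GENERIC_GREETINGS):
        findings.append(("generic-greeting", ""))
    for host in re.findall(r"""https?://([^\s/"'<>]+)""", text):
        if not in_domain(host, expected_domain):
            findings.append(("off-brand-link", host))
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(UNEXPECTED_EXTENSIONS):
            findings.append(("unexpected-attachment", name))
        if has_macros(part.get_payload(decode=True) or b""):
            findings.append(("macro-attachment", name))
    return findings


def build_sample():
    """Constructed lure resembling the Apple payment scam described above,
    with a macro-enabled .docm attached; returns the raw message bytes."""
    m = EmailMessage()
    m["From"] = "Apple Support <billing@apple-id-support.com>"
    m["Reply-To"] = "help@mail-relay.example"
    m["To"] = "victim@example.org"
    m["Subject"] = "Action Required: unusual payment on your account"
    m["Authentication-Results"] = ("mx.example.org; spf=fail "
                                   "smtp.mailfrom=apple-id-support.com; dkim=none; dmarc=fail")
    m.set_content("Dear Customer,\n\nReview the attached receipt or verify your "
                  "account at https://apple.com-verify.net/login\n")
    doc = io.BytesIO()
    with zipfile.ZipFile(doc, "w") as zf:  # minimal macro-enabled document
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/vbaProject.bin", b"constructed macro blob")
    m.add_attachment(doc.getvalue(), maintype="application",
                     subtype="vnd.ms-word.document.macroEnabled.12",
                     filename="receipt.docm")
    return m.as_bytes()


if __name__ == "__main__":
    for code, detail in triage(build_sample(), "apple.com"):
        print(f"{code:22} {detail}")
```

The Authentication-Results check only means something if the header was written by your own mail gateway; a sender can add a forged copy, so inbound gateways should strip any pre-existing instance before adding their own. An empty findings list is not a clean bill of health, only the absence of these particular indicators.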
2019 Phishing Scams #5 — GoDaddy Email Verification Phishing Messages
Several user reports indicate that a new GoDaddy-themed campaign is underway, sending email messages that pose as being sent by the hosting company. They copy the layout and content of real notifications to a large extent and instruct the victims to verify their email addresses by clicking a link button. This most likely redirects them to a login page requesting their credentials; if they are entered, the information is transmitted directly to the operators, who can then hijack the GoDaddy accounts. Since hosting plans are ordered through accounts that hold payment and identity details, various crimes can follow, including identity theft and financial fraud.
Clicking the links can also have other dangerous consequences:
- Malicious Redirects — After the credentials are stolen the GoDaddy scam page can redirect the victims to other dangerous web pages, for example portals that distribute malware or ad sites with intrusive banners, pop-ups and cryptocurrency miners.
- Analytics Gathering — The emails can contain tracking elements, such as remotely loaded images, that record the users' engagement and give the operators further information about their habits, which can be used to optimize future attacks.
- Payload Delivery — As soon as the email is loaded or the accompanying site is visited other threats can be deployed as well, ranging from file-encrypting ransomware to Trojan horses that let the operators take over the victim machine at any time.
If the first wave of GoDaddy phishing emails proves successful in hijacking user accounts, the criminals behind it may launch improved versions. Typically such follow-up attacks target specific types of users or run for a set period of time.
2019 Phishing Scams #6 — ProtonMail Login Pages Scams
Recently many users reported being redirected to fake ProtonMail landing pages. They copy the design of the legitimate email service and coerce the victims into entering their details. The end goal of the group behind them is to acquire as many user accounts as possible. Most of these phishing scams aim to access the victims' private inboxes, but the data can be used in other ways as well:
- Identity Theft — ProtonMail is widely used by people who want to keep their identity private. Access to their private messages can therefore reveal their personal information, which can be used for blackmail.
- Sale of Data — The obtained information can be compiled into databases and sold on underground markets.
- Malware Distribution — The compromised inboxes can be used to send out malicious samples of all kinds.
There are many sources of the ProtonMail phishing scams; the most common are website redirects, malware pop-ups and banners, and email messages. The emails are sent in bulk and coerce the victims into interacting with the embedded content. They may copy the design of legitimate notifications, which makes the fakes harder to distinguish from the real ones.
2019 Phishing Scams #7 — Fake Facebook Login Pages
In early February 2019 there were several reports of fake Facebook login pages being widely distributed using the methods described earlier. This is a typical copycat scam site: it reproduces the original design and layout of the social network and tries to convince visitors that they are on Facebook. Links to such pages are usually embedded in phishing emails that appear to be sent by the service. Instead of reaching the legitimate login page the users arrive at the copycat address, and the only way for visitors to tell the difference is the domain name.
2019 Phishing Scams #8 — Fake BT Login Pages
An attack campaign carrying fake BT login pages was reported to us recently. The tactic is to make visitors believe that they are accessing the legitimate BT service. Successful attempts at reaching targets en masse include both traditional email phishing and links sent via social networks, using attacker-made or hacked accounts that post links to the malicious site. In most cases these are "offers" or "account change information": the victims are told that they need to log in to their profiles and "verify" their identity.
The other strategy used in this context is "special offers". Through attacker-created profiles, email messages and other communication channels the victims are promised exclusive deals if they log in to their account through the fake login page.
2019 Phishing Scams #9 — Fake Netflix Login Pages
One of the most popular approaches to scamming victims is to send out bulk email messages that lead to fake Netflix login screens. The goal is to coerce the victims into entering their account credentials in the login form. The pages are hosted on similar-sounding domain names, use TLS certificates and copy the body content and design of the real site.
There are many alternative forms, which can all be launched at the same time:
- Search Engine Placement — The malicious sites can be built with search engine optimization in mind, ranking high in search results and confusing victims into thinking they are accessing the legitimate site.
- Social Network Posts and Messages — Using attacker-made or stolen accounts the group behind the Netflix phishing scams can construct various campaigns on these networks. A popular variant is posting special "offers" and "deals" for which the victims are told they have to enter their login credentials.
- Malicious Ads — Using attacker-controlled sites and intrusive ads placed on ad networks the criminals can run campaigns that point to the dangerous sites.
All kinds of variations can be expected from the Netflix campaigns.
2019 Phishing Scams #10 — Fake VK (Vkontakte) Login Pages
VK is one of the most popular social networks worldwide and one of the most visited sites in Russian-speaking countries, which also makes it a target for phishing scams. It is popular with criminals because VK can be accessed via desktop and mobile web clients as well as apps for most popular devices, so phishing attempts can be made through a wide range of strategies, including the following:
- Fake Websites — One of the most common methods is to build fake sites that pose as the legitimate domain. They are hosted on similar-sounding domain names, carry certificates that are not VK's own and replicate the design and layout of the real VK page. They can be positioned high in search engine rankings, which lures in users who may not tell the fake address from the real one.
- Social Media Posts — The attackers use purpose-made or stolen accounts to post links to the fake VK site, usually as profile links, media or special deals, all crafted to entice the targets into clicking.
- Ad Campaigns — The malicious VK sites can be spread via malvertising campaigns on websites that display such ads.
- Email Phishing Messages — This is one of the most popular methods: the criminals run campaigns that imitate legitimate email notifications from well-known services or products. Whenever they are interacted with, the fake pages are displayed.
Other methods can be used as well; this list contains only a small sample of the ways victims can be redirected to the fake VK sites.
2019 Phishing Scams #11 — Facebook Warning Account Disabled Scam
In 2019 a Facebook-related scam was detected which uses malicious pages bearing the title "Warning Account Disabled". They have a bland design, but one whose layout resembles the social network. This is done to grab the targets' attention: they see what looks like a page hosted by Facebook that has issued a warning screen. The familiar Facebook logo and layout may entice them into entering the requested information. The captured samples request the following data:
- Email Address
- Webmail Type
- Webmail Password
- Security Question & Answer Combination
There are multiple ways in which this scam is delivered to recipients. A popular scenario is to send links to the page via scam emails that appear to come from the social network and coerce the victims into clicking a link that leads to the phishing page.
Various malicious domains that appear to be owned by or affiliated with Facebook can be created; they feature links, certificates and page elements that make them appear to be part of the social network. Posts, pages, users and other in-Facebook content can also be created to spread the site.
2019 Phishing Scams #12 — Chase Phishing Scam
Clients of the Chase online banking service should be very cautious, as several identified attack campaigns distribute fake phishing pages. They are designed as verification steps and use the body design and layout that the institution uses in its registration forms. The page asks for the following fields to be filled in with the client's information:
- User ID
- Email Address
- Email Password
The fake Chase login pages are distributed via the most widely used tactics. One relies on spam email messages carrying the phishing lure and posing as legitimate notifications from Chase. Effective examples include messages claiming that the account needs to be verified in order to be reactivated after a fraud alert.
Another technique relies on creating multiple websites that either copy the main scam site or link to it from several domains, usually disguised as download portals, search engines, landing pages and so on.
2019 Phishing Scams #13 — Barclays Phishing Scam
A distinct attack campaign is active against Barclays online banking users, who are targeted with counterfeit "Account Verification" pages. These look like legitimate registration steps: the group behind the scam has copied the body design, text content and other elements (header and footer) to create a page that cannot easily be distinguished from a real Barclays page.
The fake web pages are hosted on similar-sounding domain names, may contain strings that refer to products or services the bank offers, and even present signed TLS certificates. All of this is done to make the visitors believe they are accessing a page hosted by the bank.
Other methods used to distribute links that redirect to the Barclays phishing page include the following:
- Social Media Links — The attackers can use their own or stolen profiles to run mass campaigns against Barclays users while pretending to be representatives of the bank. The content can be shared in pages, posts and direct messages.
- Browser Hijackers — Malicious browser extensions can be created that contain the redirect instructions to the phishing page. They are usually made compatible with most popular browsers and uploaded to the extension stores using fake developer identities and elaborate descriptions.
- Email Campaigns — The criminals can craft email messages containing the phishing lure that redirects to the Barclays scam page, designed to appear as if sent by the financial institution.
- Ad Campaigns — Malicious and intrusive ads frequently link to dangerous content such as this.
As the campaigns continue we may see updated versions as well as other methods employed by this or another group.
2019 Phishing Scams #14 — Google Translate Phishing Scam
At the beginning of February 2019 a worldwide phishing campaign was detected, operated by an unknown group. Instead of linking straight to a phishing domain the criminals used an alternative trick: the phishing page is opened through the Google Translate service, so the address the victim sees begins with the string associated with the legitimate service, "translate.google.com", even though the content is served by the attacker.
These links are sent out in a bulk phishing email campaign posing as a legitimate Google notification that the user's account has been accessed by an unauthorized party. A call-to-action button in the body manipulates the targets into believing that they must click it to secure their account. A login page is then presented that requests the Google account credentials.
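An added example of how to see through this wrapping, not code from the article: the campaign's links are assumed here to use Google Translate's translate?...&u=<url> form, in which the browser shows translate.google.com while the page content is fetched from the host named in the u parameter. The sample URLs are constructed.

```python
"""Unwrap a Google Translate proxy link to find the host that serves the page.

Added example; not code from the article. It assumes the lure uses the
'https://translate.google.com/translate?...&u=<url>' form, so the visible
host is Google's while the content comes from the host in the u parameter.
Sample URLs are constructed.
"""
from urllib.parse import parse_qs, urlparse

TRANSLATE_PROXY_HOSTS = ("translate.google.com", "translate.googleusercontent.com")

# Constructed lure of the kind described above.
SAMPLE_LURE = ("https://translate.google.com/translate?sl=auto&tl=en"
               "&u=https%3A%2F%2Faccounts-google-verify.example%2Fsignin")


def unwrap_translate(url):
    """Return (visible_host, content_host). For a Translate proxy link the
    content host is taken from the 'u' query parameter; otherwise both are
    the URL's own host."""
    parts = urlparse(url)
    visible = (parts.hostname or "").lower()
    if visible in TRANSLATE_PROXY_HOSTS:
        targets = parse_qs(parts.query).get("u")
        if targets:
            inner = urlparse(targets[0])
            # Translate also accepts a bare host without a scheme, in which
            # case urlparse puts it in the path; fall back to that.
            content = (inner.hostname or inner.path.split("/")[0]).lower()
            return visible, content
    return visible, visible


def in_domain(host, expected):
    """Exact domain or a real subdomain only; 'google.com.evil.net' fails."""
    return host == expected or host.endswith("." + expected)


def link_is_on_brand(url, expected_domain):
    """Judge a link by the host that serves the content, not the one shown."""
    _, content_host = unwrap_translate(url)
    return in_domain(content_host, expected_domain)


if __name__ == "__main__":
    print(unwrap_translate(SAMPLE_LURE))                                   # visible vs content host
    print(link_is_on_brand(SAMPLE_LURE, "google.com"))                     # False
    print(link_is_on_brand("https://accounts.google.com/signin", "google.com"))  # True
```

The point of the example is the mismatch: the visible host passes a naive "is this a Google domain" check, while the host that actually serves the login form does not. Any link checker that looks only at the address bar host is fooled by this kind of wrapping, so unwrap first and then apply the domain test.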
2019 Phishing Scams #15 — Binance Phishing Scam
Binance is one of the most popular cryptocurrency exchanges, used by coin holders worldwide. As a trusted choice for many it has also caught the eye of criminal groups, who have orchestrated numerous phishing attacks against account holders and other target groups.
One of the most popular methods is to create fake websites that pretend to be the legitimate Binance home or login page. The attackers use similar-sounding domain names and even valid certificates issued for those domains in order to make the sites look and feel legitimate. Users are advised to verify that the domain name shown in the certificate and in the address bar corresponds to the official ones used by the company, *.binance.com or *.binance.co, and to be wary of look-alikes in which the string "binance.com" merely appears inside a longer hostname. Binance staff also recommend enabling two-factor authentication. API keys and other secret keys should never be disclosed to websites or services, even if prompts, pop-ups and other content ask for them.
The criminals can also craft spam messages that try to convince the victims they have received a legitimate service notification. They replicate the design and text of the real service and include links to the phishing sites.
Two distinct cases of fraudulent "Binance staff" have also been reported by the company. In one of them a fake hotline (a tech support scam) attempted to defraud visitors. The tactic is to create websites containing keywords such as "Binance", "Support", "Help" and similar combinations; when reached through search engines they redirect the victims to a login page where their credentials are requested. If e
Via social networks the criminals can create fake profiles through which they impersonate Binance staff. This is often done on platforms like Twitter and Facebook, where a large number of victims can be reached. Several types of phishing scams are run this way:
- Warning Posts — The fake accounts post "safety instructions" for better protecting customer accounts. The guides are hosted on attacker-controlled domains to which the posts link; as soon as users enter their Binance login details there, the details are sent to the operators.
- Personal Messages — The criminals can also send direct messages to the victims and attempt various tech support scams. A common one claims that the account has been accessed by an unauthorized person and that Binance needs the user's cooperation in investigating it, by providing the account credentials.
- Donations and Giveaways — Using fraudulent promotions the criminals advertise large giveaways. To enter, Binance account holders are persuaded to transfer large sums to attacker-controlled wallets.
Remove 2019 Phishing Scams from Your Computer
To make sure that the 2019 phishing scams, and any malware they delivered, are fully gone from your computer, we recommend following the removal instructions below this article. They are divided into manual and automatic removal guides so that you can choose the one that matches your malware removal experience. If you are not confident in manual removal, we recommend checking whether your computer is infected by scanning it with an advanced anti-malware program. Such software helps keep your PC secure and your passwords and data safe. Keep in mind that a phishing page itself leaves nothing to remove: if you entered credentials or card details on one, change those passwords (and any account where the same password is reused), enable two-factor authentication and contact your bank immediately.