Phishing is moving beyond the inbox and into your everyday online experience, in an effort to collect personal details and spread the attack through social networks, according to a new report from Akamai Enterprise Threat Research.
In a world where millennials have grown up with a device in their hand, inherently trusting everything they interact with on the web, cybercriminals are meeting victims where they are online, using a new type of phishing attack that gets the user to give up personal details.
Users surfing the web are unexpectedly redirected to a “Congratulations” page with either a roulette-looking wheel or a 3-question quiz. It’s an attack designed to gather email addresses and personal information to be used later as part of a subsequent spam campaign.
Cybercriminals leverage the visitor’s desire to win a prize, utilizing over 40 well-known brands, such as airlines, retail stores, and restaurants, to lull the victim into a false sense of security. To “win”, victims must a) share the quiz on social media (further perpetuating the scam) and b) provide personal details.
According to Akamai, phishing campaigns like these “outperform” traditional campaigns with higher victim counts due to the social sharing aspect (which makes it feel like your friend on social media endorses the quiz).
While the current iteration of this scam seems to focus on the consumer, it’s not a stretch of the imagination to see this targeting business email – think of a scam pretending to offer catered lunch to an office, asking for name, phone, title, and company email – all the context needed for CEO fraud, data breaches, ransomware and more.
Organizations need to educate their users through Security Awareness Training on these new types of phishing scams and how they can be used against both the individual (as in the case of CEO gift card scams) and the organization (in scenarios involving fraud, data theft, espionage, and more).