Phishing scams are constantly evolving. According to Scamwatch, SMS phishing (‘smishing’) and voice phishing over the phone (‘vishing’) are now, alongside traditional email phishing, two of the most popular delivery methods when measured by the amount of money lost.

Social engineering is a tactic cyber criminals use to convince their target to comply with their wishes, and so successfully deploy their attack. Exploiting cognitive biases, such as deference to authority, sympathy, or trust in an impersonated sender, to name a few, is a popular way to set the scene in emails, SMS, voice calls and messages for credential capture, malware installation or straight-up theft of money.

Don’t fall for the curse of knowledge

One of the most common cognitive biases is the curse of knowledge, or the ‘optimism bias’. This is where you believe you are too clever to be tricked, so your guard is down, or you don’t use secure passwords or apply any of the other safeguards you might need to avoid a breach.

The reason these popular tactics work, and continue to work, is that it only takes one person in an organisation to fall victim and compromise the network, devices, and data. Personally, it can mean unfettered access to a bank account or credit card number, or stolen personal information that could be sensitive or embarrassing if sold or revealed.

Generative AI Risk

Generative AI is making the scale of these social engineering attacks immense. It can generate ideas and scripts that are known to convince, as well as automating the process and even designing the websites or code to deploy. AI can create these tools much faster than a single attacker or even a gang of attackers, meaning that they can attack more people, more often.

If your organisation has phishing awareness training in place, and you aren’t sure why you need to complete the training or, you assume that clicking on the link isn’t that dangerous – try to remember that it’s not a reflection of you: It’s to protect the employees from the ground up with a culture of security.

Let’s have a look at some common scams.

  1. Loyalty Point Program Scams:
  • How it works: Scammers impersonate loyalty programs from well-known brands that you likely already trust; they may even use a URL that looks similar to the official domain.
  • What to look out for: Be cautious of emails or messages that offer loyalty points or rewards and ask you to click a link to log in to your account or provide personal information. A popular one for hotel rewards is the promise of a gift of their luxury pillows as a thank you, just pay the postage and they’re yours! The scam here is that they verify your card is active and then sell that information on, so you may not see unwanted transactions at first.
  2. Tax-Related Phishing Scams:
  • How it works: Around tax time, scammers target individuals by pretending to be from tax authorities offering tax refunds or threatening penalties, or by posing as tax agents asking for updated details to process your return.
  • What to look out for: Official-looking emails or messages that prompt urgent action regarding taxes, often with links to fake MyGov websites (or Work and Income/StudyLink in NZ) where personal details are harvested. A well-known scam, now defunct, harvested MyGov logins in order to change the bank details on the ATO site, meaning many tax refunds were deposited into a scammer’s bank account.
  3. Customised Phishing with Generative AI:
  • How it works: Scammers use generative AI to create sophisticated and personalised phishing messages that adapt and improve over time, and at scale.
  • What to look out for: Highly personalised emails or messages that seem too good to be true, or that mimic the style of legitimate communications from companies or people you may know. Emails are just the beginning. With GenAI being used to mimic voices, and even faces, it’s more important than ever to verify before you trust.

It’s important to keep in mind that legitimate organisations will not normally ask for sensitive information through unsolicited emails or messages. It does happen, but even if the request is real, it’s crucial to verify the source before clicking any links or providing any personal information. Stay vigilant and, when in doubt, contact the organisation or person directly through official channels.

For a demo of our training platform or a preview of a course from our course catalogue - contact us today!