In the ever-evolving digital landscape, cyber threats have become increasingly sophisticated, posing a significant risk to our online security. Recently, I’ve observed a surge in phishing attempts targeting my email addresses, particularly the corporate ones. While it used to be relatively simple to identify these deceptive tactics, the phishing landscape in 2023 is very different. The level of sophistication of these attempts, and the way the e-mail messages are crafted, suggests a potentially higher success rate, making it more crucial than ever to stay informed and alert.

In this blog post, I’ll show some of the latest examples and tactics and help you identify phishing messages.

What is phishing?

Phishing is a type of cyber attack where attackers impersonate legitimate organizations or individuals to trick victims into revealing sensitive information. This could include passwords, credit card numbers, or social security numbers. Typically, phishing is carried out through deceptive emails, text messages, or websites, which appear authentic and prompt users to input their personal details. The stolen information is then used for fraudulent activities, such as identity theft or financial fraud.

Phishing attempts in the past

In the past, the vast majority of phishing attempts were quite easy to spot. You might receive an email that was supposedly from your bank, but it was full of spelling mistakes and poor grammar. The email might ask you to click on a link and enter your account details to confirm your identity or avoid some kind of penalty. The link would lead to a website that looked a bit off: maybe the logo was blurry or the layout was different from the official site. The email address it was sent from would often be a random string of characters, or a misspelled version of the bank’s name, which was a dead giveaway that something was fishy.

Of course, there have always been professional threat actors with a completely different level of sophistication, but normally they would not target an “average” digital citizen.

Recent development in phishing campaigns

At the end of 2022, around the same time ChatGPT was introduced to the public, I noticed that a lot of phishing e-mails started to get past the spam filters of my e-mail provider. At the same time, the quality of the e-mails became much better than it used to be. These messages were not as clumsy, had almost perfect grammar, and some of them were even able to spoof the original domain names.

Below you can see an example of a recent message, written in pretty good Finnish. Of course, a native speaker can spot some oddities, but I nevertheless consider it a good example.

This message suggests that the recipient (and potential victim) is entitled to a tax refund. They will need to follow a link to the tax office, which actually leads to the scam website.

OmaVero phishing attempt 2023

Why I found this particular attempt notable:

  1. Surprisingly, my email filters didn’t flag it as a phishing attempt. I had to manually mark it as spam.
  2. The sender’s email address was from a random domain, which is common for phishing e-mails. But remember, sometimes these domains can be spoofed to look legitimate.
  3. The message’s grammar and wording were a bit off, but an expat in Finland, for example, might overlook this and fall for the scam.
  4. The timing was spot on. These phishing emails started popping up around early Autumn, just when Finnish tax refunds are usually paid out. So, people who are expecting these refunds are much more likely to become victims of these emails.
  5. It’s important to note that the Tax Authorities will never ask for your bank details via email. However, if you haven’t provided your bank account number to the tax office, they might request it (usually through a more secure digital channel or by sending regular mail). So a request for additional information (a bank account number) is not totally unexpected, which is one more chance to fall for the scam.
  6. The email had a random reference number in the subject field, making it seem more legitimate.
  7. The logo and color scheme used in the email were very similar to the actual tax office’s, making it harder to immediately identify as a scam.
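As an added illustration (not part of the original post), the following script runs the checklist above against a constructed message that mimics the OmaVero lure: it checks the sender domain, the reference-number subject, where the links really point, and whether the body asks for a bank account number. The legitimate sender domain (vero.fi) and the sample message are assumptions for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains the impersonated organisation really sends from. Assumption for this
# example: the Finnish Tax Administration's vero.fi (subdomains accepted).
LEGIT_DOMAINS = {"vero.fi"}

# Constructed sample that mimics the OmaVero lure described above; not a real message.
SAMPLE_EML = """\
From: OmaVero <noreply@omavero-refund-service.example>
Subject: Tax refund - reference 48213902
Content-Type: text/html

<p>You are entitled to a tax refund. Log in to OmaVero:</p>
<a href="http://omavero-refund-service.example/login">https://www.vero.fi/omavero</a>
<p>Enter your bank account number to continue.</p>
"""

def registered_domain(host):
    """Reduce a hostname to its last two labels; good enough for this example."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:])

def is_legit(host):
    return registered_domain(host) in LEGIT_DOMAINS

def triage(raw):
    """Return the phishing indicators found, mirroring the checklist above."""
    msg = message_from_string(raw)
    findings = []
    _name, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rsplit("@", 1)[-1]
    if not is_legit(sender_host):                          # indicator 2
        findings.append(f"sender domain '{sender_host}' is not {sorted(LEGIT_DOMAINS)}")
    if re.search(r"\b\d{6,}\b", msg.get("Subject", "")):   # indicator 6
        findings.append("subject carries a reference-number-like digit string")
    body = msg.get_payload()  # single-part, 7-bit sample, so the str payload is the body
    for href, text in re.findall(r'href="([^"]+)"[^>]*>([^<]*)<', body):
        target = urlparse(href).hostname or ""
        shown = urlparse(text.strip()).hostname
        if not is_legit(target):                           # link leads to the scam site
            findings.append(f"link target '{target}' is off-domain")
        if shown and registered_domain(shown) != registered_domain(target):
            findings.append(f"link text shows '{shown}' but points to '{target}'")
    if re.search(r"bank account|tilinumero", body, re.I):   # indicator 5
        findings.append("body asks for a bank account number")
    return findings
```

Run `triage(SAMPLE_EML)` to see all five indicators flagged; a plain message from `@vero.fi` with no links and no digit string in the subject produces an empty list.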

How not to become a victim of the scam

To wrap up, here are some simple guidelines to help you avoid falling victim to these scams.

  • Always be skeptical of unsolicited emails asking for personal information.
  • Check the sender’s email address carefully and look out for any spelling or grammar mistakes in the message.
  • Don’t click on any links or download attachments from suspicious emails.
  • Remember, legitimate organizations like your bank or tax office will never ask for sensitive information via email. If you’re unsure about an email, contact the organization directly using a phone number or website you know is genuine.

Stay vigilant, stay informed, and you’ll be well-equipped to dodge these phishing attempts.