15 real-world phishing examples — and how to recognize them

How well do you know these crafty cons?

phishing hack scam malware binary code
Thinkstock

You think you know phishing?

Even though computer users are getting smarter, and the anti-phishing tools they use as protection are more accurate than ever, the scammers are still succeeding. Lured with promises of monetary gain or threats of financial or physical danger, people are being scammed out of tens of thousands of dollars. Corporations lose even more — tens of millions.

These cons continue to work because they have evolved to stay one step ahead of their marks. If they didn’t change, they would fail. And then their creators would be looking for a real job.

Here are 15 real-world phishing examples that could fool even the savviest users.

More on phishing:

2a deactivation scares
Roger Grimes/IDG

Deactivation scares

This is a lure that often works because nothing scares people into reacting quicker than a deactivation notice. You have probably gotten one of these. You probably got one today. Rarely a day goes by when we don’t get an email pretending to come from an organization we might – or might not – belong to. It claims your account will be deactivated if you don’t follow a convenient link, enter your logon name and password, and take immediate action – probably to update your credit card. These were once easy to spot. But these days, they look incredibly realistic. They might include real links to the company they claim to be from. They probably even include “Beware of scammer” warnings or reassuring “Scanned and Cleaned by AV” notices. It’s easy to ignore these phishes if you don’t have an account with the companies they claim to represent. But if you do have an account, and you have recently moved or cancelled a credit card, you might assume you are taking care of business by dealing with this quickly.

2b deactivation scares
Roger Grimes/Thinkstock

Deactivation scares: The solution

Every time you click on a link, look at the browser bar and see if matches exactly the one you would type in to go to your account. Better still? Make a habit of closing the email and typing the website address into your browser for anything like this.

3a look alike websites
Roger Grimes/IDG

Look-alike websites

If you followed a link like one from the last slide and looked at the website, you might have felt an instant moment of recognition and reassurance that you are in the right place. It has become very difficult to tell the difference between a phishing website and a real website. The fakes are accurate copies and they contain the real website’s URL as part of their own URL. But if you look at it carefully, you will see that the phish points to a different domain. But this is easy to miss when the website looks just like the real thing. This screenshot shows an example of a phishing email falsely claiming to be from a real bank.  Customers of Sun Trust might well fall for this phish because the site looks comfortingly familiar, even though the URL is phony.

Heck, even the financial institutions themselves can’t always tell the difference. Equifax – rather famously – sent out a link to faked version of its own site via Twitter in the aftermath of the its breach reveal. Twice!

3b look alike websites
Roger Grimes/Thinkstock

Look-alike websites: The solution

Always inspect the link the email is asking you to click to make sure it points to the legitimate domain, or go directly to the legitimate web site without clicking on the email link.

4a nigerian scam
Roger Grimes/Thinkstock

Nigerian scams

Officially known as “advanced fee frauds”, this phishing lure known became known as Nigerian scams decades ago because Nigeria’s fraudsters seem to attempt them far more often than any other country – at least per capita.

You might laugh at the bad grammar and outrageous scenarios proposed and wonder, “What sane person would fall for that?” But those elements are an intentional filter. The average Nigerian scammer sends out millions of fraudulent emails a day. And most of them are blocked and dumped by email users or their antimalware software. But the average email user is not the fish this scam is trying to catch. This lure is designed to intentionally target more susceptible victims. For some people, the silliness and mistakes are simply not a deterrent. And that’s the prize this phisherman wants.

Incidentally, responding to a Nigerian scam letter has little to do with intelligence. Nobel prize winners, CFOs, doctors, engineers, and people across the entire spectrum of human intelligence have become victims of this scam.

4b nigerian scam
Roger Grimes/Thinkstock

Nigerian scams: The solution

If it’s too good to be true (and free, unexpected money is) then it’s fake.

5a go directly to jail
Roger Grimes/IDG

Go directly to jail

Phishers know you have a guilty conscience and use it to snare you. Even if the thing you feel guilty about is not illegal, you can often be tricked into worrying that you have been caught. And nothing motivates someone to respond immediately and with uncharacteristic foolishness than the threat of jail. Thus, in the United States, phishing scams that use fake FBI warnings for illegal music downloading or watching pornography lead the way. Fake threats from the IRS for tax return issues are also very successful. These lures often come over the phone — perhaps to heighten the sense of urgency.

If someone claiming to be the government is insisting you pay them money immediately, this second, to avoid some horrible consequences, it’s fake.

Some people pay though they know they didn’t cheat on their taxes, watch porn, or download music. They just want the warning to go away – it won’t! – or assume someone else in the household is the culprit. Unfortunately, the fake penalty warnings that come in via email often deliver ransomware, which will completely lock up your computer until you pay.

Related: IRS scams 2017: What you need to know now

5b go directly to jail
Roger Grimes/Thinkstock

"Government" threats: The solution

Calm down and examine the warning. Are there any real details about the illegal activity? Probably not. The scams never have details like that.

6a tech support scams
Roger Grimes/IDG

Tech support scams

Tech support phishing scams come in over email. You stumble upon them on the web. Or they might come in over the phone. Wherever you find them, they are very convincing.

Often, they claim to be from Microsoft (like the one shown). The email or website contains official-looking toll-free numbers. But that is easy to spoof. Fraudsters just buy an 800 number and set up an internet messaging service that routes its calls wherever they want.

If you call, the ‘technician’ will ask you to install remote access and troubleshooting software. Not surprisingly, he will find lots of malware and misconfigured settings and he will sell you a software program to clean up the problem. Now the scammers have your credit card number. The confusing part of this is that real technical support people do all these same things. The key difference is how they found you. Has a real tech support person ever offered help before you knew you had a problem?

Related: Listen to an actual Microsoft support scam as it happened

6b tech support scams
Roger Grimes/Thinkstock

Tech support scams: The solution

Call a knowledgeable friend in the IT field or look up the legitimate company’s number and call them to confirm.

7a seo trojans
Roger Grimes/IDG

SEO trojans

One very common phishing scam tricks you into installing malicious software directly from the web by showing up at the top of your search results. This lure is called Search Engine Optimization (SEO) poisoning.

It works like this: You are having a technical problem and decide, quite intelligently, that the problem is a buggy driver. Or maybe you got an error message and searched Google with its wording to decipher what’s wrong. These are good strategies. But once in a while, you end up at a site that looks official and promises a quick solution. All you have to do is install the software it offers. The problem is that, this time, the code is malicious.

In this screenshot, I searched on a non-existent error code. The search engine returned its best match, which includes sites that will gladly sell me “fix-it” software. In this case, I know I have nothing to fix. Some of the links in this example might not be – in the strictest sense – malicious. Some are merely what people who fix computers for a living call “pest” software.

7b seo trojans
Roger Grimes/Thinkstock

SEO trojans: The solution

Always go to the vendor’s website for technical support you can trust.

8a craigslist monehy scams
Roger Grimes/IDG

Craigslist money scams

Fraudsters adore hunting for prey in personal ads and auction sites. But, by far, their favorite fishing hole is Craigslist. This isn’t because these places are evil. It’s because people show up at them, willing to click on links and exchange personal data and money.

On Craigslist, money scams happen in a variety of ways. But the most common one happens when you go there to sell. To your delight, a buyer appears immediately, offers to pay your full price – and shipping! That was easy. But it gets even better. They very trustingly offer to overpay if you will use their independent, trusted intermediary to handle payment and shipping costs. For this, they offer an overly large check. They ask you to remove your portion and forward the remainder to their intermediary.

Two days later, your bank returns the check your buyer sent because it’s bogus. Now you are on the hook for the fraudulent funds you sent off to the intermediary. Don’t assume your bank verified the check when you deposited it. It doesn’t.

8b craigslist monehy scams
Roger Grimes/Thinkstock

Craigslist scams: The solution

Craigslist users should follow all of Craigslist’s advice for thwarting scammers. Nearly every sad story on Craigslist could have been prevented by reading and following this list of recommendations.

9a save a friend
Thinkstock

Save a friend

This is an old con that keeps morphing with the times. Before the internet, fraudsters who like this genre called your house after you left and told whoever answered that you were in a car accident or had been arrested and need money quickly.

Today this game plays out on Facebook or email – a deep pool, full of phish for con artists. The scammers hijack a Facebook account or use social media to glean the details that will sell their story to you. Then they ask for money to save the relative, friend, etc. from some horrible consequence only your money can prevent.

These scams peak around disasters. For example, during the recent hurricanes, scam artists popped up all around asking for money to help people hurt by the disaster. The scammers know you might be worried about anyone in the disaster area. And that people in disaster areas might be too busy to notice their Facebook account has been hijacked.

If you send the con artists money, they will ask for more. In fact, they will keep asking until you give up and, realize it’s a scam. This type of scam is especially malevolent because it typically preys on the elderly, exploiting their relationship with their grandchildren.

9b save a friend
Thinkstock

Save a friend scam: The solution

Never send money to save someone without talking to them first. Pick up the phone. And ask them to answer a question only the real person would know off the top of their head.

10a wire transfer scam
Roger Grimes/IDG

Wire transfer scams

Still think phishing scams only work on un-sophisticated people with no technical experience? Well, ask yourself this: How did the world’s savviest corporate officers fall prey for a sophisticated version of the wire-transfer scam? In these cases, instead of measuring the stolen loot in hundreds or thousands of dollars, the FBI measured it in millions.

Google and Facebook were taken for over 100 million when a scammer installed software in their accounting departments to study their typical transactions, spoofed one of their contractors, and invoiced for millions. (Both companies say they spotted the scam and, with the help of law enforcement, recouped the stolen funds.) Some of the biggest companies in the world have been tricked this way. (In 2016, $3 billion was stolen by fraudulent money transfer schemes involving businesses). Most of them never see the money again.

10b wire transfer scam
Roger Grimes/Thinkstock

Wire transfer scams: The solution

Institute control procedures to prevent fraudulent wire transfers, including never wiring money to brand new locations without first verifying the legitimacy of the request and location. Keep the computers involved with wire transfers isolated, off the internet and off the normal corporate network.

11a work mules
Thinkstock

Work mules

Here is a pond that scammers love to phish: Job hunters. They offer work on job sites and social media that look so much like legitimate work that people caught by this often don’t know they are being conned. Thousands of people believe their new job, that they found on the internet is real work. It is real work, in once sense: They get paid for it. It just isn’t legal work.

These “employees” are part of a money laundering circuit. The criminals ask their employees — AKA money mules — to withdraw the funds the criminals deposited in the mule’s bank account and send it somewhere else, while keeping a percentage for themselves. Sometimes they also pay a salary. Some ask the ‘employee’ to convert the money to Bitcoin first. And some ask the employee to do other work to make this seem like a real job. These scams sometimes target teenagers who may not understand what’s going on or are participating out of fear of reprisal from the criminals. In all cases, the money mules risk their own credit and criminal charges.

11b work mules
Thinkstock

Work mules: The solution

If your job consists of sitting around in your underwear for most of the day cashing other people’s checks for a minor fee and then sending along the rest, it’s probably a scam. If you think you are a mule, break off contact with the scammers and contact a lawyer. If you’ve laundered money, you’re in legal jeopardy.

12a phone forwarding scams
Thinkstock

Phone forwarding scams

If your business is customer facing, such as a pizza shop, hotel, or other company that takes credit cards over the phone, you are a particularly tasty fish for this scam. Your phone rings. Someone answers it. The scammer convinces your employee to dial a set of numbers, giving an elaborate ruse as to why. In fact, that number sequence forwards your phone to theirs. (Or they find a sneakier way to forward your phone line.)

Once they are billing calls to your line, you are scammed. And this can be very expensive. But they can also scam your customers by taking calls intended for your business and collecting customer credit card numbers for payment in advance.

12b phone forwarding scams
Thinkstock

Phone forwarding: The solution

If someone calls you and asks you to push buttons on your phone to assist with something, don’t.

13a sms phishing
Thinkstock

SMS phishing

There was a brief time in history when cell phones were safe from spam and phishing. That time is over. Now we all get both spam voice calls (i.e., vishing) and SMS phishing, or smishing. Phishing via SMS isn’t crafty or realistic. But somehow people still fall for it. Most often, this is a standard phish. If you respond to the link, you get prompted to install trojan software. More rarely, you may be prompted to call a number, and that starts a social engineering “vish.” One common version of this is a text that claims your credit card has been compromised. When you call, it asks you to enter that credit card number. Oops. Scammed.

Even though these are amateur hour in the world of phishing, they are successful because the victim didn’t expect a scam to come in this way.

13b sms phishing
Thinkstock

SMS phishing: The solution

If the SMS message wasn’t expected and doesn’t make sense, ignore or delete it.

14a swatting
Thinkstock

SWATting

This type of phishing is very dangerous. Of all the phishing scams out there, this one is most likely to result in loss of human life. In a SWATting attack, the perpetrator spoofs the victim's phone number and uses that to call law enforcement. On the phone with the police, they fake a dire emergency, one that will get a massive police response, something like a mass murder, kidnapping, or bombing.

The victim finds his house surrounded by an armed SWAT team ready to take out violent perpetrators.

SWATting occurs around the world, often concentrated on professionals in positions of power, who earned the scorn of someone who was banned from a forum or game.

Award winning investigative cyber reporter, Brian Krebs has had so many SWATting attacks called into his home that local law enforcement agencies call him first to confirm before responding. Though, of course, the first time it happened a SWAT team surrounded his house, armed with rifles and automatic weapons.

14b swatting
Thinkstock

SWATting: The solution

Today, most law enforcement agencies are highly aware of SWATting attacks and how to detect them. But Krebs alerted his local police, in advance of the first attack, that he was a likely target.