We’ve all seen those emails pushing amazing offers that seem too good to be true, dire warnings that your computer has been compromised, or even threats of jail time if you don’t pay your back taxes right away.
Those are all common pitches from online scammers trying to get you to panic and click on a link you shouldn’t, hand over money or personal information, or download an attachment that turns out to be a computer virus.
But new research shows that those common pitches may have just become too common to be effective, leading more cybercriminals to take a different approach.
Kendall McKay, strategic lead for cyber threat intelligence at Cisco’s Talos division, says that for a long time, phishing emails featured attention-grabbing subject lines that included phrases like “urgent request” or “payment overdue,” but many of the phishing emails spotted by Cisco’s systems last year included relatively benign subject line terms like “request,” “forward” and “report.”
“They probably know that we’ve caught on to this and the tricky, sensational email isn’t going to work anymore,” McKay said. “So they’ve moved towards these benign words, which are likely to show up in your inbox every day.”
The analysis of phishing email subject lines was included as part of Cisco’s Year in Review report, which looked at the threats the company’s customers faced in 2024.
McKay, one of the report’s authors, said that while email phishing may seem dated in an age of artificial intelligence and other advanced technologies, cybercriminals keep doing it because it works.
Whether they’re going after one of the world’s biggest companies or just an everyday person, the attackers continue to impersonate well-known consumer brands, hoping they’ll get as many people as possible to bite.
Some of the brands most impersonated in phishing emails blocked by Cisco’s systems last year include Microsoft Outlook, which by itself accounted for 25% of the total, along with LinkedIn, Amazon, PayPal, Apple and Shein, according to the Talos report.
Admittedly, while that’s not exactly breaking news these days, McKay says she thinks it’s still important to talk about. Phishing remains a significant threat, she says, especially when it’s supercharged by AI tools that allow attackers to efficiently craft more sophisticated scam emails at a larger scale than ever before.
“Phishing is still prominent, phishing is effective, and phishing is only getting better and better, especially with AI,” McKay said.
What does phishing look like?
Emails, texts and social media posts that you didn’t ask for. If a person or a company reaches out to you and you didn’t contact them first, you should probably ignore it. It doesn’t matter if it’s an email saying that your Windows subscription has expired, a text from your bank saying that your account has been compromised or a post on Instagram pushing a great deal on designer sunglasses. Don’t click on any links or download any attachments. Instead, go straight to the bank or company’s website.
Scammers are targeting the unemployed. If a “recruiter” reaches out to you, only send your personal information to the company you’re applying to. Any unsolicited job offer that looks too good to be true should be treated as such.
Requests for payment in gift cards or cryptocurrency are red flags. These are the preferred payment methods for cybercriminals, because they largely can’t be traced and can be liquidated easily. The IRS, for example, won’t take payment for alleged back taxes in either of these forms. On a related note, the IRS also won’t contact you by email, text or phone. They work exclusively by snail mail.
Digital declarations of love. Romance scams accounted for $384 million in reported losses in the first nine months of 2024, the most recent figures available, according to the Federal Trade Commission. The email might come from a woman who says she’s trying to escape the war in Ukraine or a guy serving in the military who just thinks you’re cute. Regardless, if they can’t meet you in real life for whatever reason, be very skeptical. The same goes if they ask for gift cards or crypto.
Charity scams are a thing, too. Like romance scams, these scammers are looking to take advantage of people with big hearts. They’ll say they’re looking for donations to help victims of the latest natural disaster or war or to support what looks like a legitimate aid organization. Donate only to verified and established charity groups. Go straight to their websites or connect to them through a trusted source.
How can I protect myself if I think I’ve been phished?
Use good antivirus software and update everything. A big part of antivirus software’s mission is to filter out spam and scam emails and stop malware that might be attached to them. But AV can’t stop threats it doesn’t know about, so make sure that yours is updated constantly to stay on top of all the new ones. Meanwhile, updating your devices’ operating systems and apps will fix bugs that cybercriminals could potentially exploit.
Great passwords are a must. If your email account gets compromised, it could be used to swindle your contacts out of their money or identities. It also could be used to help reset the password for your financial and other super-sensitive accounts. As a rule, passwords should be long (at least 12 characters) and unique (password123 is always a bad idea). Resist the temptation to reuse them, even if you think they’re really good. If juggling that many complex passwords feels too challenging, password managers can help.
Two-factor authentication is a no-brainer. Even the best passwords can be cracked. Two-factor authentication will go a long way toward protecting you if that happens. It requires a second form of authentication like a biometric indicator, push notification sent to your phone or the connection of a physical key, in addition to your password. But avoid the SMS text version of this. While it’s rare, phones can be SIM swapped, allowing cybercriminals to intercept those texted codes.
Think about a credit freeze. If you think that your Social Security number or other super-private details have been compromised, freezing your credit will prevent cybercriminals from taking out loans in your name or otherwise using that information for identity theft. Some security experts recommend freezing the credit of children until they need to use it since identity theft committed against them can often go unnoticed.