Everyone Gets Phishing Attempts – Just Ask the Founder of WordPress

It’s not just you. Scams have been rampant since the early days of the Internet, but they’ve exploded in the last several years.

E-scams are vast, varied and constantly adapting to the security measures that professionals and everyday people put in place to protect themselves. One of the most enduring and common ways that scammers attempt to con people is phishing. It’s pronounced like “fishing,” although sadly this version involves identity theft rather than peaceful summer outings and trips on the lake.

Phishing, for the uninitiated, is the term that describes an immensely widespread type of social engineering where scammers and hackers attempt to gain access to users’ private accounts and devices through impersonation. Phishing scammers will impersonate a trusted friend or loved one, or impersonate legitimate companies, and will commonly ask you for usernames and passwords, or for you to initiate a type of connection that allows access to your personal accounts and data.

If you take a look at your E-mail spam folder right now, the odds are you’ll see at least a few suspicious E-mails in broken English purporting to be from major tech companies such as Apple, PayPal or Coinbase, claiming that “your account has been compromised” and telling you to “click on the link to reset your password.” These links are malicious, and the attackers’ end goal is to install viruses, malware or backdoors on your devices or to hijack your accounts. At that point attackers are free to pilfer your money or personal information, or hold the accounts or devices for ransom.

In a nutshell, this is the simplest form of a phishing attack, and it’s comparable to a Trojan horse. Part of what makes it almost impossible to safeguard against fully is that phishing targets human error rather than actual system or software vulnerabilities. All it takes is one slip-up or one oversight by the person being targeted, before they realize something is amiss, for the attack to succeed.

Phishing happens to be one of the most widespread and mass-produced types of cyberattack in the world. From the perspective of a scammer, devoid of any sense of ethics, morality or care for legality, there’s a cold, cynical logic to it. These attacks are incredibly easy to replicate, distribute and attempt on millions of people, especially in an era of automation and AI. Nowhere is this more evident than in the scope and scale of phishing attacks, which have exploded in the last decade.

The numbers tell the story: over 3.4 billion spam E-mails are sent every day, and Google blocks around 100 million phishing E-mails per day. Funnily enough, Millennials and Gen Z are the most likely to fall victim to phishing attacks – but before Baby Boomers start smirking, this is not a generational issue. If anything, scammers have gotten extremely skilled at tailoring phishing attacks to different “target audiences.” So, for example, Baby Boomers are more likely to receive an E-mail purporting to be a cute photo from their grandkids, while young Gen Z targets might be more likely to get an E-mail encouraging them to click through to a “contest” for free concert tickets.

It can be a deeply humiliating, mortifying and stressful experience when an attack is successful. Fixing the damage is expensive and scary, and it involves a ton of time and stress. Even when your defenses blunt an attack (even something as simple as a scam E-mail landing in your junk folder), it can be a deeply unsettling and vulnerable feeling to know that your Internet activity is actively being preyed upon like this.

That’s why this recent blog post from Matt Mullenweg caught my eye. Matt Mullenweg is the founder of web software company Automattic and one of the co-founders of its chief product, WordPress. That would be the same WordPress that powers more than 40% of the entire Internet and has become the standard for web publishing. As a result, Matt is a public figure in Internet tech and a widely read voice in web industry circles.

The blog post itself is Matt’s account of how he was targeted by a very sophisticated phishing scam. As he retells it, the initial stage of the attack was the scammers spamming password resets on his Apple account. That’s a fairly basic technique on its own, however worrying it can be, but the phishing attempt became much more elaborate:

What made the attack impressive was the next move: The scammers actually contacted Apple Support themselves, pretending to be me, and opened a real case claiming I’d lost my phone and needed to update my number. That generated a real case ID, and triggered real Apple emails to my inbox, properly signed, from Apple’s actual servers. These were legitimate; no filter on earth could have caught them.

This was then followed up by an actual call from a scammer masquerading as someone from Apple Support, ostensibly to follow up on the very case the scammers had opened in Matt’s name, during which he was directed to a replica of Apple’s website carrying the fatal phishing link. Matt caught on to the scam, at which point the scammer hung up without another word.

Matt’s full blog post is worth a read, and he also helpfully provided a video that includes the audio of the full call with the Apple Support imposter, which I’d strongly encourage listening to. What struck me was how calm, professional and knowledgeable the scammer seemed on the phone – something Matt notes in his own article.

There are some good takeaways here. The important thing to note is that phishing scams are rarely this elaborate or sophisticated when it comes to targeting everyday people. Matt Mullenweg is a tech leader who founded the most widely used CMS platform on the Internet, and for scammers there’s a cost-benefit analysis. This sort of sophisticated trap just isn’t worth attempting on anyone but high-profile business leaders, celebrities, politicians, or people who could have access to lots of sensitive or valuable data. This is why the phishing E-mails you receive tend to be the ones in broken English that are so slapdash they’re often stopped at the edge by Google’s spam filter.

It’s also a reminder that none of us are alone here. As scary as it can be to be targeted, even by a rudimentary scam that is being attempted on millions of other people at the same time, everyone is a potential target. There’s nothing embarrassing about being targeted, or even about initially wondering whether a scam could be legitimate. These scams are designed to trigger impulsive reactions, such as feeding you the idea that your system or E-mail is somehow compromised. The old classic “Call this number to get this virus on your PC removed” isn’t just for show – it’s one of the most basic methods of provoking a panicked response to make someone hand over their information to a scammer.

Scams are big business whether you’re a high-value target or not. The FTC reported losses to fraud amounting to $12.5 billion in 2024 alone – a spike from the previous year. One memorable story in the New York Times documented how scammers will even go as far as calling their targets “clients,” as bizarre and warped as that sounds. It’s an entire shadow economy that operates in the dark corners of the Internet, and the important thing to remember is how to protect yourself.

Matt provided some good specific points in his blog post. Some more general points to remember:

Turn on two-factor authentication on everything. There are scams that target multi-factor authentication, but it remains a critical defensive line against scams. Yes, it can be irritating – but the alternative is much worse.

Companies will never, ever ask you for your passwords. This is universal policy among companies and businesses. If anyone asks for a password or for you to input one, it’s a scam.

Check the E-mail sender. You’d be surprised at just how many very convincing E-mails from Microsoft or PayPal are actually random Hotmail or Yahoo E-mail addresses.

Get a second opinion. If you’re even slightly suspicious, run it by a trusted person or even a vendor. My clients frequently ask me about suspicious messages they’ve gotten – I always thank them for this when I point out scams.

Prevention is the best medicine, and knowledge is power. So take care of yourself, stay vigilant, and always be safe online.