Top Ten Phishing Nightmares: The Haunting Realities of 2024 

With cyberattacks on the rise and the nights growing darker, it’s time to recount some tales of phishing nightmares. Phishing attacks evolved to strike businesses big and small throughout 2024, and as Cybersecurity Month coincides with Halloween, we’re reflecting on a year’s worth of incidents and what to learn from them.

From targeted scams to widespread campaigns honed with the latest AI innovations, phishing attacks catch executives off guard. They lure even the most tech-savvy teams astray, and overwhelm defenses with scale and sophistication. Learning more from this year’s phishing campaigns, successful or disastrous depending on how you look at them, helps you stay ahead of emerging trends and prepare for the next wave of attacks. 

1. Spooky CEO scams 

In 2024, email phishing took a sinister turn as cybercriminals doubled down on using AI to target chief executives. One shocking case involved the CEO of the world’s largest advertising firm, as reported by The Guardian. Scammers created a fake email address and WhatsApp account using a public image of the CEO. They used these assets in tandem to set up a Microsoft Teams meeting. During the call, they deployed a voice clone and manipulated YouTube footage to convincingly impersonate the executive to the executive’s own inner team. Thankfully, the team unmasked this attack at the last second, pulling major financial losses back from the brink.

Phishing revolves around masking and coercion, like a twisted form of trick or treating. In the business world, cybercriminals mask their identities to cause real harm. Businesses must stay vigilant during the holiday season and beyond, learning from recent attacks and looking ahead to anticipate the next deceptive tactics. Tracking the rise of AI-generated content and dangerous domains helps us catch scammers impersonating brand leaders and high-profile targets. 

2. Phantom fake site phishing scams 

Cybercriminals exploit fake phishing websites to scam consumers, combining fraudulent luxury goods with advanced phishing tactics. They create lookalike domains that imitate legitimate brands, luring customers into trusting their sites and making purchases. This deceptive strategy surged throughout 2024, with thousands of fake shops popping up across the web. 

In just one case this year, scammers duped over 800,000 people in Europe and the US. Victims shared credit card details and personal information through deceptive fake shop networks. Many of these networks operate from China, using phishing emails and social media ads to direct victims to counterfeit sites. Once there, victims unknowingly provide sensitive data, believing they’re purchasing legitimate products. Pushing fake, dangerous goods, criminals steal personal details, jeopardize customer safety, and discredit legitimate brands.

3. Scary social media scams  

Imagine being approached by a LinkedIn sales rep offering a great deal, only to discover it’s a phishing scam. Cybercriminals set up fake accounts impersonating trusted brands or colleagues, luring victims with too-good-to-be-true deals. This tactic doesn’t just affect text-based platforms like X but extends to video channels like YouTube and TikTok, where scammers impersonate influencers using doctored clips. In 2024, a major cosmetics brand lost millions when a phishing campaign targeted its customers through deceptive Instagram outreach, and they’re not alone.

During Halloween and beyond, cybercriminals thrive on this sense of trickery. Businesses must combat these threats by sweeping relevant social media channels for impersonations and attacks. Regular monitoring allows companies to identify and remove fake accounts quickly. By catching and eliminating these threats early, organizations shield their brand reputation and protect customers from falling victim to these scams year-round.

4. Creepy campaigns: Paid advertisement phishing 

Phishing attackers also leverage pay-per-click campaigns on platforms like Google Ads to direct users to fraudulent websites. Cybercriminals create ads that pose as legitimate customer support or product pages, tricking unsuspecting users into handing over sensitive information. Many global companies report incidents of customers falling victim to these scams. In the UK alone, fraudsters stole £2.3 billion last year, doubling the amount lost in 2022.

Research shows that platforms like Meta host multiple copycat ads impersonating major retailers, particularly during peak shopping seasons like Black Friday. Scam advertisements targeting well-known brands attempt to lure victims to bogus sites to extract payment details. Additionally, sponsored videos on YouTube and TikTok feature individuals offering unregulated investment advice. Fraudulent ads can even lead to fake news articles that misuse celebrity endorsements to promote dubious schemes. Despite community warnings, these ads often remain live, highlighting the ongoing challenges in combating ad phishing. 

Brands must remain vigilant in checking for content that impersonates their identity and threatens their customers. Regular monitoring of advertising platforms like Google, Meta, YouTube, and TikTok for unauthorized ads is crucial to swiftly identify and report these scams. Implementing proactive measures to educate customers about potential phishing risks also helps safeguard their interests. By fostering awareness and vigilance, brands can protect their reputation and ensure a safer online environment for their audience. 

5. Boo! Business Email Compromise (BEC)  

Business Email Compromise (BEC) wreaks havoc on businesses worldwide. Attackers gain access to executive email accounts and direct employees to wire company funds to fraudulent accounts. This year, a global tech company lost over $10 million due to a well-coordinated BEC phishing attack. The FBI also recently reported that BEC fraud ranked as the second most damaging type of internet crime, resulting in a staggering $2.9 billion in losses across various sectors. 

BEC scams often involve compromised vendor email accounts or phishing emails that steal the login information of individuals with access to company funds. In one alarming case, cybercriminals stole about $60 million from a leading supplier of carbon products after tricking an employee into making several wire transfers. To combat these threats, businesses must regularly check for phishing domains that impersonate their communications and have live MX records, since a lookalike domain that can receive and send mail is ready for use in BEC. Implementing strict verification processes for financial transactions and enhancing employee training on recognizing phishing attempts can significantly reduce the risk of falling victim to BEC attacks.
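The lookalike-domain sweep mentioned above (and the lookalike shop domains in section 2) can be automated in a few dozen lines. The following is an added example, not code from the original post and not EBRAND’s tooling: it generates common lookalike variants of a brand domain (character omission, transposition, repetition, simple homoglyph swaps and a few TLD swaps) and flags the variants whose DNS currently has an MX record. The DNS lookup is injected as a callable so the module runs offline; the default resolver uses a constructed sample table, and the function names, the homoglyph list and the sample data are all assumptions.

```python
"""Lookalike-domain sweep with an MX check (added example, not EBRAND's code).

A lookalike domain that publishes an MX record can receive and send mail,
which is exactly what a BEC or vendor-impersonation campaign needs, so MX
presence is a useful triage signal when monitoring a brand's namespace.
"""
from typing import Callable

# Assumed, deliberately small homoglyph table; real monitoring tools carry
# far larger tables including Unicode confusables.
HOMOGLYPHS = {
    "o": ["0"], "l": ["1", "i"], "i": ["1", "l"], "e": ["3"],
    "a": ["4"], "s": ["5"], "m": ["rn"], "w": ["vv"],
}
ALT_TLDS = ["com", "co", "net", "org", "io"]


def lookalikes(domain: str) -> set[str]:
    """Generate lookalike variants of `domain` (label.tld), excluding the original."""
    label, tld = domain.lower().split(".", 1)
    variants: set[str] = set()
    n = len(label)
    for i in range(n):
        variants.add(label[:i] + label[i + 1:])                  # omission: exmple
        variants.add(label[:i] + label[i] * 2 + label[i + 1:])   # repetition: exaample
        if i + 1 < n:                                            # transposition: exampel
            variants.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
        for sub in HOMOGLYPHS.get(label[i], []):                 # homoglyph: examp1e, exarnple
            variants.add(label[:i] + sub + label[i + 1:])
    out = {f"{v}.{tld}" for v in variants if v and v != label}
    out |= {f"{label}.{alt}" for alt in ALT_TLDS if alt != tld}  # TLD swap: example.co
    return out


def sweep(domain: str, has_mx: Callable[[str], bool]) -> list[str]:
    """Return the lookalike variants of `domain` that currently have an MX record."""
    return sorted(v for v in lookalikes(domain) if has_mx(v))


# Constructed sample DNS data so the example runs offline: name -> MX hosts.
SAMPLE_MX = {
    "examp1e.com": ["mail.examp1e.com."],
    "exarnple.com": ["mx.exarnple.com."],
    "example.co": ["mx.example.co."],
    "exampel.com": [],  # registered but no mail setup: not flagged
}


def sample_has_mx(name: str) -> bool:
    """Offline stand-in for a DNS MX lookup, backed by the constructed table."""
    return bool(SAMPLE_MX.get(name))


# For a live sweep, swap in a dnspython-backed resolver (pip install dnspython):
#   import dns.exception, dns.resolver
#   def live_has_mx(name: str) -> bool:
#       try:
#           return len(dns.resolver.resolve(name, "MX")) > 0
#       except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer,
#               dns.resolver.NoNameservers, dns.exception.Timeout):
#           return False


if __name__ == "__main__":
    for hit in sweep("example.com", sample_has_mx):
        print(f"lookalike with live MX: {hit}")
```

Only the variants that both exist in DNS and carry an MX record are reported, which keeps the output short enough to review by hand; a registered lookalike without mail setup still deserves a watch-list entry, but the mail-capable ones are the immediate BEC risk.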

6. Foreboding phishing as a service 

Phishing as a Service (PaaS) platforms effectively democratized complex attacks in recent years. Making potent technical toolkits accessible to anyone, including non-technical criminals, lowers the barriers to entry for the most sophisticated phishing techniques imaginable. Recent data highlights large-scale phishing kits targeting Fortune 500 companies, causing widespread damage and financial loss. 

One notable emerging platform, Mamba 2FA, focuses on Microsoft 365 accounts through account takeover via adversary-in-the-middle (AiTM) attacks. Cybercriminals can access Mamba 2FA for just $250 per month, making it one of the most competitive and rapidly growing phishing platforms. As PaaS platforms continue to evolve, businesses must remain vigilant and implement robust security measures to counter these emerging threats.

7. Diabolical deepfakes 

Deepfake technology presents a chilling challenge for businesses, enabling cybercriminals to create convincing dupes of a company’s most trusted allies. In a recent case, attackers tricked one finance worker into authorizing a $25 million payment after a deepfake impersonated the company’s chief financial officer during a video call. 

To combat these emerging threats, businesses must implement robust facial recognition systems and monitor brand-related content across digital channels. By employing AI-driven tools that detect discrepancies in visual identity and verify communications, companies can proactively identify and eliminate phishing threats, protecting their assets and reputation from malicious deepfake schemes. 

8. Cryptic customer support phishing 

Cybercriminals exploit online platforms by creating fraudulent customer support channels, including deceptive ads on popular search engines. Victims seeking assistance often find themselves sharing personal and financial information, leading to significant data theft. Recently, a leading global electronics company reported millions in losses due to such scams. 

According to recent reporting, fraudsters impersonate airline customer service representatives on social media platforms, targeting unsuspecting customers. These scam accounts request sensitive information like phone numbers and booking references. Once they catch a target’s eye, their messages direct victims to phishing sites that harvest card details. Businesses must actively monitor for fake support channels and implement verification processes to authenticate customer interactions. 

9. Harvesting horrors: Phishing attacks steal credentials 

This year, we also witnessed a spike in attackers stealing and weaponizing login credentials. Attackers create convincing fake login pages for popular business tools like Microsoft 365 and Slack, then sell the harvested credentials online. Recently, a prominent law firm reported a breach where cybercriminals harvested employee credentials and sold them on the dark web. Modern attackers also start with stolen details, then use those details to build a whole new campaign. In the UK, malicious actors also targeted a firm that connects ambulance drivers with the NHS. Buying login details that had floated around the internet unchanged for years, the attackers used those credentials to bring a vital, life-or-death service to its knees.

Other examples include the state-backed hacker group APT28, which recently launched credential-harvesting campaigns across Europe. The group utilizes malware to exploit login vulnerabilities. Recent law enforcement efforts disrupted a botnet associated with APT28, which targeted high-profile entities. Their targets included the Ukrainian Ministry of Defence and European railway infrastructure. This situation highlights the escalating threat posed by sophisticated phishing operations. 

10. Cursed content phishing

Content phishing attacks evolved throughout 2024, infiltrating blog posts, fake customer service portals, and cloned websites. Cybercriminals now mimic major e-commerce platforms, leading unsuspecting customers to phishing pages disguised as legitimate services. This tactic exploits user trust, as victims often believe they are interacting with genuine brands. 

These deceptive strategies threaten businesses and consumers alike, making it imperative for brands to stay vigilant. Digital Risk Protection platforms help combat content phishing, sweeping the web for terms that match your brand. By searching, detecting, and eliminating threats, you’ll catch content phishers in the act. By monitoring online content, these platforms can identify fraudulent websites and posts before they deceive potential customers. Protecting brand reputation also safeguards customer data against increasingly sophisticated phishing schemes. 

Conclusion 

As we’ve learned, phishing attacks have grown more dangerous and costly in 2024. Cybercriminals made their tactics more complex, combining everything from paid Instagram ads to deepfaked CEOs. Going forward, brands face attacks from all relevant platforms, including Google and Meta channels, emails, Teams calls, and more. These wide-ranging, eerie threats demand comprehensive solutions. Shine a light on your threat landscape this festive season with a free brand audit, and see what’s behind the mask. Don’t let phishing threats haunt your business—partner with experts to stay one step ahead.
