In part 2 of our Cyber Criminal Attack Strategies, we take a deep dive on the most common methods used by cyber criminals to gain access to sensitive data or funds.

Urgent Requests

Phishers aren’t afraid to use psychology to their advantage. These criminals know that impersonating an individual or organization and urging immediate action can be incredibly persuasive. Often, these types of attacks threaten loss, punishment or added risk.

People are more likely to respond to phishing attempts if emails appear to be pressing or if the victim believes they are in some sort of trouble. Common examples of this type of fakery include, but are not limited to, messages from angry bosses, late credit notices, cancelled memberships, compromised accounts, missed package deliveries and missing rent checks.

Emails like these may also appear as unsolicited requests to confirm account information or unexpected password reset requests, sometimes using your name in the body copy for added validity. The verbiage of these messages is often stern and will attempt to persuade victims to open attachments or reveal sensitive information.

When you get emails like these, it’s a good idea to follow up with the sender using a method other than email. For emails from companies, you should call the customer service number listed on an organization’s official website. During your conversation, ask if you were meant to receive the initial email.

Unexpected Refunds, Payments and Contests

The allure of free money and gifts is difficult to resist, and phishers know this. It is not uncommon for phishing emails to bait victims with the promise of refunds, bank account adjustments or tax refunds. In broader phishing attacks, spammers may even claim you have won or are eligible for a contest or prize. Unsolicited emails of this kind are usually a dead giveaway for phishing schemes.

In 2017, cyber criminals acting as the Canada Revenue Agency sent spam emails during tax season. These emails promised huge returns (some nearly $1,000) and were designed to trick users into clicking on a link to “transfer” the funds via a legitimate service—Interac. Experts noted that the emails were very convincing and included copies of the Bank of Montreal and Interac logos.

A good rule of thumb to keep in mind to avoid becoming the victim of these kinds of scams is to think before you respond. Chances are if you receive a message relating to a contest you didn’t sign up for or money transfers that seem out of place, the messages are fake.


Vishing is a form of phishing that uses phone systems and similar technologies. Users may receive an email, phone message or text (usually called smishing) that encourages them to call a phone number to correct some discrepancy.

Typically, attackers use a technique called caller ID spoofing to make the calls appear like they are coming from a legitimate phone number. If a victim calls a number in a vishing scam, an automated recording prompts them to provide detailed information, including credit card numbers, birth dates and addresses.

A pair of Romanian hackers were recently charged with scamming victims out of $18 million in an elaborate vishing and smishing scam. To carry out the scam, the hackers installed interactive voice response (IVR) software on remote computers. These computers then initiated thousands of automated telephone calls and text messages. 

The calls and messages appeared to come from a reputable financial institution, instructing victims to call a telephone number due to an account problem. When the victim called the number, they were prompted by the IVR software to enter their bank account numbers, PINs and other personal information.

To avoid falling for a vishing scam, never click links in a text message or respond to automated phone calls. Unless you were the one who initiated the call with a trusted source (e.g., calling a known customer service number or reaching out to a bank using the number listed on their website), you should never share personal information over the phone. If you ever feel uncomfortable with the questions someone is asking you over the phone, tell them. If it’s a genuine company, they should be able to provide different methods for contacting them, including setting up an in-person meeting at a legitimate place of business.


In case you missed part 1, keep reading to see our previous post on additional Cyber Criminal Attack Strategies.

Need help identifying phishing attacks? For an overview of its dangers and characteristics, download our FREE Phishing Attacks: A Cyber Security Guide for Employers & Individuals!