6 phishing schemes to watch out for - a16z crypto

Security expert Matt Gleason from a16z crypto examines six sophisticated phishing attacks that target individuals and organizations through deceptive tactics.

Phishing remains the most common cyberattack, with criminals using increasingly sophisticated methods to steal personal information, passwords, and financial data. These attacks exploit trust in familiar services, social engineering tactics, and emerging technologies like AI to deceive victims. From fake Google security alerts to malicious job recruitment schemes, attackers are constantly evolving their techniques to bypass traditional security measures.

• Google alert scams use fake investigation notices hosted on legitimate Google subdomains to harvest login credentials
• Poison ad campaigns place malicious advertisements in search results that redirect users to fraudulent login pages
• Recruitment fraud involves fake job interviews that install malware through coding challenges or hire malicious actors as employees
• Email thread hijacking tricks users into sending money by replacing legitimate recipients with fraudulent accounts mid-conversation

The article emphasizes that passkeys provide the strongest defense against credential theft, as they use cryptographic signatures tied to specific domains. Additional protection strategies include using separate devices for untrusted software, carefully vetting job candidates, always verifying email addresses before taking financial actions, and sanity-checking AI outputs to prevent prompt injection attacks.