Blog
Recent
Security Tips

Effortless Phishing Protection: How to Take Charge and Stay Ahead of These Five New Scams

Shireen StephensonPublishedOctober 11, 2021UpdatedJuly 30, 2025

You’ve heard it all: too-good-to-be-true tax refund emails, celebrity-endorsed offers for free, expensive cookware, and fake remote job offers

That would be phishing, part of a trillion-dollar cybercrime wave that came from humble beginnings.  

How did phishing start?

Some of the earliest hackers were known as phreaks who spent considerable time hacking phone systems. Their goal? To explore the technical aspects of telecom systems and make free long-distance calls. Many early phishers had this background in phreaking.

Thus, the “ph” in “phishing” combines “phreaking” and “fishing” to describe “fishing” for victims by luring them with digital bait. The use of “ph” is a direct homage to phreaker culture.

 

The first true phishing attacks appeared in the mid-1990s on America Online (AOL). Hackers, who were once phreakers, posed as AOL staff and used programs like AOHell to trick users into revealing passwords.

 

Combined with randomly generated credit card numbers, the passwords were used to open fraudulent AOL accounts and spam other users.

 

Both phreaking and phishing share a culture of social engineering – manipulating human behavior to access confidential data, financial assets, or system privileges.

Today, we’re going to pull back the curtain on the newest phishing scams (you’ll be ambushed by #3 when you least expect it), ways to stay safe, and how LastPass makes phishing protection effortless. Let’s start with a scam that’s tripping even the most cautious among us. 

#1 When you call “Netflix”: The new face of fake tech support 

Instead of setting up fake websites, attackers are now manipulating search engine ads to display their own phony customer service numbers. 

What makes this scam so easy to miss is that you’re never asked to trust a seedy-looking site or email link.  

Instead, the attackers leverage your trust in the world’s biggest brands (such as Apple, Netflix, Bank of America, Hewlett Packard, Facebook, and Microsoft) to get you to lower your guard. 

What you’re looking at is a search parameter injection attack and here’s how it works: When you Google “24/7 Netflix support,” the top result displays the brand URL. Clicking on it takes you to the actual corporate website. 

However, a phony support number is pre-populated in the search bar on the support page. And in the address bar, you’ll see suspicious characters like %20 and %2B next to a fraudulent number.  

If you call that number, you’ll connect to scammers asking for your login credentials and bank account number. 

Remember:

  • The success of search parameter injection attacks stems from websites failing to validate data appearing in URLs. So, if you see excessive %20 and %2B encoding next to a phone number in a URL, it’s a red flag. Whatever you do, don’t call the number you see. 
  • Don’t trust search results for contact numbers. Go directly to the company’s website (use the URL listed on monthly statements or official brochures). You can also connect via the official mobile app. 
  • Look for .bank in the URL instead of .com. A .bank in the URL is a visual cue of legitimacy: Only banks can deploy this URL, and it’s one that can’t be spoofed. 
  • Cross-reference any phone numbers with previous bills or trusted sources. 
  • A legitimate customer support agent will never ask for your passwords, credit card number, or other sensitive info.  

#2 School of hard knocks: How one email cost a school district $1.8 million 

This scam began with a phishing email sent to Broken Bow Public Schools in Nebraska. From all appearances, the email came from a trusted vendor who delivered services for a high school remodeling project.  

It included normal payment instructions and appeared credible. The attackers had clearly researched their target, including enough information about the project to bypass suspicion.  

Following the instructions, the staff made an ACH transfer in the amount of $1.8 million to the scammers. 

Although Broken Bow officials worked with the FBI, Nebraska State Patrol, and the U.S. Secret Service to recover nearly $700,000 of the stolen funds, the school is still grappling with a loss of $1.1 million. 

Remember:

  • The scam succeeded because staff had no safeguards or verification procedures in place for wire transfers. 
  • Broken Bow officials were able to recover a portion of the funds because the incident was reported quickly. A clear, easy-to-follow reporting policy allows for prompt communications with law enforcement, resulting in a quicker response. 
  • According to a study by KnowBe4, the average phish-prone percentage (PPP) or the rate at which employees fall for phishing scams is reduced by 86% after just 12 months of phishing awareness training. 

#3 Delete now or pay later: Inside the new DMV scam flooding phones across America 

If you’re one of 243 million licensed drivers in the U.S., you may be a target of this heartless scam. 

Here’s how it works: Scammers send urgent text messages warning about unpaid tolls, fines, or traffic violations.  

The messages threaten harsh penalties, such as suspension of your driver’s license, cancellation of your vehicle registration, a negative impact on your credit score, and even jail time – unless you pay up within a stated deadline. 

A link to a fake website is usually included, which you’re asked to enter into a browser. Some versions of the scam claim you can even “skip the line” to obtain a REAL ID, if you just submit your personal info and make a payment. 

In reality, all REAL ID applications must be made in-person at official DMV facilities.  

Remember: 

  • Never click on any links or respond to any texts or emails claiming to be from the DMV, especially regarding fines or demands for personal information. 
  • You’ll only get texts from the DMV if you sign up to get reminders for license or registration renewals. 
  • If in doubt, independently verify any claims directly with your local DMV office. Use official contact methods, not the numbers provided in the message. 

#4 Sky-high hopes, zero gain: The “passive profits” trap targeting your wallet 

If you’ve heard the buzz about digital asset investments like cloud mining, you may be drawn to the prospect of easy, premium gains. 

After all, what’s not to like about “earning money while you sleep”? 

But before you sign up, here’s the brutal truth: The probability of being scammed by such a digital asset platform is nearly 100%. 

In other words, the only thing these platforms are mining is your wallet. With cloud mining, you’re renting “mining equipment” or computational power from a third-party provider. The payoff for you is a share of any digital assets that are successfully mined (without you having to do any of the work). 

Like scam investments in “AI development,” you’re promised abnormally high returns. Many of these investments are actually Ponzi schemes, where your initial “returns” are funded entirely by unsuspecting new investors.  

Remember:

  • Investments involving securities must be registered with the SEC or state securities regulators. If you can’t verify registration, it’s almost certainly a scam. 
  • Real digital asset investment platforms will display clear contact info, registration, verifiable infrastructure, and any listing on public stock exchanges. 
  • Legitimate operations will never require withdrawal fees or taxes to access your funds. 
  • Testimonials from "investment gurus" on social media platforms like Telegram, Instagram, or WhatsApp are designed to manufacture excitement. Be wary of them, especially if they offer “guaranteed profits” with minimal or no risk. 

#5 Morphing Meerkat: The phishing kit that can identify your email provider and slip past your defenses 

Imagine getting an email that looks like it came from your email provider, bank, or even your favorite ecommerce site. 

The language, logo, and branding match everything you know about your favorite brand. You see no reason to be suspicious.  

But this is exactly what Morphing Meerkat scammers want you to think. 

Here’s how this scam works: Morphing Meerkat is a phishing-as-a-service kit that does something no other phishing kit has ever attempted: Use public DNS MX (mail exchange) records to determine who your email provider is.  

Once it has this information, it dynamically generates a fake login page, which will look identical to that of your provider. Currently, Morphing Meerkat can mimic the login pages of more than 114 email and service providers. 

And that’s not all. The phishing kit can also localize login pages in dozens of languages. So, whether you’re in Seoul or San Francisco, the login page will appear credible.  

This phishing attack starts with an email sporting an urgent subject line like “Action Required: Account Deactivation.”  

The intent is to pressure you to act quickly. If you click on the link in the email, you’ll be redirected to the fake login page. 

There, your email address will already be pre-filled. All you have to do is enter your password. The kit may even display an error message after your first login attempt, such as “Invalid password. Please enter the correct password.”  

The goal is to get you to re-enter your password so the attackers can confirm they have the right credentials. 

Once you do so, your password is sent to a server controlled by the attackers. The phishing kit will then re-direct you to the actual login page to preserve the illusion of legitimacy. 

Remember:

  • Never click on any link in an “urgent” email. Go directly to the actual website to verify the claims of the email.  
  • Enabling multi-factor authentication adds an extra layer of defense, preventing scammers from accessing your accounts even if they manage to steal your credentials.  
  • Using strong, unique passwords for every account is the easiest security upgrade you can make to protect your privacy, finances, and peace of mind.  

Get phishing protection for life with LastPass, a 2025 G2 Summer Report secure access provider  

You can’t spot every scam, but LastPass can be a valuable ally in your fight against phishing.  

With LastPass, you get: 

  • Military-grade AES-256 encryption: Banks. The U.S. Army. The NSA. All use AES-256 encryption. In fact, the NSA has approved AES-256 for protecting classified information up to the Top-Secret level.  What this means for you is confidence that your most sensitive information is locked away under security so strong, it’s virtually impossible for hackers to breach. 
  • Secure autofill: Our autofill works only on legitimate sites. This means your login credentials will never be entered on phishing sites, keeping you safe from phishing kits like Morphing Meerkat. 
  • 24/7 Dark Web Monitoring: LastPass works even when you sleep. If your email addresses are found compromised, you’ll get instant alerts. What this means for you is early warnings that let you act fast before identity thieves strike. 

But don’t take our word for it. See what our happy customers have to say: 

 

Ease of Use, Ease of Implementation, Ease of Integration. It is easy to input new passwords, cards, and other pertinent information for use on a daily basis. The cost is so affordable. It's very easy to integrate into browsers, and mobile devices are unmatched. Definitely would recommend 10/10. Has been my companion and friend in this digital age of uncertainty and where security is everything (David T, healthcare systems administrator)

It securely stores my passwords for the sites I visit. I love that it can autofill the username and password when I visit a site. Additionally, I like [the fact] that it generates strong passwords for me. It can also store passkeys and other sensitive information, such as credit cards and social security numbers. The app is very easy to use. (Lara K, senior manager of web development).

To enjoy award-winning phishing protection and greater peace of mind today, get your 30-day free trial of LastPass Premium now.  

Streamline and secure your digital life
  • Access passwords anywhere, anytime
  • Generate unique, strong passwords
  • Autofill and share with one click
  • Backed by expert threat intelligence
Try Premium free
key visual
Share this post via:share on linkedinshare on xshare on facebooksend an email
bg
Subscribe for the latest from LastPass blog

By subscribing, you agree to receive marketing communications regarding industry news and research, educational resources, and LastPass products and services. The processing of your personal data in accordance with the LastPass Privacy Policy. You can unsubscribe from marketing communications at any time.