In early 2016, we published the blog article Your Ultimate Guide to Fending Off Phishing Attacks as a resource for anyone seeking to safeguard themselves against phishing techniques. However, as times change, so does the nature of cyberthreats. We have therefore updated our guide to cover other emerging threats such as smishing, vishing and social media phishing. Keep reading and learn how to identify and avoid these latest phish hooks!
Phishing, Spear-Phishing & Whaling
Phishing is the broad term for any attempt to trick victims into sharing sensitive information such as passwords, usernames, and credit card details for malicious purposes. The attacks themselves take a wide variety of forms and are often classified according to whom they target and how they are delivered. Some attacks are broadly directed at masses of people, while others are purpose-built for a single individual.
An unspecialized message sent to a large number of people is typically classified as a "mass" phishing attack. These emails generally will not refer to a person by name, or include any specific details about the recipient. Although the generalized nature of the message makes them easier to spot, these attacks can still be quite sophisticated and effective.
In a spear-phishing attack, a malicious hacker gathers detailed information about a specific individual, role, or organization in order to target the victim more convincingly. By including believable details, such as the victim's bank, favorite places, or job title, the attacker increases the likelihood of success.
A whaling attack is a spear-phishing attack on a high-profile target, such as a senior corporate executive. In this case, a phisher might use fraudulent documents, such as a fake subpoena, to get the victim's attention and drive them toward divulging privileged company information. This website has several excellent real-world examples of intercepted whaling emails.
Phishing, Smishing & Vishing
Fraudsters send phony emails that appear to come from valid sources in an attempt to trick users into revealing personal and financial information. Luckily, there are clues you can look for to quickly determine whether an email is likely to be a phishing attack.
Email Phishing Red Flags
To be effective, a phisher must consistently fool recipients into clicking a malicious link within the email. In general, people are much more apt to click links from someone they know. Using public resources like LinkedIn, phishers can easily determine the names and titles of a target's coworkers. With this information, it is relatively easy to craft a message that appears to come from a legitimate sender.
Unsure whether a message is legitimate? Reach out to the supposed sender over a channel you already trust, such as a phone number you already have or a chat with them in person, rather than replying to the message or using any contact details it supplies, and confirm that they actually sent it.
Embedded Malicious Files
Carefully screen any email that contains an attachment. Almost any file type that is opened by a program capable of running code or scripts (Office documents with macros, PDFs, archives, HTML pages and, of course, executables) can carry malicious content; a plain .txt file is the rare exception because it has no active content, although a double extension such as .txt.exe is still an executable. In general, only open attachments from senders you have verified as legitimate and absolutely trust. Take a look at this example, which uses a malicious PDF file to collect login credentials from unsuspecting users.
Email spoofing is the forgery of an email header so that the message appears to have originated from someone or somewhere other than the actual source. It is also possible to spoof links, as demonstrated in the graphic to the right: the visible text of a link can say one thing while its actual destination is somewhere else entirely. Not sure about a link? Hover your mouse over it to preview the URL it will take you to (on a phone, press and hold the link instead). If the preview doesn't match the visible text, don't click. Pay particular attention to the domain that actually owns the address, which is the part just before the first slash: a link to paypal.com.login-check.example belongs to login-check.example, not to PayPal.
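The red flags in this section are regular enough to check mechanically: a display name that borrows a trusted brand while the address sits on another domain, a Reply-To that points somewhere else, link text that shows one address while the href goes to another, a generic greeting, urgency language and a request for credentials. The script below is an added example, not code from the original post; it uses only the Python standard library, and the trusted-domain list, keyword lists and the two sample messages are constructed for illustration.

```python
"""Flag common email-phishing red flags in a raw RFC 5322 message.

Added example for this guide (not the original post's code). It parses a
raw message, then reports: a sender that claims a trusted brand without
being on that brand's domain, a Reply-To on a different domain, anchor
text that shows one host while the href goes to another, look-alike link
hosts, generic greetings, urgency language and requests for credentials.
TRUSTED_DOMAINS, the keyword lists and the sample messages are constructed.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: the brands this reader actually does business with.
TRUSTED_DOMAINS = ("examplebank.com", "paypal.com")
URGENCY_WORDS = ("immediately", "within 24 hours", "suspended", "urgent", "verify now")
SENSITIVE_WORDS = ("password", "social security", "credit card", "account number")
GENERIC_GREETINGS = ("dear customer", "dear member", "dear user", "dear valued")
# Anchor text that itself looks like a URL or hostname (with optional scheme/path).
LOOKS_LIKE_URL = re.compile(r"^(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:/\S*)?$", re.I)


def registrable(host: str) -> str:
    """Last two labels of a hostname: the part that identifies the owner
    (good enough for .com-style names; country-code suffixes need a
    public-suffix list)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def impersonates(host: str, trusted: str) -> bool:
    """True if host mentions a trusted brand without being that domain or
    one of its subdomains, e.g. paypal.com.account-check.example."""
    host = host.lower()
    if host == trusted or host.endswith("." + trusted):
        return False
    return trusted in host or trusted.split(".")[0] in host


class _Anchors(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def phishing_flags(raw: str) -> list:
    """Return a list of human-readable red flags found in the raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []

    # 1. Sender: display name or domain borrows a trusted brand it does not own.
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = from_addr.rpartition("@")[2].lower()
    for trusted in TRUSTED_DOMAINS:
        if trusted.split(".")[0] in (from_name + " " + from_dom).lower() and not (
            from_dom == trusted or from_dom.endswith("." + trusted)
        ):
            flags.append(f"sender '{from_name} <{from_addr}>' claims {trusted} but is not @{trusted}")

    # 2. Reply-To that redirects answers to a different domain.
    reply_dom = parseaddr(str(msg.get("Reply-To", "")))[1].rpartition("@")[2].lower()
    if reply_dom and registrable(reply_dom) != registrable(from_dom):
        flags.append(f"Reply-To goes to {reply_dom}, not {from_dom}")

    # 3. Links: visible URL text vs. real href host, and look-alike hosts.
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part is not None else ""
    anchors = _Anchors()
    anchors.feed(body)
    for href, shown in anchors.links:
        href_host = urlparse(href).hostname or ""
        if LOOKS_LIKE_URL.match(shown):
            shown_host = urlparse(shown if "://" in shown else "http://" + shown).hostname or ""
            if registrable(shown_host) != registrable(href_host):
                flags.append(f"link text '{shown}' but href points to {href_host}")
        for trusted in TRUSTED_DOMAINS:
            if impersonates(href_host, trusted):
                flags.append(f"link host {href_host} imitates {trusted}")

    # 4. Wording: generic greeting, urgency, requests for sensitive data.
    plain = re.sub(r"<[^>]+>", " ", body).lower()
    if any(g in plain for g in GENERIC_GREETINGS):
        flags.append("generic greeting")
    if hits := [w for w in URGENCY_WORDS if w in plain]:
        flags.append("urgency language: " + ", ".join(hits))
    if hits := [w for w in SENSITIVE_WORDS if w in plain]:
        flags.append("asks for sensitive data: " + ", ".join(hits))
    return flags


# Constructed sample: a phish that impersonates PayPal on a look-alike domain.
PHISH = """\
From: PayPal Support <security@paypal.com.account-check.example>
Reply-To: recover@mailbox-relay.example
To: victim@example.org
Subject: Your account has been limited
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Customer,</p>
<p>Unusual activity was detected. Verify your password within 24 hours or your account will be suspended.</p>
<p><a href="https://paypal.com.account-check.example/login">https://www.paypal.com/signin</a></p>
</body></html>
"""

# Constructed sample: a legitimate notice from the bank's real domain.
LEGIT = """\
From: Example Bank Alerts <alerts@examplebank.com>
To: victim@example.org
Subject: Your monthly statement is ready
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Hello Jordan,</p>
<p>Your statement is available. Sign in at <a href="https://www.examplebank.com/statements">www.examplebank.com</a> as usual.</p>
</body></html>
"""

if __name__ == "__main__":
    for label, sample in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(label, phishing_flags(sample))
```

Run it and the constructed phish produces seven flags (sender, Reply-To, mismatched link text, look-alike link host, greeting, urgency, credential request) while the legitimate notice produces none. The checks are deliberately simple string and hostname comparisons; `registrable` takes the last two labels, which is fine for .com-style names but would need a public-suffix list for addresses such as example.co.uk.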
Smishing: SMS-based Phishing
SMS, or Short Message Service, is the technical term for what we generally call text messaging. In a smishing attack, a fraudster sends phony texts in an attempt to con the recipient into divulging private information or infecting their phone with malware.
Smishing Red Flags
Non-Cell Phone or Unknown Numbers
Spoofing is not limited to email: smishers can spoof the sending phone number too, so do not rely on Caller ID to verify who is on the other end of a text message. Unsure whether a message is legitimate? Do not call or text the number in the message. Instead, contact the organization the sender claims to represent through a number you already have, such as the one on the back of your card or on its official website.
Beware of links sent in text messages from unverified sources, as they can send your phone to malicious websites. As with email addresses and phone numbers, these links can be "spoofed" to disguise their true destination, and a shortened URL gives you no way to see where it leads before you tap it.
Any unsolicited message asking you to take some kind of action should be treated as a red flag. In general, the legitimate businesses and organizations we deal with do not make important customer inquiries via text message. The best course of action is to verify the message through another channel. For example, suppose you receive a text from a number claiming to be your bank, asking for your login information to correct an "error with your account". Your name is spelled correctly, and for the most part the message appears genuine. Instead of responding to the text, call your bank on the number you already have and speak to a representative. They will quickly determine whether the message was legitimate. Finally, use this opportunity to report the suspicious text to the bank.
2-Factor Authentication Spoofing
Commonly referred to as 2FA, two-factor authentication is an authentication process in which the user provides two factors to confirm their identity, typically a password followed by a one-time code sent to their cell phone.
Two-factor authentication makes it harder for attackers to gain access to a person's devices and online accounts, because knowing the victim's password alone is insufficient to pass the authentication check. Unfortunately, some fraudsters have found ways to trick victims into revealing the 2FA codes they have received, as demonstrated on the right: the attacker, who already has the password, triggers a login, and when the code arrives on the victim's phone a text or call urges them to "confirm" or "cancel" by sending it back. A code sent to your phone is meant to be typed by you into the site or app you opened yourself; no legitimate company will text or call to ask you to read it back. Never respond to unsolicited texts asking for personal or confidential information, and treat a request for a code as a sign that someone else already has your password.
Vishing: Voice-based Phishing
Vishing (voice or VoIP phishing) is an electronic fraud tactic in which individuals are tricked into revealing critical financial or personal information to unauthorized entities over the phone.
Vishing Red Flags
As with email, personalized phishing calls are more convincing to would-be victims, and thus more effective for the fraudster. It is standard practice for vishers to scan a victim's social media presence before calling, looking for details that can help pressure the victim into revealing valuable personal information. Remember, simply because a caller knows your personal details does not mean the call is legitimate.
Persuasive Phone Tactics/Fear Tactics
Never trust a caller who contacts you with threats and fear tactics. Unless you have verified the caller's identity and feel comfortable speaking to them, never reveal personal information to a stranger over the phone, at any time, for any reason. If you want to check a claim, hang up and call the organization back on a number you looked up yourself, not one the caller gave you.
"IRS Agent" Vishing Schemes
Cybercriminals love tax season! Every year, hundreds of people fall victim to vishers posing as IRS agents. Under the pretense of investigating the victim's tax return, the visher attempts to extract financial information and/or cash from the victim. The real IRS initiates contact by mail, not by an unexpected phone call demanding immediate payment.
Want more information on IRS vishing? Check our blog article on the topic from earlier this year. The IRS has also set up a page with information about fraudulent IRS messages and how to identify and report them.
Social Media Phishing
Scammers increasingly use social media as a platform to trick individuals out of valuable personal information.
Social Media Phishing Red Flags
On social media sites, a key ingredient of a successful phishing attack is already in place: trust. Users receive messages from people or services they are familiar with (a site's support team, a known group, a friend, etc.). Scammers exploit that trust by contacting victims from replica profiles, even going so far as to imitate support agents. Have you received a message that seems out of character for the person supposedly sending it? Text or call your friend through a channel outside that platform and ask whether they really sent it.
How do you know when a support message is legit? Facebook has created a page to help users identify if a given support message is legitimate.
Look twice before clicking any link in your social media feed. Ask yourself: do I know the poster? Is this content relevant to me? Are they asking for my personal information? These are the red flags to watch for when exploring links on social media.
6 Ways to Avoid Phishing Attacks
1. Learn to Identify Suspected Phishing Emails:
We've listed a few red flags below. Keep an eye out for these when reading your email:
- Requires urgent, immediate action be taken by the reader
- An unofficial “from” address—it may be similar to, but not exactly the same as, a company’s official email address
- Generic Greeting such as “dear customer” or “dear member”
- Spelling errors, poor grammar, or inferior graphics
- Requests for your personal information such as your password, Social Security number, or bank account or credit card number
2. Never email personal or financial information, even if you are close with the recipient
3. Do not click on links, download files, or open attachments from unknown email senders
4. Check pop-ups carefully:
- Is this simply a newsletter subscription box, or am I being asked to follow a link I don't recognize? Keep an eye out for the difference!
- Do not copy web addresses into your browser from pop-ups
5. Ensure your antivirus system is up to date
6. Check your online accounts and bank statements regularly for fraudulent activity
How To Report Phishing Emails to The FBI
If you suspect you have received a phishing email, forward it to the Federal Trade Commission's phishing-reporting address and to the company, bank, or organization impersonated in the email. You can also report it to the Anti-Phishing Working Group, which includes ISPs, security vendors, financial institutions and law enforcement agencies and uses these reports to fight phishing. If you have unfortunately fallen prey to a phishing attack, file a report with the Federal Trade Commission at www.ftc.gov/complaint and visit the FTC's Identity Theft website to find steps you can take to minimize your risk.
Stay off malicious hackers' cyber hooks by keeping a wary eye on your inbox, reporting anything suspicious, and deleting it before it can wreak havoc on your network.
What are your experiences with phishing attacks? What tactics, if any, do you use to avoid them? Comment in the section below.