Phishing – It’s No Longer About Malware

With Christmas fast approaching, expect to see an increase in the number of phishing attacks. Here are some of the most common phishing trends we are seeing.

Modalities

Traditionally, phishing was done through email. However, we have seen a dramatic shift in which messaging technologies are also being used, including Apple iMessage, WhatsApp, and standard SMS. Texting has become increasingly popular because many phones lack any type of filtering capability, which means the scams and attacks are far more likely to get through. Also, since text messages tend to be much shorter, with little context, it's much harder to confirm what is legitimate versus what is an attack.

Goals

Traditionally, the goal of a phishing attack was to get people to install malware on their computer. In today's world we are seeing three different goals of phishing attacks:

  • Passwords: One of the top goals we’re seeing is to get people to click on a link that takes them to a website that harvests their passwords. Once an individual’s credentials are stolen, cyber attackers can cause a great deal of damage while operating undetected.
  • Phone: An increasing number of phishing attacks have no link, but a phone number, as their point of attack. The cyber attacker's goal is to get the victim to call that number. Once the victim is on the phone, cyber attackers will use stories and emotion to pressure people into taking actions, such as giving up their passwords, purchasing gift cards, or transferring money from their bank accounts to accounts controlled by the attacker. Attackers have learned that while these attacks take a great deal more work, since they are not automated, they can be far more successful and profitable, as they can fool people out of their checking, savings, or retirement accounts, stealing their entire life savings.
  • Scams: Many phishing emails have no link or attachment. Instead, the messages are often very short and impersonate someone that the victim knows or trusts, such as their boss, a co-worker or a company with which they work or shop.

Common phishing indicators

We do not recommend that you try to learn about every different type of phishing attack and every lure possible. Instead, focus on the most commonly shared indicators and clues of an attack.

They are common in almost every phishing attack, regardless of whether it’s via email or messaging. The most common indicators include:

  • Urgency: Any email or message that creates a tremendous sense of urgency, trying to rush the victim into making a mistake. An example is a message from the government stating your taxes are overdue and if you don't pay right away you will end up in jail. Share this with your senior family members too: their children are safe, and they haven't been in a car wreck or arrested.
  • Pressure: Any email or message that pressures an employee to ignore or bypass company policies and procedures.
  • Curiosity: Any email or message that generates a tremendous amount of curiosity or is too good to be true, such as a notice of an undelivered UPS package or of an Amazon refund you are receiving.
  • Tone: An email or message that appears to be coming from a coworker or friend, but the wording does not sound like them, or the overall tone or signature is wrong.
  • Generic: An email that comes from a trusted organization but uses a generic salutation such as “Dear Customer” or “Dear” followed by your email address. If FedEx or Apple has a package for you, they will know your name.
  • Personal Email Address: Any email that appears to come from a legitimate organization, vendor or co-worker, but is using a personal email address like @gmail.com. This doesn't always apply, as I'm guilty of periodically sending from a personal address when I meant to use my business address, so go back to the other indicators.

With artificial intelligence apps being used to write a lot of the new emails, the old method of searching for spelling mistakes is no longer valid. As well, since many of the messages arrive via text, and few legitimate companies use their full domain name there but use shortened URLs instead, that indicator also fails.
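The indicators above that can be checked mechanically (urgency, generic salutation, personal address, plus the phone-number-with-no-link and gift-card patterns from the Goals section), as an added Python example that is not part of the original post. The phrase lists, the free-mail domains other than gmail.com, the function name and the sample messages are constructed assumptions; tone and curiosity still need a human reader.

```python
import re

# Phrase lists are constructed for illustration; tune them on your own mail.
URGENCY = re.compile(
    r"\b(urgent|immediately|right away|overdue|final notice|within \d+ hours?)\b", re.I)
PAYMENT = re.compile(r"\b(gift cards?|wire transfer|bank transfer)\b", re.I)
GENERIC = re.compile(r"^\s*dear\s+(customer|user|client|member|\S+@\S+)", re.I | re.M)
LINK = re.compile(r"https?://\S+|\bwww\.\S+", re.I)
PHONE = re.compile(
    r"(?<!\d)(?:\+?\d{1,2}[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)")
# gmail.com is the page's example; the other domains are assumptions.
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com"}


def indicators(sender, body, claimed_org=None):
    """Return the sorted indicator names found in one message.

    sender: address for email, or None for SMS/iMessage/WhatsApp.
    claimed_org: organization the message says it is from, if any.
    """
    found = set()
    if URGENCY.search(body):
        found.add("urgency")
    if PAYMENT.search(body):
        found.add("payment-request")
    if GENERIC.search(body):
        found.add("generic-salutation")
    # Goal "Phone": a number to call and no link at all.
    if PHONE.search(body) and not LINK.search(body):
        found.add("callback-number-no-link")
    # Claims to be an organization but is sent from a personal mailbox.
    if sender and claimed_org and sender.rsplit("@", 1)[-1].lower() in FREEMAIL:
        found.add("personal-address")
    return sorted(found)


# Constructed sample messages: (sender, body, claimed organization).
SAMPLES = [
    ("billing.dept@gmail.com", "Dear Customer,\nYour invoice is overdue. "
     "Pay immediately at http://example.test/pay", "Example Shipping Co"),
    (None, "Your account was charged $499. If this was not you "
     "call 555-010-0199 right away.", None),
    ("orders@example.com", "Hi Dana, your order has shipped. "
     "Track it at https://example.com/track/1", "Example Shop"),
]

if __name__ == "__main__":
    for sender, body, org in SAMPLES:
        print(sender or "(sms)", "->", indicators(sender, body, org) or "no indicators")
```

A hit is a reason to verify through a second channel, not a verdict; as the post notes for personal addresses, a single indicator can fire on legitimate mail.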

Bottom line: if you didn't order a package, don't click a link claiming you are getting a refund, a delivery request, etc. If in doubt, use a second method to follow up on a message you received. That is, if it wasn't expected, assume the worst and call to confirm. This even applies to people you know. They may have been compromised.

Remember the basics: urgency and pressure are the two most common tactics. NEVER give a credit card or get gift cards to resolve an issue raised by someone reaching out to you.

Finally, if you'd like more info, fill in the form below.

Stay safe and have a safe, enjoyable holiday.

Dave Bour
Desktop Solution Center