Phishing, Spear-Phishing, and Scams—Oh My!

We have enough going on in our lives, we don’t need to let cybercriminals get the better of us. In this month’s blog we will look at phishing (pronounced ‘fishing’), Spear-Phishing, and scams—what they are and how you can overcome them.

Phishing

Phishing is a cybercrime in which a target (or targets) is contacted by email, telephone, or text message by someone posing as a legitimate institution to lure the individual into providing sensitive data such as personal information, banking or credit card details, and passwords. The information is then used to access important accounts and can result in identity theft and financial loss. Other than email and website phishing, there’s also ‘vishing’ (voice phishing), ‘smishing’ (SMS or Text Phishing) and several other phishing techniques cybercriminals are constantly coming up with.

Common Features of Phishing Emails:

• Too Good to Be True: Lucrative offers and eye-catching or attention-grabbing statements are designed to attract people’s attention immediately. For instance, they claim that you have won an iPhone, a lottery, or some other lavish prize. Just don’t click on any suspicious emails. Remember that if it seems too good to be true, it probably is!
• Sense of Urgency: A favorite tactic amongst cybercriminals is to ask you to act fast because the super deals are only for a limited time. Some of them will even tell you that you have only a few minutes to respond. When you come across these kinds of emails, it’s best to just ignore them. Sometimes, they will tell you that your account will be suspended unless you update your personal details immediately. Most reliable organizations give ample time before they terminate an account and they never ask patrons to update personal details over the Internet. When in doubt, visit the source directly rather than click a link in an email.
• Hyperlinks: A link may not be all it appears to be. Hovering over a link shows you the actual URL where you will be directed upon clicking on it. It could be completely different or it could be a popular website with a misspelling, for instance www.bankofarnerica.com – the ‘m’ is actually an ‘r’ and an ‘n’, so look carefully.
• Attachments: If you see an attachment in an email you weren’t expecting or that doesn’t make sense, don’t open it! They often contain payloads like ransomware or other viruses. The only file type that is always safe to click on is a .txt file.
• Unusual Sender: Whether it looks like it’s from someone you don’t know or someone you do know, if anything seems out of the ordinary, unexpected, out of character, or just suspicious in general, don’t click on it!

Prevent Phishing Attacks:

Though hackers are constantly coming up with new techniques, there are some things that you can do to protect yourself and your organization:

• To protect against spam mails, spam filters can be used. Generally, the filters assess the origin of the message, the software used to send the message, and the appearance of the message to determine if it’s spam. Occasionally, spam filters may even block emails from legitimate sources, so it isn’t always 100% accurate.
• The browser settings should be changed to prevent fraudulent websites from opening. Browsers keep a list of fake websites and when you try to access the website, the address is blocked or an alert message is shown. The settings of the browser should only allow reliable websites to open up.
• Many websites require users to enter login information while the user image is displayed. This type of system may be open to security attacks. One way to ensure security is to change passwords on a regular basis, and never use the same password for multiple accounts. It’s also a good idea for websites to use a CAPTCHA system for added security.
• Changes in browsing habits are required to prevent phishing. If verification is required, always contact the company personally before entering any details online.
• If there is a link in an email, hover over the URL first to see the actual address the link is taking you too. If it looks odd or strange, it probably is.

Generally, emails sent by cybercriminals are masked so they appear to be sent by a business whose services are used by the recipient. A bank will not ask for personal information via email or suspend your account if you do not update your personal details within a certain period of time. Most banks and financial institutions also usually provide an account number or other personal details within the email, which ensures it’s coming from a reliable source.

Spear-Phishing

Spear-phishing is a targeted attempt to steal sensitive information such as account credentials or financial information from a specific victim, often for malicious reasons. This is achieved by acquiring personal details on the victim such as their friends, hometown, employer, locations they frequent, and what they have recently bought online. The attackers then disguise themselves as a trustworthy friend or entity to acquire sensitive information, typically through email or other online messaging. This is the most successful form of acquiring confidential information on the internet, accounting for 91% of attacks.

Spear-Phishing Vs. Phishing

Spear-phishing can easily be confused with phishing because they are both online attacks on users that aim to acquire confidential information. Phishing is a broader term for any attempt to trick victims into sharing sensitive information such as passwords, usernames, and credit card details for malicious reasons. Unlike spear-phishing attacks, phishing attacks are not personalized to their victims, and are usually sent to masses of people at the same time. Spear-phishing on the other hand requires more thought and time to achieve than phishing. Spear-phishing attackers try to obtain as much personal information about their victims as possible to make the emails that they send look legitimate and to increase their chance of fooling recipients. Because of the personal level of these emails, it is more difficult to identify spear-phishing attacks than to identify phishing attacks conducted on a large scale. This is why spear-phishing attacks are becoming more prevalent.

How does spear-phishing work?

The act of spear-phishing may sound simple, but spear-phishing emails have improved within the past few years and are now extremely difficult to detect without prior knowledge on spear-phishing protection. Spear-phishing attackers target victims who put personal information on the internet. They might view individual profiles while scanning a social networking site. From a profile, they will be able to find a person’s email address, friends list, geographic location, and any posts about new gadgets that were recently purchased. With all of this information, the attacker would be able to act as a friend or a familiar entity and send a convincing but fraudulent message to their target.

To increase success rates, these messages often contain urgent explanations on why they need sensitive information. Victims are asked to open a malicious attachment or click on a link that takes them to a spoofed website where they are asked to provide passwords, account numbers, PINs, and access codes. An attacker posing as a friend might ask for usernames and passwords for various websites, such as Facebook, so that they would be able to access posted photos. In reality, the attackers will use that password, or variations of it, to access different websites that have confidential information such as credit card details or Social Security Numbers. Once criminals have gathered enough sensitive information, they can access bank accounts or even create a new identity using their victim’s information. Spear-phishing can also trick people into downloading malware or malicious codes after people click on links or open attachments provided in messages.

Tips to Avoid A Spear-Phishing Attack:

• Watch what personal information you post on the internet: Look at your online profiles. How much personal information is available for potential attackers to view? If there is anything that you do not want a potential scammer to see, do not post it – or at the very minimum make sure that you’ve configured privacy settings to limit what others can see.
• Have smart passwords: Do not just use one password or variations of passwords for every account that you own. Reusing passwords or password variations means that if an attacker has access to one of your passwords, they effectively have access to all of your accounts. Every password that you have should be different from the rest – passwords with random phrases, numbers, and letters are the most secure. A Password Manager is useful for this.
• Frequently update your software: If your software provider notifies you that there is a new update, do it right away. The majority of software systems include security software updates that should help to protect you from common attacks. Where possible, enable automatic software updates.
• Do not click links in emails: If an organization, such as your bank, sends you a link, launch your browser and go directly to the bank’s site instead of clicking on the link itself. You can also check the destination of a link by hovering your mouse over it. If the URL does not match the link’s anchor text or the email’s stated destination, there is a good chance that it could be malicious. Many spear-phishing attackers will try to obscure the link destinations by using anchor text that looks like a legitimate URL.
• Use logic when opening emails: If you get an email from a “friend” asking for personal information including your password, carefully check to see if their email address is one that you have seen them use in the past. Real businesses will not send you an email asking for your username or password. Your best bet would be to contact that “friend” or business outside of email, or visit the business’ official website to see if they were the party who actually contacted you.

Remember that Spear-Phishing is specific and may be trying to attack things like your personal bank account, your IRA, or other financial accounts, or may try to target you if you are in an important position within a business or organization such as CFO of a major corporation.

Scams

Internet scams continue to evolve, and can vary widely. The term generally refers to someone using internet services or software to defraud or take advantage of victims, typically for financial gain. Cybercriminals may contact potential victims through personal or work email accounts, social networking sites, dating apps, or other methods in an attempt to obtain financial or other valuable personal information. Many successful internet scams have similar endings: victims either lose their money or fail to receive funds the fraudster promised. And yes, Phishing and Spear-Phishing are two types of scams.

Criminals have devised dozens of ways to deceive victims through the internet. Here are some of the most common types of scams.

Romance Scam

Online dating can be a good way to connect with potential romantic partners, but cybercriminals have started using this method in an attempt to defraud unsuspecting victims. Here’s how the scam works:

The fraudster usually strikes up a conversation on an online dating site and begins an online relationship — but always comes up with reasons why he or she can’t meet up in person. Once the fraudster has gained the victim’s trust, they’ll ask for money or details about the victim’s financial life. Once you give them the money or financial information—poof!—they are gone and you may be left with a broken heart and an empty wallet.

What to do? If you start an online relationship with someone, help protect yourself by asking a lot of questions. Take the relationship slowly and never give financial information or money to someone you don’t know personally.

The Overpayment Scam

The transaction might seem legitimate at first. Someone responds to your online advertisement and arranges to pay for an item you’re selling.  But the buyer invents a reason for sending you much more than the purchase price, then asks you to wire back the difference before the money clears your bank account. After you’ve paid back the difference, it becomes clear the transferred money was fake — and you’ve lost the cash you gave the scammer. Be cautious. If someone sends you a lot more money than you’re owed, it may be a scam. Don’t refund any money until the transfer is in your account. If you’re truly suspicious, you can also cancel the whole transaction and report this issue to the platform where you’ve listed the online advertisement.

Quick-Money Promise

This scam might start out as a phone call, LinkedIn message, or unsolicited email that advertises a job requiring little to no real work, but offering lots of fast cash. Criminals who practice this scam often target people looking for a new job or wanting to work from home. But once you secure the job, you’re asked to fill out routine paperwork to provide your Social Security number, address, and bank information, seemingly for direct deposit of your paycheck. The fraudsters can use this personal information to access your financial accounts. But wait there’s more! In some cases, you may unknowingly take part in a money-laundering scheme in your new role. The lesson? When job hunting, use well-known, reputable job sites, research the employer, and avoid applying for positions that seem too good to be true.

Facebook Impersonation Scam

Facebook users may sometimes encounter scams. In one of the more recent examples, a fraudster copies the name, profile picture, and basic information from a real account to create a second, nearly identical account on Facebook. Next, the scammer sends friend requests to the original account’s friend list in an attempt to access the personal information of an unsuspecting friend. If you get a friend request from someone who should already be on your friend list, search for their account. If you find two nearly identical accounts, it’s likely a sign that one of the accounts is fake. Report the cloned account to Facebook, and consider alerting your friend in real life or on the phone so it’s clear who you’re talking to.

Tip: In cases where you believe your account has been hacked, first change your password or contact Facebook to investigate.

Fake Shopping Websites

Using sophisticated designs and layouts, cyberthieves may create and publish fake websites that either look genuine or that replicate existing retailer websites. The bogus shopping sites might offer deals that are too good to be true, for instance, you might find popular brands of clothing and expensive electronics at extra-low prices. And what if you buy? You may either receive the item and find out it’s fake, or you may receive nothing at all. If you think you’ve found a fake shopping website, don’t spend money there. Instead, report the website to the FBI’s Internet Crime Complaint Center.

Unexpected Prize Scam

This type of scam falls under the phishing category. The email may claim you’ve won a large chunk of cash, like you supposedly won the lottery in another country, a free trip to an exotic destination, or some other fantastic prize. In order to claim your trip or winnings, the message will say, you only need to pay a small fee or fees.  After you pay those fees, you never hear from the organization again. Some travel scams may actually send you to the destination, but they’ve hidden a lot of important expenses such as visa fees, transportation costs, or meals. The old adage applies: if something seems too good to be true, it probably is. Don’t respond to the message. If you’re looking to plan a vacation, shop local and small and find a reputable travel agent in your community. If you want to plan yourself online, use one of the reputable and well-known online travel sites.

One variation of the Unexpected Prize Scam is the Bill Gates Scam. The Bill & Melinda Gates Foundation is a well-known, legitimate charity founded by Microsoft creator Bill Gates and his wife. It does not give random grants to people. However, since 2015 a scam based on that premise has been victimizing people. Sometimes potential victims of this scam are targeted through emails; other times, through Facebook messages. As with many similar scams, when someone responds to the email or social media post, they are told that they need to pay a fee in order to receive their prize. Bill Gates didn’t become as wealthy as he is by giving his money away to strangers, and the Bill and Melinda Gates Foundation has specific procedures one must follow when applying for grant money.

The Nigerian Letter Scam

In this scam—perhaps one of the longest-running internet frauds—you’ll receive an emotional message from someone claiming to be an official government employee, businessman, or member of an abundantly wealthy foreign family, asking you to help them retrieve a large sum of money from an overseas bank. In exchange, the person promises to give you some of the money. They may even produce fake paperwork that makes the deal look legitimate. It’s best to ignore these messages or report them to the FBI’s Internet Crime Complaint Center.

One variation on this is the “long-lost relative” where you are contacted by a person claiming to be the attorney or barrister (a British attorney) for a person who was wealthy and passed away. According to the scammer, you just happen to be the long-lost heir to the family fortune, and for a small fee this person will help you get your inheritance. Unless you know that you had a wealthy great uncle who passed away and you are in fact heir to his fortune, avoid falling for this scam.

One more variation is the “sad sack soldier” (sailor, marine, or airman) who is deployed overseas and can’t afford to support his or her family back home. However, there are family support organizations in every branch of the U.S. Military to help in situations like this. Additionally, you are better off giving your money to the USO than falling for this scam. Plus, your donation to the USO is a 100% tax-deductible charitable contribution. A win-win.

Extortion or Threat or “Hitman” Scam

In another type of scam, the cybercriminal may threaten to embarrass or injure you or a family member unless a ransom is paid. The scammer may have gathered details about your life from social media profiles, which could make the claim seem more legitimate or urgent. If you receive one of these messages, report it to the FBI’s Internet Crime Complaint Center and your local law enforcement.

Malware and Ransomware Scams

For cybercriminals, the first step in several types of scams is installing malware — short for “malicious software” — on a victim’s device. How? Criminals have a variety of ways to do this. For instance, the perpetrator may send you a pop-up message for fake antivirus software, a link to a news article, or an email that looks like it’s from your bank. Clicking on the message or the embedded link triggers the installation of malware, which can be designed to scan your device for personal and banking information, log your keystrokes, lock you out of your device, access your webcam, and even destroy your files in the process.

Ransomware is a related form of malware that is delivered through phishing emails. Once the malware is installed on a device, the victim’s files are encrypted, and the cybercriminal demands a ransom payment, typically in a virtual currency such as bitcoin. The criminal promises to release the victim’s files once the money is received, but often that doesn’t happen or is like mob “protection” where you have to pay them regularly to keep your computer running.

The Tech Support Online Scam

These types of scams can be related to or stem from malware infections. Fraudsters use urgent pop-up messages or fake online ads to promote software services.  When you contact them, they’ll say you have a serious problem with your computer and will offer tech support services you don’t need, because the problem doesn’t exist. They may also install malware on your device to gain access to your financial details. You may be able to tell it’s a scam from the company’s choice of payment methods. For example, money sent via wire transfer, loaded onto gift cards or prepaid cards, or transferred through an app like PayPal is hard to reverse.

If the company seems suspicious and only takes these types of payments, don’t do business with them and consider reporting the company to the FBI’s Internet Crime Complaint Center.

IRS Scam

Last, but not least, is the IRS Tax Scam. Remember, the IRS and state and local tax authorities will not call you or contact you by email. All correspondence will come in the form of a written document sent via the US Postal Service. The IRS and state and local tax authorities will not demand payment for taxes in the form of gift cards like Apple iTunes cards, bitcoin, or wire transfers. If you get an email, phone call, or text message from someone claiming to be from the IRS or your state or local tax authority, feel free to hang up on them, delete the email or text message, and block the number.

Summing it all up!

The number one thing you can do to protect yourself from Phishing, Spear-Phishing, and Scams—oh my!—is to use common sense. Does it sound legitimate? Is it too good to be true? Did I go to England and play the lottery there? Let me go to Paypal.com directly and see if they need me to change anything. Do I even have an account with that bank? What’s a better way to help this person? Why do they want me to go and get gift cards to pay them? Is this really Bob’s or Sally’s email address, and do they usually write like that? Are Mark and Janet really on vacation in Europe? Didn’t I just see them at the store yesterday? Wait, that’s not my anti-virus software showing me I have virus.

Take a moment to stop and think and ask yourself these and similar questions. If the answer is “no”, then ignore, delete, block, and report. We have enough going on in our lives—don’t let cybercriminals get the best of you!