It’s that time of year when anglers take to the waters and cast their lines in hopes of hooking bass, salmon, and other savory fish. While spring and fall are peak times for sport fishing, there’s a different kind of “phishing” that’s always in season.
Phishing is when someone uses fake emails or texts (even phone calls) to lure you into sharing valuable personal information, such as your Social Security number, your login IDs and passwords, or bank account numbers. Scammers are phishing for this information to pilfer your money, your identity, or both. In some cases, they may use it to gain access to your phone, computer, or network. They hook you when you click on a link in one of these messages: the link may lead to a fake login page that captures what you type, or to a download that installs ransomware or other malicious programs designed to steal your personal information. These nefarious actors will often use familiar or seemingly legitimate names or pretend to be someone you know, and will pressure you to act immediately to avoid an alleged negative outcome if you fail to follow through.
The most dangerous mindset is thinking that it can’t happen to you or that you would most certainly recognize a scam. Earlier this year, 10,000 Microsoft users were targeted in a phishing campaign. Emails were sent to intended victims purporting to be from FedEx, DHL Express, and other shippers, containing links to phishing pages hosted on legitimate domains. The phishers were after recipients’ work email credentials. Because the pages sat on legitimate domains, the emails were able to evade security filters. The high success rate of these emails was attributed in part to the fact that so many people have come to rely on delivery services during the pandemic. Scammers prey on the vulnerability of people during a crisis.
Three Common Attack Methods
PHISHING – Hackers send out legitimate-looking emails that contain a link to a spoofed website, or an attachment with malware or malicious code included. These attacks have been around for quite some time. Originally targeting individuals, the attacks have grown more sophisticated and now commonly target companies to gain network access, launch malware and ransomware attacks, and aim directly at C-level executives.
SPEAR PHISHING – Spear phishing is a more targeted and customized attack. The bad guys will do a little research and find out specific information about the target. That information may come from the company website, social media, financial reports, or industry sources. Using it, they customize an email to make it appear more legitimate.
WHALING – Whaling is a more sophisticated form of spear phishing aimed at corporate CEOs, CFOs, and other high-level executives. Because of their status, these executives are considered the Big Fish or “Whales” if they take the bait. Criminals can generally net a bigger catch from these victims.
Phishing is a booming business for hackers. According to a recent Forbes article, Google reported a record 2.1 million phishing sites in 2020 (an increase of nearly 25% from 2019). Even more staggering is that Google has been proactively blocking over 18 million phishing emails each day since the start of the Covid-19 pandemic. Security firm PhishLabs reports that social media has emerged as one of the fastest growing attack vectors, rising 47% in the first six months of 2021.
This year-round online sport has evolved to what security researchers refer to as “Deep Sea Phishing” – which is the use of a combination of techniques to cast more aggressive lures. Cybercriminals and organized crime groups have adopted various pandemic-themed bait for phishing and they are taking advantage of the cybersecurity chaos that has followed the rapid transition to remote working and learning.
Even more alarming is the growing use of disinformation and deepfakes in phishing expeditions. Deepfakes use deep learning artificial intelligence to replace the likeness of one person with another in video and other digital media. Deepfake technology can be used to create fake news and misleading, counterfeit videos. There have been reported cases of cybercriminals using deepfake audio to imitate a CEO’s voice and request that payments be sent to an attacker’s account.
Don’t Get Hooked
There is a popular Russian proverb that was adopted as a signature phrase by former President Ronald Reagan that anyone who uses the internet should follow: Trust, But Verify. At one time or another (or more than once), you have forgotten a password and requested a link to reset it. But if you receive one of these requests without initiating it yourself, there’s a good chance it’s not legitimate. The same applies if you receive an email asking for personal or login information out of the blue. A healthy degree of caution and skepticism is necessary today when navigating the world wide web to avoid getting hooked by phishers.
If you’ve ever been to the beach you may have come across the warning flags that many coastal communities post to alert beachgoers to dangerous surf, swimming conditions, or high and low tides. Red flags signal the highest degree of danger. Following are some red flags you can look for to avoid being lured and hooked by a phishing scam:
- Email address is different or looks off: If you’re getting an email from someone claiming to be someone you know, but the address is different from what you have on file or looks like it doesn’t make sense, that’s a good indication that this person isn’t who they say they are. Check the actual sender address, not just the display name; a familiar name can be typed over any address.
- The message is unexpected and unsolicited. If you suddenly receive an email from an entity or a person you rarely deal with, consider this email suspect.
- There’s a request for personal information such as social security numbers or bank or financial information. Official communications won’t generally request personal information from you in the form of an email.
- Strange tone or incorrect grammar: If the sender is someone you know and are usually friendly with, but the tone of the email is formal or otherwise off, it’s a red flag. The same goes for grammatical and typographical errors, especially if the person is usually diligent about their writing.
- The web address is misspelled or different from where you usually go: Phony websites linked directly from an email might look authentic but will have a different URL than the website you usually visit when you log in. Hover over a link (or press and hold it on a phone) to see where it really goes before clicking. Watch for a familiar name buried inside a stranger’s domain, such as a bank’s name appearing as a subdomain of an address you don’t recognize.
- Unsecure connection: Most web browsers will warn you if a website’s connection is unsecure, but an easy way to tell for yourself is to look for “https” at the beginning of the URL. If you only see “http,” your connection to the site is not encrypted. Be aware that the reverse is not a guarantee: “https” and the padlock only mean the connection is encrypted to whoever controls that address, and many phishing sites use https too. A padlock on a misspelled or unfamiliar domain is still a red flag.
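The address-related red flags above (a lookalike or unfamiliar domain, a familiar name hiding inside a stranger’s domain, link text that differs from the real destination, and the false reassurance of “https”) can be checked mechanically. The script below is an added example written for this page, not code from the original article; the list of “known” domains is hypothetical and stands in for the handful of sites a person actually logs in to. It goes a little beyond the text by also flagging bare IP addresses and punycode (xn--) labels, two other common disguises.

```python
import re
from urllib.parse import urlsplit

# Hypothetical: the sites this reader genuinely has accounts with.
KNOWN_DOMAINS = {"fedex.com", "dhl.com", "microsoft.com", "mybank.example"}

# Finds a hostname inside the visible link text, if the text shows one.
HOST_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.IGNORECASE)
IP_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def registrable_domain(host: str) -> str:
    """Approximate the owning domain with the last two labels.
    A production checker would use the Public Suffix List (bbc.co.uk etc.);
    the two-label rule is enough for the .com/.example names used here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_link(display_text: str, href: str) -> list[str]:
    """Return the red flags raised by one link; an empty list means none.
    display_text is what the email shows, href is where the link really goes."""
    flags = []
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    is_ip = bool(IP_RE.fullmatch(host))
    reg = host if is_ip else registrable_domain(host)

    if parts.scheme != "https":
        flags.append("no https: the connection is not encrypted")
    # Deliberately no "https present, looks safe" message: a valid padlock only
    # proves you reached whoever owns that name, not that the name is honest.

    if is_ip:
        flags.append("bare IP address instead of a domain name")
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode label: may render as a look-alike of a familiar name")

    if reg not in KNOWN_DOMAINS:
        for known in KNOWN_DOMAINS:
            if known in host:
                # e.g. fedex.com.delivery-update.example: the real site is the tail.
                flags.append(f"'{known}' appears inside '{host}' but the site is really '{reg}'")
            elif edit_distance(known, reg) <= 2:
                flags.append(f"'{reg}' looks like a misspelling of '{known}'")
        flags.append(f"'{reg}' is not a site you normally log in to")

    # Link text that names one host while the link goes to another.
    m = HOST_RE.search(display_text)
    if m and registrable_domain(m.group(1)) != reg:
        flags.append(f"link text shows '{m.group(1)}' but the link goes to '{host}'")
    return flags


if __name__ == "__main__":
    # Constructed sample links, modelled on the shipping-themed lures described above.
    samples = [
        ("https://www.fedex.com/track", "https://www.fedex.com/track"),
        ("https://www.fedex.com/track", "https://fedex.com.delivery-update.example/track"),
        ("FedEx", "https://www.fedx.com/login"),
        ("Reset your password", "http://192.0.2.10/login"),
        ("FedEx", "https://xn--fdex-loa.com/login"),
    ]
    for shown, target in samples:
        print(shown, "->", target)
        for flag in check_link(shown, target) or ["no red flags"]:
            print("   ", flag)
```

The heuristics err on the side of flagging: an unfamiliar but honest domain will be reported as “not a site you normally log in to,” which is the right outcome for a link that arrived unsolicited. The missing-https check is kept, but note that the clean example passes only because its domain is on the known list, not because it uses https.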
When you receive an email or text message that you weren’t expecting, particularly from what appears to be your financial institution, contact the institution or business directly by phone to verify whether the message was in fact sent by them. Use the phone number printed on your card, statement, or the company’s official website, never a number supplied in the suspicious message itself.
When fishing in deep waters, sportsmen wear a safety vest to prevent drowning. When navigating the murky waters of the world wide web and sharing your personal data, bring a safety net of awareness and caution – and beware of phishers!