
Most Popular Phishing Scams


With cyber-crime on the rise and sophistication levels escalating, educating people against the most common attacks (phishing, vishing, etc.) is essential.

Introduction

Phishing is a technique used to get confidential data from individuals and companies into the hands of criminals, who use it to extract money, clone identities, and ruin reputations. Here are the five most common types that individuals and enterprise data management organizations should be vigilant against.

Vishing

With the vast amount of data available over social media, it is simple for cyber-criminals to gather information about individuals and be very convincing. Vishing occurs when a potential victim receives a phone call from a source that sounds credible, and the extortionist attempts to get confidential information from the target, or directs them to a web site where the criminal organization can do this. Usually, the criminal claims to represent a bank or government organization.

Many calls will originate from countries where the victim does not reside, so the cyber-criminals will use voice-to-text technology or a recorded message to disguise their origins. Some criminal organisations use real people in the target countries, which makes the calls even more convincing. The goal is to steal money from individuals and businesses, which they do by trying to get the quarry to reveal their passwords, security numbers, bank details, credit card codes and other sensitive data. Vishers are clever and manipulative, and can spoof official phone numbers so that the number looks convincing when it appears on the caller ID.

It’s not only individuals who are being targeted by vishers; companies are falling for this more often, as the spoils are far greater for the scammers.

Potential victims should become more aware of vishing, and never give out confidential details over the phone. Organizations should have clear policies for data security, and access to sensitive data should be restricted.

Smishing

Smishing is a form of cyber-attack where the prey will receive a text message designed to harvest personal data from them to steal money or hijack their identity. These messages may look very convincing and might even forge an official looking sender name. Normally, the message will direct the victim to click on a link.

Examples of effective smishing scams:

  • The victim has won a prize, usually a major amount of money or an item of real value
  • The victim’s account has been disabled or is about to expire – this will appear to be from their mobile phone provider, bank, broadband company etc.
  • The victim has received a rebate from the tax office
  • A text from a desperate friend who needs cash immediately – this can be very compelling as the victim will want to help their friend
  • A message thanking the victim for their order

Advice to potential targets is: DO NOT tap on the link. Delete the text message immediately without interacting with the message in any way.

If the victim is worried or has concerns based on the message, they should look up an official contact number for the organization and contact them directly. Do not use any of the information in the message since it will not be legitimate. The organization will reassure them that they don’t need to take any action. The business might even thank the victim for making them aware of the scam.

Spear Phishing

One of the most dangerous types of phishing attack is spear phishing. Rather than sending out millions of random emails, cyber-criminals thoroughly research their quarry so that they know their intended victim.

The scammers conduct a complete investigation into the victim’s social profile. They’ll find information about the potential victim that the person did not realize existed on the internet. And when the cyber-criminals send out the targeted email, it will be even more difficult to detect the message as fraudulent.

Experts advise that people should perform an online search for themselves to find out what information is in the public domain. They should do this from an incognito browser session; otherwise the results won’t be accurate.

Once the person has discovered what information is publicly available, they should devise a plan to reduce the amount of personal data that is accessible to others.

Before becoming a victim, each individual should examine their privacy settings on all their social media platforms, being careful to set the maximum privacy constraints for sensitive data protection. Everyone should also be aware of who they are connecting with and what information their contacts can see, share, etc.

People should be careful what they post about online too, to avoid becoming a victim of common crime. As an example, many people always post pictures of themselves on a vacation / holiday trip. This is the best way to advertise to thieves that a house is empty and available for burglary. In addition, knowledge of the holiday gives the cyber-criminal information to use in smishing and vishing activities.

Remedies to reduce spear phishing include reducing the amount of information posted on social media, keeping sensitive data private, and stripping back all social media profiles to the minimum.

Whaling

Who is the biggest target in a company for cyber-criminals? Is it the cleaning staff? No. Is it the sales people? No. The person who is the biggest prize and catch for any hacker is a chief; one who has a C at the start of their three letter title… CEO, CFO, CIO, etc.

It makes sense that any chief executive would have access to the most sensitive data in the company: information about bank accounts, expense accounts, credit cards and much more. A CEO’s knowledge is dangerous if it falls into the wrong hands.

And yet, there seems to be huge resistance to implementing security measures for VIPs in many organizations, and many executives shun training. Many IT teams fear that the imposition of increased security will inconvenience highly placed individuals and will result in some form of punishment for the data security or data governance program. This fear is confirmed when an organization relaxes standards or limits policies after receiving complaints from leaders about access controls or other data / IT security measures.

Cyber-security can be inconvenient and a bit frustrating. For example, two-factor authentication requires a user to enter a PIN from their phone as well as typing a user name and password to access an online system.

But cybercrime is on the rise. Criminals continue to employ sophisticated methods in their attacks, and their success rate is sky-rocketing, according to many statistics. C-suite members are vulnerable to phishing, vishing, smishing, and other attacks – at a level called “whaling”.

Influential executives should demand to be included in the latest data and technology security implementations, after the testing phase has been completed. Every executive should support the data management program, and data and IT security teams in their mission to protect the organization from unauthorized access.

Search Engine Phishing

Search Engine Phishing is a reasonably new and successful way of scamming money and confidential data from unsuspecting shoppers.

In Search Engine Phishing, a cyber-criminal creates a legitimate-looking online store offering amazing deals. These stores are indexed by Google and the other search engines, so they appear on a normal results page. The false sites are very convincing, so victims who fall into the trap shop there and are robbed, have their identities stolen, and have their reputations ruined.

To identify a false site, look for these clues:

  • Any site offering amazingly cheap deals or free giveaways should be avoided
  • Banks offering impossibly low interest rates should ring alarm bells
  • A job opportunity that sounds too incredible to be true
  • Web sites telling the victim that their computer has been infected and that they need to download the latest fix from the scammer’s site
  • A web site with misspellings in the URL or the content

Conclusion

With the rise of all forms of cyber-crime, everyone should be suspicious: if it seems too good to be true, it normally is. A common piece of advice from cyber-security professionals is: “People should do their research – make sure any web sites they use are legitimate by checking them out thoroughly before they use them. Do not click on links in email messages.”


Paul Bedford

Paul Bedford is passionate about Cyber Security and Business Analysis and has been involved in the worldwide rollout of a Security Improvement Program for Burberry. Paul has had extensive experience in Business Analysis with major corporations such as HSBC Commercial Banking, NPower Energy, NFU Mutual, HMRC, Shell, Barclays and many more. This means he has seen all types of IT problems businesses have experienced over the last 30 years.

Paul has written daily Cyber Security posts on LinkedIn which often exceed 5,000 views and trend on the platform, as his growing number of followers can attest. Paul provides speaking and consultation services on Cyber Security and Business Analysis, and currently is studying to become a Certified Information Systems Security Professional (CISSP).

Paul completed a Bachelor’s Degree in Computer Science at Birmingham University (UK) and learned about prehistoric machines that were bigger than a mountain, but less powerful than a mobile phone. This inspired his adventures in IT.
