By Venkat Krishnapur, Vice President of Engineering and Managing Director, McAfee India
Making its debut sometime back in 1995, phishing is one of the oldest tricks up a hacker’s sleeve, and yet, one of the most effective. Fast forward to 2020, phishing scams have reached a level of sophistication that are mind boggling, relentlessly cunning, with evil genius personified.
What‘s the success behind this tact? Targeting the weakest link in the network – the loophole that exists in the man machine conundrum. One might perceive that the latest Twitter hack was engineered by a tech mastermind like Hugh Jackman from ‘Swordfish’. Might come to you as a surprise that it was just another case of a co-ordinated attack,socially-engineered by people, who used internal resources such as employees with access to sensitive data.
In its simplest of form, phishing is an email, an SMS, a malicious link, a social media post or any form of communication designed to pique user interest to reveal confidential information. There was a time when phishing attempts were relatively easy to spot due to link misspellings, odd redirects, and other tell-tale signs. While this is true even today, tactics,tools and techniques have become increasingly more personalized, innovative, and shrouded in clever disguises.
So, how can one spot phishing lures? It is not all rocket science. In fact, you would be surprised how a little common sense and awareness online can avert a major digital catastrophe.
Let us breakdown the various facades cybercriminals don for phishing scams –
1. The link look-alike
A digital twin of email phishing, link manipulation is when a cybercriminal sends authentic looking links to malicious websites under the guise of an urgent request or deadline. The scammer creates a fraudulent site and after a user clicks on the deceptive link, they are asked to input or verify their personal details. The art of deception is the most common technique that fraudsters use.They make minute changes to the link or create short links that are not easy to spot.
Vigilance is key.Searching for key words using known search tools and then clicking on the links is safer. Also hovering over the link and checking the spellings, domains and so on before clicking sometimes help. Using tools that detect malicious links and warn users even before they click on them are highly recommended. In any case, it is important to ensure you don’t click on unsolicited e-mails as a basic thumb rule to stay safe.
2. Focus and spear target
Some schemes are a gamble — the hacker sends out mass emails to a random distribution list, hoping for a catch. Others are highly targeted and involve gathering information about specific, high value personalities. Spear phishing begins by cyberstalking a select individual and collecting data on their whereabouts through their digital footprint. They present information in the right manner, that looks trustworthy enough to click through. These are the hardest to spot, especially, because they are designed to come from people you know. Fraudsters create the content after a lot of research into your habits, interests and so on. In these situations, the clues lie in actions that are expected from you that are never expected under normal circumstances.
3. The bait hides the hook
Compelling headlines and pop-ups known as ‘clickbait’, entice readers with content that is too hard to resist. However, the actual content behind it turns out to be fallacious. After clicking, the link takes you to sites that could contain malicious code including ransomware, viruses or trojans. Resist clicking on links that are too good to be true. Remember, there is never a free lunch.
4. Gone whaling
Corporate bigwigs have always been a target of choice for a variety of reasons. Phishing that targets them is termed – Whaling. In this sophisticated, personalized attack, a cybercriminal attempts to manipulate the target to obtain money, trade secrets, or corporate information. Many large companies have fallen victim due to cybercriminals impersonating the C-suite, asking lower level employees for sensitive corporate information. Always check what action is being asked from you and whether it is normal to get such an e-mail in the first place. The key point is alertness at all times. In the virtual world, this is the first online behaviour one should practice.
5. That SMS alert could be a Smishing alert
As the name suggests, SMS phishing, or ‘smishing’ is a form of phishing that capitalizes on SMS or text messages to perpetrate crime. These lure users into clicking on malicious links by sending text messages that appear to come from legitimate sources. These could be disguised as free coupons – ‘50% off your next order’ or free tickets to a movie. Ultimately, these are designed to arouse user interest, leading them to click on the link. Again, alertness is key. Do not fall for anything that is too good to be true.
6. Wish that’s not a Vishing call
With new technologies, come new avenues for scammers to obtain personal data. Vishing, or voice phishing, is one of those. In a vishing attempt, cybercriminals contact users over phone, claiming to be banking or law enforcement representatives – and try to obtain personal or financial information. Scammers use Voice over Internet Protocol (VoIP) technology and spoof the caller ID to make itseem from a legitimate source, encouraging users to hand out sensitive information. Unsolicited calls or e-mails at any time should be ignored. If any information such as your bank account details, passwords, OTPs orANY Personally Identifiable Information is being asked, it should set your alarm bells ringing.No bank or authority will call you directly for such information. Never divulge information to any unconfirmed source as a general principle.
Phishing comes in all shapes and sizes. It is successful because it capitalizes on human sentiment. Our inherent psychology makes us quick to act based on emotion. These hoaxes essentially prey on the hOS or the human Operating System. In the digital world adopt a – Stop,Think, Connect mindset. Once you understand how it works, you are better positioned to recognize and avoid falling victim to such ruses. We all think ‘this will never happen to me’ only until, someday it does.
If you have an interesting article / experience / case study to share, please get in touch with us at [email protected]