Modern Phishing Methods

Written by Pauline Johnson



As we mentioned in the last blog (and if you haven’t read that one, start there! *link to blog), there are many different types of phishing attacks. Most of us are familiar with spear phishing, email phishing, domain spoofing, man-in-the-middle (MITM) attacks, and social media phishing. Today we are featuring more types of phishing to watch out for, along with some best practices to counter each method.

HTTPS Phishing: Give up credentials to a malicious website

A bad actor sends an email with a malicious link inside. The link seems legitimate — it may look like a link to your bank, and you’re being asked to log in and update your account. But when you click the link, even though the page looks like your bank’s home page, it’s not. It’s a fake site that steals your credentials when you try to log in.

Best Practice: Navigate to the site manually, with a URL you know is correct, and always look carefully at the address bar in your browser before you enter your credentials.

Clone Phishing: Looks like an email you already received

Similar to an HTTPS attack, this type of email looks like an email you have already received. It looks properly branded, but it carries a malicious link or attachment. Sometimes the email will say something like “resending this email” so you think it’s legitimate. Shipping company notices, Amazon order updates, and the like are often imitated, but the sender’s return email address is slightly different, perhaps off by just a single letter.

Best Practice: Be on the watch for duplicated emails; always check the sender’s address, and it’s best to navigate to the site manually, using the URL that you know is correct.

Angler Phishing: Customer service imposters

Did you ever post a comment on social media about a poor customer experience, hoping that the company would respond? An angler phisher is someone who pretends to be a customer service agent. They try not only to steal your personal data (phone, DOB, account number, credentials) but also, in some cases, to infect your device with malware.

Best Practice: Confirm the handle of the person replying — make sure it’s from the legitimate account you are trying to reach. Be wary of clicking links or following instructions that don’t seem to match up with your request.

Vishing: Voice call scamming

Scammers use social engineering methods over a telephone call to steal your valuable data. The bad actor may pretend to be from your credit card company, your bank, or some other trusted resource. The caller will tell you there is some sort of problem with your account and will ask you to verify information, such as your social security number or credit card number.

Best Practice: Hang up without giving away any information. You can call the company back using the known telephone number (don’t use your phone’s “Recent” call list); you can also change the settings of your phone so that any calls from numbers not in your contact list are ignored or blocked.

Evil Twin Phishing: Fake Wi-Fi networks

Stealing your data using a fake Wi-Fi network is easier than you think. A malicious network allows bad actors to monitor your web traffic and capture any credentials or sensitive information you enter while you are connected. Public Wi-Fi spots, such as those at airports, coffee shops, and libraries, are often impersonated.

Best Practice: Use your phone’s hot spot instead of a public network. Or, wait until you can be 100% confident that you are connected to the legitimate network before sending any sensitive data.

Pharming: Malicious code is in charge

When malicious code has been loaded onto your device, the code may redirect your web traffic to fake or malicious websites. This is done without your consent or knowledge, and it exposes your sensitive data to hackers. If you visit a website and the URL says “HTTP” instead of “HTTPS”, that is a clue that something may be amiss. You also might see a notice in your browser that says your connection is not private. These are important warning signs.

Best Practice: Use good anti-virus and anti-malware programs (RPI does) and keep your system software up to date. Be aware of the site URLs that you visit; avoid “HTTP” sites.
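The HTTPS, clone phishing and pharming sections above all come down to the same manual check: look at the scheme, the real domain in the address bar, and the domain after the “@” in the sender’s address. The script below is an added example (not from the original post, and not RPI’s tooling) that mechanizes that check against a small allow-list of domains you actually use. The domains in `KNOWN_GOOD_DOMAINS` and all the sample URLs and addresses are constructed placeholders, and `registrable_domain` is a deliberately naive “last two labels” helper (it does not handle multi-part suffixes such as `.co.uk`).

```python
from urllib.parse import urlparse

# Constructed allow-list: the domains the reader actually banks or shops with.
# Placeholders only; they are not real institutions.
KNOWN_GOOD_DOMAINS = {"examplebank.com", "shipping-example.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character edits needed to turn a into b.
    A distance of 1 or 2 is the 'off by a single letter' lookalike the post warns about."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Naive 'site owner' domain: the last two labels of the hostname.
    Assumption for this example; real tooling would use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_domain(domain: str) -> list:
    """Warnings for a domain that is not exactly one of the known-good domains."""
    domain = domain.lower()
    if domain in KNOWN_GOOD_DOMAINS:
        return []
    warnings = []
    for good in KNOWN_GOOD_DOMAINS:
        if edit_distance(domain, good) <= 2:
            warnings.append(f"'{domain}' is a near-miss of known domain '{good}'")
    if not warnings:
        warnings.append(f"'{domain}' is not a known-good domain")
    return warnings


def check_url(url: str) -> list:
    """The address-bar checks from the HTTPS and pharming sections:
    is it https, and which domain really owns the page?"""
    parsed = urlparse(url)
    warnings = []
    if parsed.scheme != "https":
        warnings.append(f"scheme is '{parsed.scheme}', not https")
    host = (parsed.hostname or "").lower()
    owner = registrable_domain(host)
    # A familiar name buried in a longer hostname belongs to whoever owns the tail.
    for good in KNOWN_GOOD_DOMAINS:
        if good in host and owner != good:
            warnings.append(f"hostname mentions '{good}' but the site belongs to '{owner}'")
    warnings.extend(check_domain(owner))
    return warnings


def check_sender(address: str) -> list:
    """The clone-phishing check: is the domain after '@' exactly the one you expect?"""
    domain = address.rsplit("@", 1)[-1]
    return check_domain(domain)


if __name__ == "__main__":
    # Constructed samples, one per warning sign discussed in the post.
    for url in ["https://login.examplebank.com/account",
                "http://examplebank.com/",
                "https://examp1ebank.com/login",
                "https://examplebank.com.login-update.example/"]:
        print(url, "->", check_url(url) or "looks consistent")
    for sender in ["orders@shipping-example.com", "orders@shiping-example.com"]:
        print(sender, "->", check_sender(sender) or "looks consistent")
```

The allow-list is the important part: the check is only meaningful for domains you have typed in yourself from a known-good source, which is exactly the “navigate to the site manually” advice above. Anything that is merely similar to one of those domains gets a warning rather than a pass.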

Pop-up Phishing: Ads and fake virus alerts

Pop-up phishing tries to trick you into downloading malware onto your device. Sometimes you’ll receive a pop-up window that declares your device is infected by a virus and directs you to click on the pop-up to remove it. These pop-ups are designed to scare you into clicking quickly.

Best Practice: Enable and use a pop-up blocker (your browser might have that setting) and do not click on any pop-up windows you see while on the internet.

Search Engine Phishing: Fake product pages

Hackers set up fake product pages, hoping that when you are searching online for that “widget” you might select their phony site. These sites often offer incredible, low-priced deals — luring you to believe you are making a steal of a purchase, when the only steal that is happening is the bad actor collecting your credit card and personal information.

Best Practice: Be diligent and confirm that a company is legitimate — make sure it is a reputable online seller before placing an order.

Image Phishing: Malicious images in email

Image files — photos or illustrations (like memes) — can be carriers of malicious code. The image files may be in the body of an email or attached to it. These images are especially tempting, luring you to open them. One of the reasons your Outlook mail account doesn’t automatically download images from every email sender is to help protect against these types of attacks.

Best Practice: Never download or click on an image within a suspicious email. Use the best practices for other types of phishing methods to validate the authenticity of an email with images, so that you have confidence that the image file is not malicious.

Smishing: Text message lures

Phishing by text message (SMS) is becoming more popular. These phishing texts usually contain malicious links and rely on successful social engineering tactics. The text message will contain a link — perhaps the message looks like it came from a magazine that you subscribe to, telling you that you have won a trip! “Click the link to make your reservation” — but it’s a trap.

Best Practice: Never open a text message link from an unknown phone number. Better yet, call the originator back from the number saved to your Contacts list.
