Common phishing scams and how to prevent them
I think by now we’ve all been contacted by a Nigerian prince looking for someone to help him move his wealth out of the country in return for a share of his fortune. We all know it’s a scam, but did you know a whopping 30% of you still click on phishing scam links?
Phishing scams in particular are getting so sophisticated these days that most of us will need a magnifying glass just to spot the inconsistencies that give away their fraudulent nature.
In today’s post, we will tell you exactly how to recognize a phishing scam and share some classic examples we’ve encountered.
What are phishing scams, then?
The term ‘phishing’ was coined in 1996 by hackers who were stealing ‘America Online’ (better known as AOL) accounts and passwords. Employing the analogy of angling, scammers used email ‘lures,’ laying out ‘hooks’ to ‘fish’ for passwords and financial data. The letter ‘f’ was often interchanged with ‘ph’ as a nod to the original form of hacking known as phone phreaking: the reverse engineering of various tones used to re-route long distance calls.
While these ‘phreakers’ manipulated tone sequences to obtain free calls, the act itself could be argued to be victimless (Well, except for the phone companies…). This is not the case with phishing attacks. Phishers attempt to trick, steal or socially engineer you into divulging your private information. As businesses put complex security mechanisms in place to protect against unauthorized access, criminals target the weakest element in the system: you.
What types of phishing scams are out there?
There are two main types of phishing scams:
An advance-fee scam is a type of fraud that involves promising the victim a significant share of a large sum of money in return for a small up-front payment. If a victim makes the payment, the fraudster will either invent a series of new fees for the victim to keep paying, or will simply disappear.
Traditional phishing scams
Phishing is the attempt to obtain sensitive information such as your username, password and credit card details by pretending to be a trustworthy entity such as Microsoft, Amazon, PayPal or even your bank.
In recent years, many service providers have implemented multi-factor authentication methods that use additional information to verify the user. As a result, phishing kits are steadily getting more advanced as scammers try to find ways to crack the new security measures. For example, in a recent Google report, the search engine giant detailed the results of an investigation into how cybercriminals steal Google accounts. The study found that more than 8 in 10 (82 percent) blackhat phishing tools and almost 3 in 4 (74 percent) keyloggers attempt to collect a user’s IP address and location, while 18 percent of phishing tools gather phone numbers and device information.
While most traditional phishing scams are implemented via email, many phishing attempts happen via social media and even through your work suites such as Dropbox and Google Docs.
Over the years we’ve seen it all, like that time a Skype scambot tried to lure our CEO into plugging in his credit card details.
Or that other time when we teamed up with Bleeping Computer to watch a ‘tech support’ scammer (dubbed Mr Z by the team) attempt to convince us our virtual machine was infected with ‘trozens’ so we’d buy his fake product.
In fact: Tech support scams are so common we’ve covered them in depth here.
While there are countless different ways to phish, these are the most common phishing scam examples:
Regardless of the delivery method, eg; Skype, email or phone call, deceptive phishing is a scammer impersonating a legitimate company in order to receive something from you, whether that be your personal information for identity theft, your credit card details or for you to feel pressured into buying a product that may or may not exist. The methods criminals are using to make you believe the site you are opening is the real deal are getting increasingly clever, as we’ll show you in our examples later on.
Are deceptive phishing attacks but rather than attempting to scam an entire population of people, the attacks are targeted. You may receive an email that includes your name, position, company name and work phone number, or a contact request on Skype where you are directly confronted with personal information.
This is a type of spear phishing where the credentials of a business executive are commandeered via a phishing email, hoax call or Skype scam. These credentials are then used to conduct fraudulent activity. Common examples include Google’s Larry Page himself writing you to notify you about the “official” sweepstakes.
Cloud Storage Phishing
Utilising the suites that many people now rely on for work, these phishing scams are conducted via shared documents. In past phishing scams, Google and Dropbox have even unknowingly hosted these scams in the past with SSL certificates, meaning these scams appeared 100% legitimate.
The most recent example making waves was a phishing email that appeared as Google Docs. It urged users to give permission to the app in order to view the document through a genuine Google Sign-in screen. These permissions allowed a malicious third party web app to access your email and contacts, in turn spreading the phishing email to your contacts.
Redirects traffic from a legitimate site to a malicious one without your knowledge. Any personal information you enter into this page is going directly to the scammers. These pages are usually reached via links shared in deceptive phishing emails, Skype chats and social media ads.
How advanced-fee phishing attacks work: Chatting with a scammer
This email showed up in my inbox from ‘UBS Investment Bank London’ earlier this week. The sender email, [email protected], piqued my interest.
I was amused by the many inconsistencies in the email, such as the fact that it made absolutely no sense. I couldn’t help myself. I had to know. What was the deal? Who was Jerry Joe?
So I called him.
The phone number connects to a man in Basingstoke, England, who didn’t know what to say until I asked him why he emailed me. He continued to ask me my name while I questioned him and assured me repeatedly that if I simply gave him my full name he would be able to give me more information about the business adventure we were about to embark on together.
When I couldn’t get past Jerry Joe’s demands for my personal information on the phone, I responded from a different (pseudonymous) email address to learn more.
Within an hour I had received nothing short of an essay.
A 40% cut of almost £8m? Guaranteed 100% success? Sweet! If I wasn’t already sold on this wonderful opportunity, I had the following attachments to convince me.
Even though I was surprised that the account statement from 2014 looked like it was printed on paper from the 80s, this all seemed incredibly convincing. He went on to say:
Now assured “this was no child’s play,” and that “nothing stupid will happen in this business either now or later” I was to feel safe providing my brother/partner with:
- My full legal name
- My full address
- My age
- Marital status
- A copy of any of my identity documents, either international passport or drivers license.
I can only imagine if I had provided these things, this ‘SIR’ would have had her identity used online to scam other poor souls. And I can’t imagine this is the only aim of the scam. There is often some ‘small fee’ required to facilitate the transfer of my newly acquired fortune. Whereby I offer my credit card details or send money via Western Union or PayPal.
British comedian James Veitch repeatedly converses with scam emailers in a bid to extract some whimsy from the scourge of the internet. In his words, time wasted with him is time that these scammers are not out scamming adults out of their savings. The results are hilarious.
Though it is obvious in the context of this post that the above examples are indeed scams, and while humorous to behold, this is a serious problem. There are still many who are able to be convinced to give up their information through either falling for the initial scam email or being harassed until they are willing to do so. If you receive an email like the one above, simply delete it.
But what about less obvious scam emails?
How to identify a traditional phishing scam
Think about how meticulous you are about your spelling in an email to a customer, your boss or a work colleague. Now imagine the importance a financial organisation, such as your bank, would place on ensuring all brand communication was immaculately presented.
If you receive an email that looks like this, you can be sure it didn’t come from Bank of Scotland:
Though the general layout is quite neat, the incorrect email address, or email spoofing, is your first clue that something isn’t quite right. The random capitalisation in the main header text might not tip you off but the request for you to immediately log on and correct your details should.
There is not a financial organisation on earth that would lead you to a third party site to sign in to your account. If you receive an email like this, go to your online banking directly from your bank’s website in a separate window. Check your secure messages from within internet banking. See any message there about your online account? Didn’t think so.
Scammers take advantage of the fact that we are constantly being bombarded with information at all hours of the day. It is easy to become complacent about what we are clicking on and to whom are we are giving our information.
Keep a clear eye out for the following clues that an email is not what it seems:
- An email is addressed vaguely with salutations such as ‘Dear Valued Customer’ or ‘Dear Customer.’
- The subject uses urgent and/or threatening language such as ‘Account Suspended’ or ‘Unauthorized Login Attempt.’
- You are being offered a lot of money for no reason.
- The email simply makes no sense.
- The message appears to be from a government agency.
- An email, phone call or contact request is completely unsolicited and was not initiated by any action on your part.
- You are being asked to surrender personal information such as your bank account details, credit card information or are being redirected to login with your internet banking credentials.
- Something just doesn’t feel right. If an offer seems too good to be true or you just feel in your gut that something is off, it probably is.
Let’s take a look at a common example close up.
Think you can spot a scam now? Not so fast.
There’s one more type of phishing scam you need to be very aware of.
Now, let’s take a look at the browser bar below. If you were redirected here from an email you wouldn’t see any problem. It looks like Paypal.com. Great! Now, click on the image and look closely.
See the umlaut and tilde above the ‘a’s. This is a scam site that I was redirected to via a link in an email. It’s a common method that our lab team is increasingly seeing to trick users to believe they are accessing a legitimate site. In this case, phishers are exploiting the fact that unicode incorporates many writing systems that each have different codes for the same letter. Using punycode, scammers can register domain names that look identical to a real site.
It is because of legitimate looking login pages like the ones above and altered URL’s like this one that cause people to be so easily caught out.
So how can you protect yourself?
How to prevent phishing scams
Though scams are getting more sophisticated all the time, there are easy steps you can take to prevent phishing attacks.
- DON’T click on any links in emails claiming to be from your bank or any other trusted organisation. Especially if it asks you to verify or update your personal details. Delete these immediately. If you’re in doubt, manually type in the company’s address into the browser and access your account that way.
- DO an internet search of specific names and phrases in an email you are unsure about. Many scams can be identified this way as other victims post their stories on online forums.
- LOOK for https: in any website where you are asked to provide personal details. SSL certificates are used to encrypt the transmitted information to secure identities and financial information over the web. If you don’t see HTTPS in your browser search bar, close it and manually search for the secure address. Always pay very close attention to what is written in the browser search bar. Check for inconsistencies such as symbols that shouldn’t be there and scrambled URLs.
- NEVER provide personal information in an unsolicited phone call. Even if you believe the person calling you is legitimately from your bank, call your bank directly on the number listed on their website to be sure. They will confirm if you were contacted and why. Never return a call on a phone number given to you by the caller directly.
- ALWAYS report a scam to the Anti-Phishing Work Group to ensure that others who are affected by the same scam can find out about it online.
As you can see, some people will try anything to scam you out of your hard-earned money, and the lines are always being blurred between phishing for information and scamming users for financial gain. But never fear. You have all the tools you could possibly need to spot a phishing attack a mile off! All it takes is clear eyes and a few second’s consideration to avoid infection. Now that you know what to look for, you can even help someone else to do the same!
Have a great (scam-free) day!
We’ve shown you ours, now show us yours. What’s the craziest scam you’ve ever encountered? What did you do about it? Tell us in the comments.Mobile malware targets Android users