Phishing scams have one of the most descriptive names in all of computing, mostly because of how similar phishing is with fishing. Just as one does when one goes fishing, bait is dangled in the hopes of getting a bite - but to take the comparison one step further, different types of bait can be used, depending on the catch one is trying to make.
Just as one can fish with live bait, lures, or flies, there are different methods that a hacker can use in their phishing attack. Therefore, in order to truly protect your business against phishing attempts, you need to ensure that you and your employees can identify all of the different phishing methods they may encounter. These practices are good to take home with you too, as personal email accounts are also targets of phishing.
Only too often, an organization will appear to send someone a notice that their account is going to be deactivated, and they have to follow a provided link to log back in - right now - in order to preserve their account. This “helpful” email will also suggest that they update their credit card information, too. You know… just to be safe.
These scams are easy to spot if the service that is being deactivated isn’t one that is actually used. However, some businesses have accounts with a very substantial number of companies, so it can be difficult to keep track without the proper systems in place. These scams are only more convincing if there is actually an account with the service that is apparently reaching out. Even worse, it isn’t uncommon for these scams to come with warnings against scams or claims of security, or one that actually links to the legitimate company website.
To fight against these scams, it never hurts to try the URL test. Hover your mouse over any links without clicking, and check to see if the URL matches what you would type into your browser. An even safer course of action is to reach out to the company directly through another method, like sending a fresh email to their support or giving them a call instead to confirm that the email was sent from them.
These classic scams are the ones that probably first pop into your mind when you hear the phrase “email scam.” You know the ones - out of the blue, someone contacts you with a request that you assist them in moving a large share of money, with a considerable portion of it going to you for your troubles. These scams are known as such because the first wave of them originated in Nigeria, pertaining to a Nigerian prince. However, instead of riches as their reward, victims of these scams have their own finances stolen, and are even sometimes arrested if they are lured to Nigeria itself, as has happened in the past (after all, they are conspiring to remove Nigerian monies from the country).
These scams, like many others, can be foiled by the old adage, “If it’s too good to be true, it probably is.” However, many people from all walks of life and levels of presumed intelligence have been fooled by these scams.
Fortunately, most of Orwell’s 1984 can still be considered fiction, but these scams rely on the opinion that Big Brother is very real, and very much out to get us - especially if one is engaged in behavior that isn’t considered acceptable in public context, or is just plain illegal. These phishing scams are the ones that claim that the FBI is about to kick down a user’s door for illegally downloading content or watching adult materials. The only way the guilty user can (supposedly) save themselves? Pay immediately, using the provided link. Sometimes, that's the only thing the computer can do at this point, because the scam included some ransomware that’s locked the computer up. Of course, that’s something you should never do, because it only encourages the hacker to continue their actions, and there’s no guarantee that the hacker will live up to their end of the deal.
These scams can take a few different shapes. Some scammers like to phish users by creating a fake alert that malware has taken over the computer, so someone needs to remote in and fix it. This way, if a scammer is trying to gain access to your device, they just need to wait for you to give it to them. Don’t.
If your computer has been infected with ransomware as a side effect of this scam, you’re going to have to wipe your computer and start fresh from a comprehensive backup solution (which is something that your organization definitely needs to have). This is annoying, but it is a much better alternative than paying a huge sum to probably not get your access back. Otherwise, all you need to do is ignore the email, after reporting it to IT, of course. The Federal Bureau of Investigation (or whoever is allegedly about to storm your location) has more important things to do than hunt you down, unless there’s a different reason they may want to.
Wire Transfer Scams
Proving that something as simple as phishing can turn even the biggest companies into victims, one only has to look to Google and Facebook for an example. A combined $100 million was taken from the companies when a scammer named Evaldas Rimasauskas posed as hardware supplier Quanta Computer. Basically, by examining the accounting department’s records, Rimasauskas was able to fraudulently submit invoices and collect his bounty from the Internet giants over a period of two years.
Again, the most effective way to stop these kinds of scams is to simply have the controls in place to prevent them from being effective. Make sure that any money transfers are fully vetted, verified, and authenticated before sending them, and ideally, the computers used to send them should be isolated from the Internet and your network unless actively in use.
The Internet has made the job-hunting process a lot easier for quite a few people. Unfortunately, it also makes it a lot easier for scammers to launder the money they have stolen by leveraging these job-seekers as unwitting co-conspirators. By hiring people on these job sites, a scammer will deposit their ill-gotten funds into their accounts, with orders to transfer that money to another account or to convert it into a cryptocurrency. Many will include these tasks as a part of a greater list of responsibilities to make the “job” seem more legitimate. Some will pay a salary, and others will just have the “employee” keep a portion of the deposited money.
While it may sound like a dream job, this kind of work is more of a legal nightmare for those involved, seeing as it is a crime. Anyone who unwittingly participates in these scams needs to cut ties with the scammers and retain some legal counsel, as they could very well face money laundering charges.
Thanks to cellular devices, phishing has been able to go mobile in a few big ways: phishing via SMS, or ‘smishing’, and phishing via spammy social engineering voice calls, or “vishing”. Smishing effectively just takes the typical phishing email and transplants it to a text message. Vishing prompts you to input sensitive information through a recorded message. For instance, a typical vishing attempt might appear to come from your credit card company and ask you to input your card number to confirm whether or not you’ve been breached. If you hand over your number, the answer is automatically “yes”.
Despite these efforts being relatively very basic, they are often a success for the scammer simply because of the delivery method. Surprisingly, people still don’t anticipate that a scam can come in via text. However, if a message is received that seems suspect, your defense against a potential scam of this kind is just as basic as the scam’s efforts: ignore it and delete it.
These phishing scams are hugely dangerous, as the wrong move could ultimately lead to the loss of life with terrifying ease. Imagine, you’re at home, far from your work technology (not counting the smartphone in your pocket), just relaxing at the end of a long day... and a fully-equipped specialized squad of law enforcement officers suddenly bursts through your door, weapons at the ready.
This is the effect of a SWATting attack, in which a cybercriminal spoofs a phone number to call in hugely serious threat, prompting a massive response from law enforcement. Let’s face it, it’s hard to be productive with sirens blasting outside the office and officers shouting commands into bullhorns outside, let alone when the investigation makes its way inside the office. While you’re distracted, the cybercriminal works on whatever goal they have with the confidence that you’ll be looking the other way for quite some time. Some high-profile cybersecurity experts and reporters have been targeted by these attacks so often, their police departments call them back to confirm that yes, there is an actual emergency before deploying the big guns.
With any luck, this attack will only ever be rolled out against you sparingly, if at all. However, it may not hurt to inform your local law enforcement about these threats before one strikes, especially if you have reason to believe that you may be a particularly good target.
This variety of phishing has been around for years. Basically, instead of your phone ringing when a customer tries to call, the call is forwarded to a phone in the possession of a scammer. This is because the scammer has already reached out to the phone company on your behalf and requested that any incoming calls to your number are rerouted to a phone they control. Alternatively, they may have convinced you or one of your employees to dial a sequence of numbers after reaching out to you.
If yours is the type of business to accept credit card payments, the caller may be only too willing to hand over their card details to the scammer. After all, they’re just trying to place an order. As far as they know, they called you, and are talking to you. This scam can also be used to stick you with their telephone charges. Protecting your business can be somewhat simple, as long as you’re being mindful. Don’t press buttons based on the request of an incoming call, and make sure you have a reasonably good working relationship with your telephone provider.
SEO Poisoning and Look-Alike Websites
Finally, there are tons of phishing scams that lurk online, waiting for you to click on the wrong thing. Quite deviously, scammers are embracing the use of Search Engine Optimization, commonly referred to as SEO.
SEO practices are how some websites always seem to rank higher than others when you turn to a search engine for answers. By making certain choices and meeting certain criteria, these websites meet the standards of the search engines well enough that the search engine decides to rank them more highly in the list. For instance, as this was being written, a quick Google search for “seo” returned about 411 million results in less than a second. Based on the factors that Google takes into account, those 411 million results were also sorted by anticipated relevance and the quality of their SEO preparedness.
Unfortunately, this tool can be used to a scammer’s advantage as well. A scammer might send you a simple little virus, just a program that brings up a warning for error code 357. There’s no such thing as error code 357, but you may not know that. So, you turn to Google (or whatever your preferred search engine may be) and look up error code 357. A well-prepared scammer will have created a well-optimized page detailing error code 357 and offering a download to fix it. This download, unfortunately, contains a nasty payload that you just welcomed into your system.
Alternatively, many scammers will just replicate websites in great detail, and using SEO tactics, make it easy for someone doing a quick Google search to click on the wrong one. From there, anywhere the victim can “log in” is an opportunity for their credentials to be stolen.
Fighting Back Against Phishing
Clearly, phishing is a little more complicated than many people realize. Fortunately, the pros that work at MERIT Solutions aren’t those people. If you want our assistance and expertise in setting up solutions that can help keep phishing scams and other threats out, give us a call at (757) 420-5150.