What is phishing and why should I care/worry about it? Phishing is when someone uses misrepresentation to make you believe something that isn't true. For example: Not really your bank's website, you're not emailing who you think you are, you're not talking to who you think you're talking to on the phone. Let’s have a conversation about the basics.
There are a few basic categories of phishing:
- Generic Phishing – Emails that appear to come from a bank or other company you might have an account with. They claim to have a problem or there is a ‘free’ something if you just click on the link. You get directed to a site that may look like the one you’re trying to go to but is actually somewhere entirely different. If you look in the address bar above in your browser you will the the URL doesn’t look right.
- Vishing – You get a call from a number that ‘appears’ to be the actual people calling but it is in fact someone spoofing the number and trying to get information or steal your identity. For example your phone rings and the caller id shows your bank name but they call and offer some kind of deal that’s almost impossible to resist or they claim a non-existent problem to gather information from you.
- Smishing – you get an sms message on your phone with a link to click on or a number to call. Total misrepresentation and usually trying to install malware on your phone or find a way to steal your identity.
- Search engine phishing – Usually a fake webpage that takes advantage of a ‘typo’ and grabs your browser to install malware or exploits. For example: you type regoinsbank.com instead of regionsbank.com and that misspelled domain name is actually linked to a site that is designed to infect your computer or trick you into entering your credentials.
- Spear-Phishing - This popular attack involves gaining access to an email account or spoofing an address to trick the user into revealing information or doing something the attacker wants (for example: an email looks like it comes from your boss and it directs you to buy some gift cards for an upcoming contest and send them to an address that supposedly belongs to the ‘event’ coordinator). This is rising in popularity and sometimes they have managed to get access to either your email or the sender’s and studied the existing emails on the server enough to craft a message that seems believable. Hard to defend against, however having a second layer of permission when money is to be used/transferred will usually protect you against this. For example. If you regularly transfer money have the other person call you by voice and ok the transaction. Or send you a text also stating the email is correct.
- Whaling – this is when someone is going after the CFO,CEO,CIO, etc… They’ve got access to one of the senior staff in the company and they’re either using that email to order transfers that don’t exist or they’re trying to gain information that is worth money to someone. These are very targeted and usually only carried out by people that really have some experience with what they’re doing and possibly some knowledge of the industry they’re trying to fake out.
- Social media phishing – This is relatively new and appears to be primarily focused on females that are on Instagram, facebook, or games that support a ‘chat’ feature and other social media venues. It starts off with an innocuous ‘hello’ message to establish rapport. Once they manage to establish some kind of rapport they continue to build on the relationship providing the ‘attention’ their target desires. This relationship blossoms and they have conversations with their victims. Sometimes they just ask questions that appear innocuous and involve little things like family, pets, daily life, birthdays, favorite items. These are used to steal your identity and possibly provide answers to security questions and make it easier to steal access to a bank or email account and totally steal your identity. Sometimes sex is mentioned. If possible they ease their quarry into talking about their sex life or things they would like to do that they aren’t doing. Eventually there is a ‘picture’ exchange. The quarry gets picture of the guy their talking to (in most cases they claim to be in the military) and the pictures are totally fake or stolen. This is why these accounts are usually private or it is very hard to verify their identity. The victim sends some pictures and then these pictures are used to extort either cash, more pictures or information from the victim. There are cases where victims after sending compromising pictures were forced to send even more money to their ‘boyfriend’ to keep him from sending them to her family he had located on facebook. In one instance a victim had sent a scammer tens of thousands of dollars because he told her he was a soldier and trying to get a box of ‘gold’ he discovered in the middle east into the US. She was an educated professional that definitely knew better but she got emotionally involved and it clouded her thinking. It’s easy to claim that it won’t happen to you but they probe and use their conversations and every question answered by the victim to build profiles and figure out their victims weaknesses. Avoid this by not accepting friend requests from people you don’t know and don’t chat with people you don’t know in real life. You never know who is on the other screen.
In short, Phishing is basically fraud on a wide scale and they count on a small percentage of people to fall for their scam or to provide enough of an opening for them to compromise the victims computers or identities. You have to remember the end goal is money. There are multiple sites on the darkweb that will sell you an American bank account with $10,000 or more dollars in it for $800… They provide the passwords you get the access to take the money.