Although still the majority, phishing emails—the ones where you’re tempted into clicking on a phishing link that takes you to a phishing page where you willingly divulge the deepest of your username & password secrets—have given way to a host of sub-categories of phishing techniques. Each one targets a different class of victim, each using a particular channel of communications (SMSs, push notifications, social media, messaging apps, etc), and each with its own specific threat.
And, as with any topic that gets subdivided into specializations, the lexicon just keeps getting richer. The first phishing branch-off occurred when someone decided that phishing using SMS messages instead of emails would henceforth be called ‘smishing’ – not particularly inventive. But ‘vishing’, ‘spear phishing’, and ‘whaling’ soon followed. Let’s examine them one by one.
At the end of each heading, we will provide some steps of caution, but—so as not to be repetitive—remind you only once that the best form of protection is safeguarding the bottleneck: install novoShield to prevent the phishing webpage from opening—even if you do inadvertently click a phishing link.
Smishing
SMS phishing messages will usually come from a purportedly trustworthy organization, such as your bank or credit card company, a utility, or a government agency. They will usually contain an element of urgency (‘pay now’) or threat (‘or else’), and may even constitute a thread of messages.
Smishing became particularly popular during the height of the Covid pandemic, when people received messages warning that they had been in contact with an infected acquaintance. As covered in a previous post, the “what to do” button would then lead to a fake health-authority web page requesting personal information. The more virulent versions would result in malware being downloaded to your device, giving the attacker access to stored data such as bank passwords and more.
* * * *
In general:
- Be suspicious of text messages purportedly from a reputable organization, such as a bank or credit/debit card issuer.
- Be wary of ‘urgent’ text messages demanding you call a phone number or visit a website to resolve an issue or verify your details.
- Do not call a phone number, or click a link, that is embedded within a text message.
- Do not respond to text messages that request personal information, such as your bank account details. Instead, call your bank using a number you have obtained independently.
- Never reply to text messages that request your PIN or password.
Vishing
Voice phishing is just another term for telephone scamming. It is perhaps one of the oldest phish in the phishbowl: scammers did not wait around for the internet to be invented before it took off. The oldest example is Mr. Edison telling Watson to “come here”… which he thoughtlessly did, only to be informed that his raise had been postponed once again.
With the wealth of information available through social media, however, it’s now much easier for a scammer to convince the victim that he is genuine. He knows all about me—he must be legit. He will call by phone or WhatsApp, posing as a bank rep or law enforcement agent, and trick the target into revealing sensitive information, either over the phone or by directing him to a fake website.
One of the most notorious of these occurrences took place in 2013, when the UK’s Barclays Bank was hit to the cost of £1.3 million (USD $1.8 million). The attackers posed as Barclays employees and called customers, claiming that there was suspicious activity on their accounts. The attackers then convinced the customers to transfer their funds to a “safe” account that was actually controlled by the attackers.
* * * *
Some best practices that could keep you out of trouble:
- Be wary of unsolicited phone calls, especially those that request sensitive information or demand immediate action.
- Verify the identity of the caller before donating your data. Ask for a name, employee ID, and call-back number, and then verify that information independently.
- Do not download any software or give remote access to anyone who calls you unsolicited.
Angler phishing
The third most popular channel for phishers is social media. Angler phishing will often target disgruntled users by posing as customer service agents offering assistance—either through the platform or via another channel. The attackers first create a fake account that spoofs (imitates) the legitimate company the user is complaining about, and use it to harvest the victim’s account credentials (at best) or financial details (at worst). They may also offer a link to a fake agent on a fake website.
Angler phishing is particularly popular for ransomware criminals attempting to hijack the accounts of social media influencers, who have invested time and money in developing huge followings (hundreds of thousands and even millions). The scammer will then lock the account owner out and hold that account for ransom.
* * * *
To avoid this,
- Check to see if the account is verified BEFORE responding to a customer service or support rep. Each channel has its own verification test, such as Twitter’s by-now-much-maligned checkmark.
- Beware of shortened links (tinyurl, Goo.gl, Ow.ly, Buff.ly, etc.). You can read the original link by hovering over it, or expand it by pasting it into a (hopefully legit) online site, such as CheckShortURL or URL Expander. Finally, if in doubt—don’t click!
- The best solution, of course, is to contact customer support directly and await a response. Sadly, most social providers (Facebook and Instagram in particular) have inadequate and shrinking human support teams, and rely on their monopoly to afford ignoring customer complaints.
Spear Phishing
Spear phishing is a type of phishing attack that targets specific individuals or groups with personalized messages that appear to come from a trusted source. As with vishing, spear phishing attackers research their victims to craft targeted and convincing messages. Attackers employ a wide range of techniques, including spoofed email addresses or websites, fake social media profiles, and convincing language, to trick the target into clicking on a malicious link or downloading a file.
Some well-known examples have been so successful that they have even earned their own Wikipedia page:
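As an added, defender-side illustration of the sender spoofing described above (this is example code written for this article, not code from the original post or from novoShield): a small Python checker that reads the address headers of an email and reports the signals a spear-phishing message typically carries, namely a display name that claims a brand the sending domain does not belong to, a lookalike domain built from character substitutions, and replies or bounces routed to a different domain. The trusted-domain list, the brand keyword and both sample messages are constructed for this example.

```python
"""Flag sender-spoofing signals in an email's address headers.

Added example: the trusted domains, brand keyword and sample messages below
are assumptions constructed for illustration, not real mail.
"""
from email import policy
from email.parser import Parser
from email.utils import parseaddr

# Domains the organization genuinely expects mail from (assumed list).
TRUSTED_DOMAINS = {"google.com", "accounts.google.com"}
# Brand word whose appearance in a display name implies a claim to be that brand.
BRAND_KEYWORDS = {"google"}


def normalize(domain):
    """Undo common lookalike substitutions (0->o, 1->l, rn->m, vv->w)."""
    d = domain.lower()
    for fake, real in (("0", "o"), ("1", "l"), ("rn", "m"), ("vv", "w")):
        d = d.replace(fake, real)
    return d


TRUSTED_NORMALIZED = {normalize(d) for d in TRUSTED_DOMAINS}


def domain_of(header_value):
    """Return the domain part of an address header, or '' when absent."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def analyze(raw_message):
    """Return a list of human-readable findings for one RFC 822 message."""
    msg = Parser(policy=policy.default).parsestr(raw_message)
    from_name, _ = parseaddr(str(msg.get("From", "")))
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    return_dom = domain_of(msg.get("Return-Path"))
    findings = []

    # 1. Display name claims a brand but the address domain is not that brand's.
    claims_brand = any(k in from_name.lower() for k in BRAND_KEYWORDS)
    if claims_brand and from_dom not in TRUSTED_DOMAINS:
        findings.append(f"display name '{from_name}' but sending domain {from_dom}")

    # 2. Domain is not trusted but collapses onto a trusted one once substitutions are undone.
    if from_dom not in TRUSTED_DOMAINS and normalize(from_dom) in TRUSTED_NORMALIZED:
        findings.append(f"lookalike domain {from_dom}")

    # 3. Replies or bounces are routed to a domain other than the visible sender.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    if return_dom and return_dom != from_dom:
        findings.append(f"Return-Path domain {return_dom} differs from From domain {from_dom}")
    return findings


# Constructed phishing sample: brand claim, zero-for-o lookalike, foreign Reply-To.
PHISHING_MESSAGE = """\
From: "Google Security" <no-reply@g00gle.com>
Reply-To: support@mailer.example
Return-Path: <bounce@g00gle.com>
To: staff@dnc.example
Subject: Someone has your password

Someone just used your password to try to sign in. Change it now.
"""

# Constructed legitimate sample for comparison.
CLEAN_MESSAGE = """\
From: Google Accounts <no-reply@accounts.google.com>
Return-Path: <no-reply@accounts.google.com>
To: staff@dnc.example
Subject: Security alert

A new device signed in to your account.
"""

if __name__ == "__main__":
    for label, sample in (("phishing", PHISHING_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(label, analyze(sample) or ["no findings"])
```

Run on the constructed phishing sample the checker reports three findings (brand claim, lookalike domain, mismatched Reply-To) and none on the clean sample. A Reply-To or Return-Path on a different domain is not proof of fraud on its own, since mailing-list and ticketing systems do this legitimately, so in practice each finding is a score contribution rather than a verdict.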
The DNC Hack
In 2016, Russian hackers targeted the Democratic National Committee (DNC) with emails to DNC employees that appeared to be from Google. They warned victims that their accounts had been compromised and instructed them to change their passwords. When employees clicked on the link, they were directed to a fake website where they were prompted to enter their login credentials. The hackers then used these credentials to gain access to the DNC’s email system and steal sensitive information.
The Target Data Breach
In 2013, Target was hit with a massive data breach that compromised the credit card information of 40 million customers. The attack targeted a third-party vendor that had access to Target’s systems. The attackers sent emails to the vendor’s employees that appeared to be from Target, requesting login credentials. When the employees provided the credentials, the attackers were able to gain access to Target’s systems and steal customer data.
The Google Docs Phishing Scam
Cloud computing has enabled many small businesses to compete with major corporations. However, it also exposes them to additional threats. One of the first providers, and one which continues to be hit with attacks, is Google. In 2017, a phishing scam targeting Google Docs users involved emails that appeared to be from a known contact. Victims were invited to view a Google Doc but were instead directed to a fake Google login page, from which the scammers harvested the victim’s Google login data, gaining access to all of his/her stored content and information.
* * * *
Spear phishing is complex and sophisticated. The perpetrators take great care to investigate their victims and imitate legitimate sites. Even professional cybersec personnel are often fooled.
Take the following steps:
- Be wary of emails from unknown sources, especially if they contain suspicious links or attachments.
- Verify the identity of the sender before clicking on any links or downloading any files.
- Use two-factor authentication to add an extra layer of security to your accounts.
- Keep your software and antivirus programs up-to-date, and use a VPN to prevent attackers from intercepting your data (though this may slow your internet down considerably).
Pharming
Some phishing methods are more technically complex than others. Pharming is one. It targets the Domain Name System (DNS), which translates domain names into IP addresses. When a user types a website URL into their browser, DNS resolves the domain name to the corresponding IP address, and the browser connects to that address.
Pharming attacks can occur in several ways. One method is to manipulate the user’s own computer by installing malware, such as a Trojan, that modifies the DNS settings or the hosts file. Another method involves attacking the DNS server directly, either by exploiting vulnerabilities or by using social engineering tactics to gain access to the server.
Once name resolution has been corrupted, the user is redirected to a malicious website that looks identical to the legitimate one. The user may be prompted to enter sensitive information, such as login credentials or credit card details, which the attacker can then collect for malicious purposes.
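As an added, defender-side illustration of the hosts-file manipulation just described (example code written for this article, not code from the original post or from novoShield): a small Python checker that parses a hosts file and flags entries that override domains you care about, or that pin any non-local name to a non-loopback address. The sample hosts content, the watched-domain list and the addresses in it are constructed for this example.

```python
"""Inspect a hosts file for pharming-style overrides.

Added example: the watched domains and SAMPLE_HOSTS are constructed
assumptions, not real data from any system.
"""
import ipaddress

# Domains a pharming Trojan would plausibly want to redirect (assumed list).
WATCHED_DOMAINS = {"bank.example", "mail.example", "login.example"}

# Names that legitimately appear in a stock hosts file.
LOCAL_NAMES = {
    "localhost", "localhost.localdomain", "ip6-localhost",
    "ip6-loopback", "ip6-allnodes", "ip6-allrouters", "broadcasthost",
}

# Constructed sample: standard entries followed by injected overrides.
SAMPLE_HOSTS = """\
# Standard entries
127.0.0.1   localhost
::1         localhost ip6-localhost ip6-loopback
# Entries a pharming Trojan might add (constructed for this example)
203.0.113.45  bank.example www.bank.example
203.0.113.45  login.example
198.51.100.7  cdn.example   # not watched, but pinned to a public address
"""


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs, skipping comments, blanks and malformed lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not a parseable address (e.g. scoped IPv6 literal); ignore
        for name in parts[1:]:
            yield ip, name.lower()


def find_overrides(text, watched=WATCHED_DOMAINS):
    """Return (hostname, ip, reason) triples for suspicious hosts-file entries."""
    findings = []
    for ip, name in parse_hosts(text):
        is_watched = any(name == d or name.endswith("." + d) for d in watched)
        if is_watched:
            # Any pin of a watched domain is suspicious, including a loopback
            # blackhole that would silently block the real site.
            findings.append((name, str(ip), "watched domain overridden"))
        elif name not in LOCAL_NAMES and not ip.is_loopback:
            findings.append((name, str(ip), "non-local name pinned to address"))
    return findings


if __name__ == "__main__":
    for name, ip, reason in find_overrides(SAMPLE_HOSTS):
        print(f"{name:<18} -> {ip:<15} {reason}")
```

On the constructed sample the checker reports four entries: the three watched-domain overrides and the pinned cdn.example line. Developers and corporate endpoints often have legitimate custom hosts entries, so the second rule is a prompt for review rather than an alert on its own; on a real machine you would feed the function the contents of /etc/hosts or, on Windows, C:\Windows\System32\drivers\etc\hosts.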
Operation Ghost Click
In 2011, a group of hackers carried out a large-scale pharming attack that affected more than four million computers in over 100 countries. The attackers had infected computers with malware that modified the DNS settings and redirected users to fraudulent websites. The attackers made millions of dollars from fraudulent advertising revenue and the theft of personal information.
NetNames
In 2013, domain name registrar NetNames fell victim to a pharming attack that resulted in the theft of customer data. The attacker had gained access to the company’s DNS server and redirected website traffic to a fake website that collected customer information, including credit card details.
* * * *
As with Spear Phishing, Pharming can be difficult to detect, but there are steps you can take to protect yourself:
- Keep your computer’s software and antivirus programs up-to-date, and use a reputable and trustworthy DNS service.
- Type in website addresses manually instead of clicking on links in emails or on social media.
- Look for the padlock symbol and “https” in the URL bar, which indicate that the connection is encrypted and that the site presented a valid certificate for the domain you typed; a pharmed site that cannot do so will trigger a browser certificate warning, so never click through one.
- Be wary of unexpected or unusual pop-up windows or requests for sensitive information.
And, above all else, install novoShield—we’re all human, but the price of that can be mitigated.