Phishing, Smishing & Vishing

Learn some common ways that cyber crooks try to gain access to your personal information and accounts.

The below post provides information about phishing, smishing, vishing, and more, and was provided from SoS Daily News and just too good not to share!

Top Phishing Scams Continue To Improve And Grow

 

April 19, 2022

Much to our dismay, cybercrooks keep finding ways to better the phishing tools they have and find other ways to include new and sneakier methods of thievery. Organizations and individuals are targets, and thieves steal money, identities, credentials, and more from both every day. Even cyber-savvy users can get caught in phishing scams if they don’t pay close attention to the signs and signals that something isn’t quite right. Reviewing the most pervasive phishing scams is always recommended because an educated user can be the best tool against the many forms that phishing takes.

Email Phishing

This is currently the most popular type of phishing lure and it lurks in almost every inbox. Fake domain names and redirected URLs are just a few ways phishing emails get opened and acted on. The subject line and content are designed to get a response and gain the trust of recipients by appearing legitimate. Sneaky crooks use every trick in the book to scam their way into your trust, hoping you’re not paying close attention to detail.

An example of a suspect email address involved in a scam

  • Closely examine URLs, including spelling. Fraudsters transpose, add, and delete letters to sneakily misspell a web address. This brings you to a bogus, exact duplicate website solely created to dupe users into believing it’s what they’re expecting to see. Subtle details like leaving the “s” off of “https” in the URL are also red flags.
  • Avoid following links or opening attachments in emails. Instead, type the true URL for the website yourself because links can easily and quickly redirect you to bogus websites and attachments can be loaded with malware. Be sure to not misspell the domain to avoid Typosquatting attacks detailed below.
  • Don’t trust, but verify email senders, especially before providing any sensitive information at work and at home.

Spear Phishing

 

It’s a twist on email phishing that directly targets the recipient by name, known interests, work relationships, friendships, and other specific details about you. Scammers scour social media to learn about ways to target recipients and gain their trust. The public information is combined with data available from the many breaches. Then it is weaponized against you to develop specific and targeted email attacks.

  • Limit the information you post on social media, such as Facebook and Instagram, as well as on LinkedIn, and other websites that spear phishers look to exploit.
  • Use two-factor authentication (2FA) or multi-factor authentication (MFA) whenever possible. Each layer of verification ensures the right person is accessing accounts and not someone claiming to be you.
  • Using artificial intelligence (AI) tools help alert when an account has been compromised.

Whaling

 

A type of spear phishing that targets those on upper levels of management and in control of funds. CEOs are not spoof-proof and are vulnerable to the same phishing tricks that target regular staff.

Aside from phishing scams, BEC scams tend to use look-alike domains.

  • Verify Client Certificates are legitimate.
  • Set email filters to a level that flags suspicious senders, even before they make it to an inbox.
  • Financial transactions should have the highest levels of verification, including face-to-face verification tools.

Smishing and Vishing

 

Smishing uses text messages rather than emails, often with a legitimate-looking link

Smishing uses SMS and text messages as the lure. The message usually comes with a legit-looking link, even including the first or last few numbers of an account you have in the text message. Getting you to believe it is legitimate is the first step to compromising your account numbers and other confidential information.

Vishing attacks are voice calls, many robocalls, that often seek to concern and scare recipients into responding with the desired confidential information.

  • Never answer a text or phone call from a sender you can’t verify before supplying any information.
  • Hang up and redial the phone number directly. Chances are you’re a vishing target.
  • Never respond directly to a text message that’s looking for information or follow links in the text.
  • Go directly to the true source yourself to verify the sender. Look up the real phone number or website URL and input it yourself. That way you can tell if your personal information is truly needed and a legitimate request.

Typosquatting

 

Also called URL or domain hijacking (do-jacking), typosquatting takes advantage of incorrect spellings for URLs, or typos a user makes without realizing it. Rather than use a browser to connect to websites, hackers are sitting on misspelled websites just waiting for a bite. The most minor deviations in spelling can bring you to a look-alike, spoof website. Many then disappear immediately after stealing your payment card and other information.

Typosquatting involves buying the domains of popular websites except with common typos in them, like amozon instead of amazon.

  • Check and double-check URL spellings before connecting. Making sure every character, hyphen, and apostrophe is in place can save a lot of headaches.
  • Use previously bookmarked sites when possible.

Angler Phishing

 

The latest and fastest-growing phishing threat that uses social media spoof sites to draw users into a providing information that’s easily stolen. They often masquerade as social media customer service account sites that ask for sensitive information. They then threaten to close the account or take other action if the data isn’t provided.

Example of how Angler Phishing is used on Social Media

  • Address account issues only on the official social media website.
  • Look for an official blue checkmark verification symbol, like those found on Twitter and Instagram messaging, when it makes sense the account should have one.

If you have any questions or concerns about any of the scam related topics above, contact a member of the Metrum Credit Union team!