Coined in 1996, the term phishing is analogous to the sport of angling — internet scammers “fished” technology users, luring them into sharing passwords or other valuable information.
According to the FBI, phishing was the most prevalent form of cybercrime for 2020 — up 100 per cent from 2019. Nearly 75 per cent of organizations globally were targeted by phishing attacks in 2020 and 74 per cent of U.S. organizations were compromised by a successful phishing attack.
More than 95 per cent of all phishing attacks are designed to collect information such as personal and corporate data that can be used for illicit purposes and resold on the Dark Web.
Locally, a phishing scam drew the attention of police when a senior citizen in Kingsville received a call this month that their credit card had been compromised. In order to confirm the card was still valid, they were instructed to purchase some Google Play cards and forward them to the caller.
When the senior tried to purchase the cards, the retailer sensed something was wrong. Police were called and the scam was foiled.
Conventional phishing attacks often contain some form of malicious software (malware) launched by prompting the target to click where directed. The malware can be concealed within an attachment (Word documents, Excel files, PDFs), or website links contained in the body of an email. Once clicked on, malware is executed allowing others to access the targeted system remotely. Some malware is designed to gather and forward sought-after information without requiring assistance from the perpetrator.
Cybercriminals use emotion-driven words in their messaging such as urgent, request, important, payment, attention, immediate and action to increase the success of a phishing attack. Those cyber “power words” appeal to five common feelings or emotions — fear, guilt, helpfulness, obedience and urgency.
My theory, RESCAT (Required Elements for a Social Engineered Cyber Attack Theory), delves into how cybercriminals use social engineering to prey upon human nature and curiosity and incorporate emotions that influence decisions we make when faced with crafty phishing attacks.
How can you protect yourself from being phished? General phishing attacks are forwarded to multiple targets — a numbers game of sorts that relies on recipients coerced into being victimized.
Other types of phishing are tailored to the victim. Spear phishing, for instance, is particularly effective because messages contain information unique to the recipient, thereby appearing more legitimate. Whaling, like spear phishing, is target-specific, aimed at senior executives, those in positions of power or significant wealth, in anticipation of obtaining greater returns for bad actors.
BEC (Business Email Compromise or CEO Scam) includes directives to forward payments to alternative bank accounts. One U.S. company narrowly avoided a loss of US$20 million when an employee, reacting to an email appearing to originate from their CEO requesting immediate payment to a known local supplier, attempted to transfer the funds.The email included new banking information for an out-of-state bank.
Cat phishing preys on people’s goodwill, conscience or sympathy to forward funds to assist others in need. Romance scams or false claims of illness or lawsuits, or the need for money to recover from a disaster, are examples.
Inquiries as to the legitimacy of the request, by replying to the original email, would have gone directly to the hacker who sent the message via a fake email account appearing to belong to the CEO. While a phone call to the CEO would have revealed the scam, fear of not obeying a directive from an executive, and wishing to be obedient and helpful to the urgent request, may explain why no call occurred. Incredibly, while processing the request, one digit of the supplied bank account number was entered incorrectly, resulting in the funds not being transferred.
SMiShing (Short Message Services) is phishing via texts to smartphones and has grown dramatically as messaging and app usage on smartphones increases. Attempts to verify who sent a text are difficult given limited visible information. Simply touching a message may cause the launch of malware.
Vishing (voice phishing), such as the recent attempt to scam a Kingsville resident, is conducted by phone. The caller asks for personal or financial information, requests donations or uses threats, pretending to be from the tax, police, or immigration agency in order to cause fear, obedience and urgency. Common sense can help prevent being vished.
Angler phishing uses personal data freely divulged on social media sites, or by persuading someone to provide the information through social engineering.
Cat phishing preys on people’s goodwill, conscience or sympathy to forward funds to assist others in need. Romance scams or false claims of illness or lawsuits, or the need for money to recover from a disaster, are examples.
Watering hole attacks are directed at specific industries or large groups by infecting frequently accessed websites with malware that will execute on future visits.
Regardless of the type of phishing scam, never be coerced into responding quickly to urgent requests or threats. This applies to correspondence from both familiar and unfamiliar sources.
Cybercriminals can increase the percentage of recipients willing to provide or confirm personal information (obedience), or who will respond to time-limited offers (urgency, greed, or fear of missing out) by including logos of legitimate organizations. All emails should be examined to verify the legitimacy of the sender. Hovering your mouse pointer over the sender’s name will reveal the sender. However, the sender’s name can be spoofed as well by altering a single character. If in doubt, contact the organization or individual to inquire if they sent the communication.
Taking time to consider the legitimacy of all emails, texts, or phone calls will reduce the risks of being successfully phished. Remember — Don’t be Quick to Click!
Chris Kayser is cybercriminologist and founder, president and CEO of Cybercrime Analytics Inc. He is the author of two books, Cybercrime through Social Engineering — The New Global Crisis and How to Master an Online Degree — A Guide to Success. He can be reached at ckayser@cybercrimeanalytics.com or at www.cybercrimeanalytics.com.
