While you’re reading this blog, hackers are thinking of ways to steal passwords and personal information. Your passwords and personal information. They may use that data for themselves, or sell it on the open market. As we detailed in our recent blog post about Security Awareness Training, phishing—stealing someone’s online identity or information through email, telephone or text message by posing as a legitimate institution—is the number one cyber threat today.
The more you are aware of phishing techniques, the better you can protect yourself. The following schemes are among the most common.
Everyone has seen this one. A hacker sends the same email to millions of users, requesting personal details such as name, birth date, Social Security number or other information. Most of the messages strike an urgent note, often promising money in return for assistance, but require the user to share account information or verify a bank account. Many of us get these sorts of emails daily.
Email phishing can be quite clever, with emails that look identical to ones sent by real organizations. For example, you could get an email that appears to come from UPS, with a link to check on an upcoming package delivery, but clicking the link installs malware on your system. Another example might be an email from “Netflix” informing you that your account has been closed and asking you to click a link to “restart membership.” You can see these and other examples in this post from IT service provider EDTS.
Link manipulation refers to sending a link, usually in a bogus email, that appears perfectly harmless but actually leads to a malicious website. It is a common component of email phishing. For example, you may get an email offering a free product whose link actually loads a virus onto your computer. Or you get an email that appears to be from your bank, but the “log in here” button takes you to a copycat site eager to steal your information (see “content spoofing” below). Hovering the mouse over a link to view the actual address before clicking is the best way to avoid falling for link manipulation.
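The “hover and compare” advice can be automated for an organization’s mail filter or awareness tooling. The following is an added example, not code from this post or from Single Path: it parses the anchors in an HTML email body and flags links whose visible text names one web address while the href points elsewhere, links that go to a bare IP address or a punycode host, and (optionally) links outside a hypothetical allow-list of the sender’s real domains. The sample email body and all domain names in it are constructed using reserved example names.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample HTML email body (not taken from any real message).
# The first link shows one address but points at a bare IP; the second
# hides its true destination behind "log in here"; the third is honest.
SAMPLE_HTML = """
<p>Your package is waiting.
   <a href="http://203.0.113.7/track">https://www.shipping-example.com/track</a></p>
<p>Sign in to your bank: <a href="https://secure-login.example.net/bank">log in here</a></p>
<p>Help center: <a href="https://www.example.com/help">www.example.com</a></p>
"""

# Display text that a reader would take for a web address.
LOOKS_LIKE_URL = re.compile(r"^(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:[/?#]\S*)?$", re.I)
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Return the lower-cased host part of a URL or bare domain string."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").lower()


def within(host, good):
    """True if host is good itself or a subdomain of good."""
    return host == good or host.endswith("." + good)


def assess_anchor(href, text, known_good_hosts=()):
    """Apply the 'hover and compare' check programmatically.

    known_good_hosts is a hypothetical allow-list of the sender's real domains;
    leave it empty to rely only on the text-vs-target comparison.
    """
    actual = host_of(href)
    reasons = []
    if LOOKS_LIKE_URL.match(text):
        shown = host_of(text)
        if shown != actual:
            reasons.append(f"display text points to {shown} but link goes to {actual}")
    if IPV4.match(actual):
        reasons.append("link target is a bare IP address")
    if actual.startswith("xn--") or ".xn--" in actual:
        reasons.append("link target uses a punycode (look-alike) host name")
    if known_good_hosts and not any(within(actual, g) for g in known_good_hosts):
        reasons.append("link target is not one of the sender's known domains")
    return {"href": href, "text": text, "host": actual,
            "suspicious": bool(reasons), "reasons": reasons}


def find_suspicious_links(html, known_good_hosts=()):
    """Return an assessment for every link in an HTML email body."""
    collector = AnchorCollector()
    collector.feed(html)
    return [assess_anchor(h, t, known_good_hosts) for h, t in collector.anchors]


if __name__ == "__main__":
    for result in find_suspicious_links(SAMPLE_HTML, {"example.com"}):
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{flag:10} {result['text']!r} -> {result['host']}")
        for reason in result["reasons"]:
            print(f"           - {reason}")
```

Run as a script, it reports the first two links as suspicious and the third as ok. The text-versus-target comparison catches the classic manipulation on its own; the allow-list check is what exposes the “log in here” button, whose text gives no hint of where it leads.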
Often working in conjunction with link manipulation, content spoofing is the creation of a copycat website that only looks legitimate. As IT education site Technopedia writes, “A hacker can design a web page very similar to that of any legitimate website and then use that facade to collect the information that users usually input into that page. This can be relatively harmless data such as an email address or the username and password for that particular site. However, content spoofing can dupe people into revealing more sensitive information like bank account numbers, Social Security numbers, birth dates, credit card numbers, mailing addresses and so on.” Differentiating these pages from a legitimate site can be challenging.
Similar to content spoofing, content injection occurs when a hacker is able to modify the code of a legitimate website, usually by adding spam or malicious links. Users may not even realize they are being sent to a different site entirely, one that may mimic the site they are currently visiting. As with most phishing schemes, the goal is to obtain passwords or other login information.
While link manipulation is most commonly associated with email, it is also a common problem with text messages. This scheme is called smishing (SMS + phishing). As texting increasingly replaces email, smishing is also on the rise. Just as with an email link, a user should never tap a link in a text message without checking it first.
If smishing is phishing using SMS, you can probably guess that vishing is phishing by voice. This ploy is actually not electronic at all. The hacker calls the user, perhaps posing as a colleague at work, a supervisor or another authority figure, in order to obtain passwords, bank details or other personal data. Phone phishing is mostly done with a fake caller ID.
In our recent post about ethical hacking we mentioned a hacker who was able to get passwords and user names by calling an IT technician of a law firm, posing as a partner. This was a great example of vishing.
Be Smart. Be Safe.
While there is no way to be 100% protected, taking the right steps to patch vulnerabilities can go a long way to providing security against many phishing strategies. At Single Path we are experts in every area of cyber security, from training your employees, to installing the protocols and processes you need. We can work with you as a consultant, as a procurer, installer and more. With Single Path Security offerings you’ll get extensive, collaborative and customized protective services, from risk management to data loss prevention. Let us help you get smarter and safer.
Look for our follow-up post, with six more phishing schemes, coming soon.