Spot That Phish! Part 2
A few months ago, we covered the basics of Phishing, which is spam that's used as bait to get you to click a link, respond with information, or something else nefarious.
Today, I want to talk more about Phishing by covering some additional forms that you might not think about when you hear the term.
Spear phishing is also typically done through e-mails, but they are a bit more targeted. Let's say you have a retirement account with a bank we'll call "Bank #1". And let's say Bank #1 has a clean history, but maybe one of their marketing partners had a breach that you're entirely unaware of.
This breach now lets the bad guys know basic details about where your retirement account is, so they'll create a phish specifically showing Bank #1's name with their logos, graphics, look and feel. We are more susceptible to trust a message if it comes from a company or someone we're familiar with or have done business with, especially if a decent sum of our hard-earned money is involved. This may be just enough to get you to do what they want you to do and ultimately gain access to your retirement account.
The more data they can gather about you, the more realistic they can make the phish. Ask yourself how much information is available about you on social media. Is your birthday up there in the cloud? What about your hometown or maiden name? Would any of that data help convince you that the e-mail source was trustworthy?
We call this Spear Phishing because it's targeted, and the more breaches we see, the more Spear Phishing we see.
Vishing, or Voice Phishing, is more about Social Engineering. These can be recordings, which are easy to spot because we have laws protecting us from robocalls. There are exceptions like political campaigns and businesses you have given your consent to call. If neither of those rings true, the call is almost always illegal.
Sometimes, however, these are live humans calling who can be very convincing. If your car's warranty hasn't expired, you may not fall for this incredibly common one, but given it's tax season, you may feel compelled to talk to the IRS if you believe it was really them. We've also seen scams that threaten legal action for 'outstanding felonies' on your record—scams that offer a free gift and then bill for it later. And my personal favorite is a claim that the caller will cancel your Social Security Number if you don't comply.
The warning signs are the same, but you may not realize it when you're on the phone vs. taking a second look at an e-mail. My rule of thumb with any call I suspect may be vishing is to call the company back. If a caller is claiming to be your bank, don't give up any information. Simply hang up and call your bank at a known contact number like the one on the back of your card. The same goes for any other company you do business with. When in doubt, don't give it out.
Some get these more than others, but unsolicited SMS (text) messages are also an avenue that scammers have been using for some time. Texts stating you've won a new iPad, that you've paid a bill, and there's a thank you present waiting, and anyone offering to purchase your home is typically scams.
Now, there is some question on whether texts asking to buy your house are legitimate. It may be a corporate home buyer reaching out with good intentions, but the text is still more than likely illegal if you have not given them permission to text you, so I'd steer clear.
So, what does it all mean?
These specialized types of Phishing attacks are simply more of the same thing, just with a slightly different delivery angle or mechanism. Limit what personal information you share online, watch out for a sense of urgency, robocalls, requests for any personal information, and always trust your instincts. If you have any doubt, delete the e-mail, text, voicemail, or hang up if you're uncomfortable or flustered.
And, if you are not using dual-factor or multi-factor authentication (2FA or MFA), start enabling it on your accounts today, beginning with your primary e-mail account.
We tend to look at bank accounts first, but if I can access your e-mail, I can perform password resets on just about every other account. MFA is key to preventing account compromises…period.
Who is Greg Gammino? Our resident security expert, Greg Gammino, is ELM's Director of Information Security & Data Protection Officer. Greg has more than 20 years of IT Engineering and Information Security experience. Prior to joining ELM, Greg led security operations across several industries including Healthcare, Fulfillment, and Logistics, IT Consulting, and Higher Education.