Phishing scams are spreading like wildfire and this time, it’s a little more serious

“Technology is a useful servant but a dangerous master.” This quote by Christian Lous Lange effectively describes an alarming issue that needs our attention at the earliest before we lose both time and money. As the title suggests, phishing scams are on the rise and this time it’s more serious, owing to the methodology used by the fraudsters to carry out the scams. A simple message asking you to clear your credit card or electricity dues to avoid any penalization is a quick bait being employed off lately to trap people into a web of scams.

Before we get into the details of how these scams work, let’s brush up on some basics regarding what are these frauds.

Phishing is an online fraud whereby a bad actor (a fraudster) tricks you into providing some confidential information like credit card details, CVV number, PAN card number etc. disguised as a trustworthy/genuine source. Though there are various ways in which such frauds can be executed, we shall discuss two major forms of phishing attacks prevalent in the digital ecosystem currently.

Spear Phishing

A nightmare for an organization and its employees, spear phishing is a highly personalized and targeted fraud. After researching on platforms like LinkedIn and Facebook as well as using machine using algorithm to scan massive amounts of data, the fraudsters first gather a list of employees working in an organization. Once done, they draft a highly personalized email and send it across along with some malicious links attached.

When such mails reach the employees’ inbox, they are bound to open it given the seemingly personalization factor. They may be asked to click on the links to complete a survey form or open a password-protected document by supplying their user logins and other work-related credentials. Once done, they are redirected to a fake page and a malware is installed on their device that grants access to various confidential documents and other data on the employee’s device.

In case of stolen information like passwords, fraudsters commit credential stuffing attacks i.e. using stolen credentials to attempt logins to unrelated services.

A step ahead, when such emails are sent to top level management in an organization such as the CEO, the attack is known as whaling. Whaling may lead to compromise of sensitive data such as patents and financial information if the bait is hooked.

In 2021, among all the phishing attacks, 65% of them were spear phishing as per a report by CISCO.

 Smishing

You must have come across a message personally or might have heard anyone from your network receiving a message from the Electricity department that he/she must clear his/her electricity dues by midnight, failing which their power supply would be disconnected. This is an example of a smishing attack. Quite like spear phishing, in this case, the message is sent via text message to the targets without any personalization. The message consists of a malicious link to a fake webpage or a malware installation link.

Once the link is clicked, it may ask you to provide confidential details like your credit card number, CVV numbers etc. (in case of payment related messages) or identification details like PAN card number etc. to avail a monetary benefit (in case of incentive related messages)

Smishing has been on the rise as more sophisticated ways of carrying out a fraud by creating a fake webpage is now accessible to fraudsters. In fact, in April 2022, 3.7 billion spam texts and messages were circulated per day.

How to protect yourself against phishing attacks?

While these attacks are carried out daily, we may not realize in the heat of the moment that we are reading a spam message. However, there are certain techniques to avoid falling prey to such attacks.

1. Always ensure that before clicking on any external link, you verify the address/contact from which the message has been sent. Mails from irrelevant departments within the organization, for example, can be a potential red flag for a phishing attack.

2. Scan properties of received messages, including the Attachment Detail property, for malware-related attachment types (such as HTA, EXE and PDF) and automatically send them to be analyzed for additional malware indicators.

3. If a message indicates a sense of urgency, that’s another potential red flag. In such a case, verify the authenticity of the message by cross checking details like grammatical errors in the message, tricky sentences etc.

4. Avoid opening links or documents that ask for sensitive information such as login credentials for your bank account, CVV number etc.

5. Identify and remember the short codes used by your banks to send transaction and non-transaction messages. For example, SBI has revealed that every SBI message starts with its short code ‘SBI’ like SBIBNK, SBIINB, SBIPSG, SBYONO etc.

Apart from the above precautions, the current ecosystem also requires development of a solution to detect such fraudulent activities and alerting the audience at the right time. This is where innovative cybersecurity solutions play a crucial role.

(The author is Mr. Deepankar Biswas, Co-Founder & CEO of ClearTrust and the views expressed in this article are his own)