Phishing: The Scary Clown of Cybersecurity

The terror began, so far as I can tell, with a simple email from a Nigerian Prince. The email was muddled, misspelled and widely imitated as it became the nefarious clown that we know today as phishing. This Halloween, I’d like to share the latest phishing disguises, so that you can distinguish tricks from treats and stay safe.

Much like the It (the clown), phishing goes by many names, has become much more adept at preying on the hopes and fears of individuals, and is growing rapidly as criminals learn which techniques are most effective. Since those early days of Nigerian Princes and AOL accounts, the spelling and grammar have improved, logos and graphics added to imitate real messages, and more realistic scenarios are used. Perhaps the most evil part of phishing’s latest tricks is the creation of targeted messages using information gleaned from social media and other public sources. In recent months, I’ve seen more instances of phishing including two techniques known as angler phishing and smishing (or SMS phishing) have grown dramatically, and pose a significant threat to consumers.

Angler Phishing

Social media is a great way for people to contact companies about product or service issues. Angler phishing is a trick that criminals are using to get your confidential data by mimicking a company’s legitimate customer support account. Using subtly modified domain names, such as “Apple” vs “App1e” (which in some fonts is indistinguishable), “mobile-paypal.com,” or “ask-company.com,” these criminals monitor Facebook, Twitter and other social media sites for people complaining or asking for help. Then they jump in and offer their assistance, asking for identifying information or providing a link to their fake website.

The best way to protect yourself from angler phishing is always to go to the company’s website first, and follow links from there to the appropriate customer support contacts.

Smishing

Smishing, or SMS phishing, brings the familiar fake ads, contests and bonus offers to your smartphone. The smaller screen, context-specific messages and distracted nature of smartphone usage make it more likely that you will click on one of these. Caller ID spoofing can even add the fraudulent message to an existing threat, or make it look like it is from an official number.

The best way to protect yourself from these scams is to vigilantly delete anything that you did not initiate, or that is not from a known contact. Remember, in most cases, you are not today’s lucky visitor, this is not a real refund offer, your bank or credit card account has not been suspended, and your Apple ID is not expiring. No one needs your user ID, password, Social Security number, or other account details via text or Twitter. That offer that expires in 90 seconds is most likely not real, and anything that is too good to be true, usually is.

Unlike Stephen King’s It, our evil clown is not a powerful and hungry alien from another dimension. Defeating it just requires a bit of diligence, a healthy amount of skepticism, and a stronger resistance to click bait!

Gary Davis, Chief Consumer Security Evangelist, McAfee

ON DEMAND: In this webinar, Regina Lester, Vice President of Security & Safety Operations at Toledo Zoo, will share her insights on implementing security technologies in the entertainment sector and the challenges all organizations face — large and small — when it comes to balancing budget and security.