There are numerous ways fraudsters trick users into sharing confidential and sensitive information. Today it's often done by social engineering, whereby malicious individuals use psychological manipulation to trick users into performing actions that reveal the desired information.
While the original term coined years ago for fraudulently obtaining confidential information this way was "phishing", malicious actors now use several additional methods, including SMiShing, Vishing, and Pharming.
Regardless of the method used, the end goal of nearly all these fraudulent activities is to steal or compromise confidential, personal, and sensitive information for malicious purposes.
First it's important to examine each type of fraud and how it's carried out, and then to discuss methods to protect oneself and others:
Phishing
Phishing is normally an attempt to trick a user into divulging personal and confidential information such as a social security number, credit card information, social media profile, or banking login credentials.
Phishing via email scams has been around for years. However, now that there are millions upon millions of Facebook and other social media users, Phishing has become even more prevalent and dangerous.
Phishing scams often look legitimate:
- The email may be masked to appear to come from a legitimate business or source (the From field of an email is easily forged, so it may show a real company's name or address).
- The link in the phishing email may appear accurate and link to what appears to be a legitimate website.
- The phishing site mimics a real site attempting to trick users into providing personal login credentials.
Once personal information is provided on the fake site (or the user has downloaded the malware), the malicious users take that information, log in to the real site, and steal personal and confidential information.
SMiShing
Like Phishing, SMiShing is an attempt to trick users into either visiting a fraudulent website or downloading a virus or other malware onto the user's device, with the intent to defraud and steal sensitive, confidential information for malicious purposes.
Unlike Phishing (which happens via email), SMiShing happens via text/SMS messaging (SMS phishing) on the user's phone or mobile device.
SMiShing messages might look or sound legitimate:
- SMiShing is an attempt to steal personal or confidential information from consumers.
- SMiShing scams often include a company name and message (to appear to be an alert from a bank or legitimate business).
- Like Phishing, SMiShing messages may include a link to what appears to be a legitimate business website.
- The goal of the SMiShing site will be to steal login information to the mimicked site, or trick the user into downloading malicious software.
Some SMiShing messages are attempts to steal money, others to purchase items on account, while others are attempting to steal personal information for identity theft purposes.
SMiShing via text messaging is popular with attackers because consumers are far less skeptical about clicking links in text messages than in email.
Because people are so used to receiving text messages, email notifications of a new friend on Facebook, or notifications that they've been tagged in a post, thieves use fake notification emails to "phish" and fake texts to "SMiSh", stealing data from millions of unsuspecting users.
Vishing
Vishing is a form of Phishing by voice over a phone call. Again, the purpose of Vishing is to get the user to release sensitive data that can be used for nefarious purposes and fraud.
- Vishers call unsuspecting people pretending to be from a bank or real company the person does business with.
- The fraudster will proceed to say something such as "We have reason to believe your card has been compromised and must verify it's in your possession by having you read us the full card number, or we'll have to block the card."
- Vishers are also known to call and pretend the person has won a prize that needs shipping costs paid upfront; thus convincing the user to provide their credit card number and personal information to use for fraudulent charges.
- There are also instances of Vishing attempts where the scammer is pretending to be the IRS collecting taxes that must be paid immediately over the phone with a credit card to avoid legal action.
Pharming
Because many people are becoming aware of Phishing (and variations of such fraud), scammers are changing up the game and using a related type of fraud called Pharming.
Pharming is a method of secretly redirecting the unsuspecting person to a third-party website that mimics the expected site; yet it's a fraudulent site used for stealing sensitive user data.
- Pharming is the redirection of a person's visit to a legitimate site's address to a fraudulent site, without the person being aware of it.
- Pharming can be accomplished by a user accidentally downloading a malicious program that alters how the device looks up known sites (for example by editing the local hosts file), so that a bank's address leads to a fraudulent site set up to capture logins, passwords and other private credentials.
- Most Pharming attempts target the payment pages of e-commerce sites or online banking portals.
Pharming can also happen at the DNS level: if the DNS records of a legitimate website, or the DNS resolver the user relies on, are compromised for lack of proper security, the user has no control over (and no sign of) the redirection that sends them to the pharm site.
Spotting & Avoiding Fraudulent Attempts
- Pay Attention To The Sender & Subject Of Emails/Messages/Texts
If the sender is unknown, or something seems suspicious, just delete the email or SMS, or politely hang up if it's a suspicious call (you can always call the company back on a number you already know to be legitimate, such as the one printed on your card or statement, never one given in the message itself).
Never open unknown file attachments to emails, as they can contain malicious software.
Forward suspicious emails to the real company's abuse@ email address so they can investigate, review, and advise accordingly; there might be a full campaign targeting other consumers of that business, and you might just save someone else!
- Always Hand Type The Website Address
First and foremost, never click a link in a suspicious email or text. Always hand type the address into your browser. Links in emails or text messages can be "masked" to appear as any address: the visible text of a link and the address it actually points to are two separate things, so it might look like the link goes to http://www.paypal.com when in fact it leads to another website. Hovering over a link in most email clients reveals the real destination, but by hand typing the website address there is far less doubt as to which website will load.
- Check the Address Bar for the Accurate Website Address
The address bar (URL) of a website page is normally a quick and easy way to see if the real website has loaded, or if it's a fake website attempting to steal information. For example, if the address bar of the browser reads https://www.paypal.com then it's more than likely the correct PayPal site. However, if the address bar reads something like http://www.paypal.com.somethingelse.com then it's not the right site: a host name is read from right to left, so "somethingelse.com" is the real domain you've ended up on, and "www.paypal.com" is merely a subdomain the scammer created under it.
HTTPS on its own does not prevent Pharming, and a fraudulent site can obtain a certificate for its own domain, so an "s" after the "http" proves nothing about who you are talking to. What it does give you is a check: the certificate is issued for the domain shown in the address bar, so if you were silently redirected to a site impersonating PayPal, the browser will warn that the certificate does not match. PayPal (or most any bank or financially sensitive site) should load over https, similar to https://www.paypal.com, and any certificate warning or missing padlock on such a site should be treated as a red flag rather than clicked through.
- Look for Inconsistencies & Oddities
While many scam and phishing sites may look like an exact replica of the real company website or email, there are often little signs that will show it's not a legitimate site.
Some such aspects to review are:
- Awkward word usage - is the grammar that of a professional company?
- Misspellings - would a professional company have misspellings?
- Wrong logo - does this look like the company's logo?
- Vague & innocuous statements - are they using vague statements as a scare tactic?
An example such as "Your account has been limited until you resolve the problem" is a vague statement that doesn't explain what the problem is. Most legitimate companies will be up front and tell you what the problem is, and why you must login or contact them.
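The two address checks above (not trusting the visible text of a link, and reading the host in the address bar from right to left) can be made mechanical. The following is an added example written for this page, not code from the original article: it extracts the real host from a URL the way a browser does (ignoring any user@ prefix, port and path, so that https://www.paypal.com@evil.example/ is recognised as evil.example), checks it against an expected domain with a dot-boundary suffix match so that www.paypal.com.somethingelse.com fails for paypal.com, and flags links whose visible text names a different host than their target. The link texts and hosts in the sample data are constructed for illustration; evil.example is a placeholder, not a real site.

```python
import re
from urllib.parse import urlsplit

# Loose hostname shape: labels of letters, digits and hyphens with at least one dot.
HOST_RE = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)+")


def host_of(text):
    """Return the lowercase hostname that `text` (a URL, or a bare host as shown in
    link text) really points at, or '' if it has none. The user@ prefix, port, path
    and query are ignored, so 'https://www.paypal.com@evil.example/' yields
    'evil.example', exactly as a browser would resolve it."""
    text = text.strip()
    if "://" not in text:
        text = "http://" + text  # treat bare link text like "www.paypal.com" as a host
    try:
        host = (urlsplit(text).hostname or "").rstrip(".").lower()
    except ValueError:  # malformed netloc, e.g. unbalanced IPv6 brackets
        return ""
    return host if HOST_RE.fullmatch(host) else ""


def is_expected_site(url, expected_domain, require_https=True):
    """(True, 'ok') if `url` leads to `expected_domain` or one of its subdomains.

    The host must equal the expected domain or end with '.' + expected domain, so
    'www.paypal.com.somethingelse.com' does not pass for 'paypal.com'. With
    require_https, a plain http:// URL is rejected as well."""
    expected = expected_domain.strip().strip(".").lower()
    host = host_of(url)
    if not host:
        return False, "no hostname"
    if host != expected and not host.endswith("." + expected):
        return False, "host %s is not %s" % (host, expected)
    if require_https and urlsplit(url.strip()).scheme.lower() != "https":
        return False, "not https"
    return True, "ok"


def link_is_masked(display_text, href):
    """True when a link's visible text names one host but its href goes to another."""
    shown = host_of(display_text)
    if not shown:  # "Click here" shows no address at all, so nothing is being masked
        return False
    return shown != host_of(href)


if __name__ == "__main__":
    # Constructed (display text, href) pairs as they might appear in a phishing email.
    links = [
        ("http://www.paypal.com", "http://www.paypal.com.somethingelse.com/login"),
        ("Click here to verify", "https://www.paypal.com@evil.example/"),
        ("https://www.paypal.com", "https://www.paypal.com/signin"),
    ]
    for shown, href in links:
        ok, why = is_expected_site(href, "paypal.com")
        print("%-25s -> %-48s masked=%-5s expected=%-5s (%s)"
              % (shown, href, link_is_masked(shown, href), ok, why))
```

The suffix match deliberately does not try to decide what the "registrable" part of a host is (that needs the public suffix list), and it says nothing about lookalike domains such as a misspelt brand name or a homoglyph: those still require the human checks in the list above.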
What Can Businesses Do To Protect Their Consumers?
Most phishing attempts take advantage of the fact that SMTP (the protocol mail servers use to send email) does not by itself verify who a message is from, and that a website served over plain HTTP can be impersonated or read in transit. However, there are steps businesses can take to protect their customers from these issues:
- SPF - A Sender Policy Framework record is set up in the company's DNS records. The SPF record lets a business specify which servers are authorized to send email for its domain, so a receiving mail server can tell whether a message claiming to come from that domain was sent from a legitimate source or has potentially been spoofed (faked). Note that SPF is evaluated against the envelope sender, not the From header the recipient sees, which is why it is normally deployed together with DKIM and DMARC.
- TLS/HTTPS - By obtaining a TLS (often still called SSL) certificate and forcing the company's website to use HTTPS whenever a customer visits, the data the customer sends is encrypted between their browser and the company's server, so it can't be read or altered in transit. The caveat is that HTTPS protects the connection, not the customer's judgement: a phishing site can use HTTPS too, so the padlock only means the site is the one its own address names.
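To show what a receiving mail server actually does with an SPF record, here is an added example (written for this page, not code from the original article or from any SPF library) that evaluates a record against the IP address that delivered a message. The records, domains and addresses are constructed documentation values; in a real checker the record would come from a DNS TXT lookup of the envelope sender's domain, and the a, mx, ptr and exists mechanisms would trigger further lookups, which this offline example reports as a temporary error rather than resolving.

```python
import ipaddress

# Constructed example records, as they would be published in each domain's DNS TXT
# record. example.com authorises its own ranges plus the outsourced sender
# mail.example.net, and hard-fails everything else; mail.example.net only soft-fails.
EXAMPLE_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.10 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sender_ip, domain, records, depth=0):
    """Evaluate the SPF record of `domain` for the IP that delivered a message.

    Returns an SPF result: 'pass', 'fail', 'softfail', 'neutral', 'none',
    'permerror' or 'temperror'. `records` maps domain -> TXT record text, standing
    in for the DNS lookup a real checker performs. Mechanisms that need further DNS
    lookups (a, mx, ptr, exists) return 'temperror' here because this offline
    example cannot resolve them."""
    if depth > 10:  # RFC 7208 caps lookups; also guards against include loops
        return "permerror"
    record = records.get(domain.lower())
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    try:
        ip = ipaddress.ip_address(sender_ip)
    except ValueError:
        return "permerror"

    for term in terms[1:]:
        qualifier = "+"  # an unqualified mechanism means "pass" when it matches
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower().split("/")[0]  # drop a CIDR suffix such as "a/24"
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"
            if ip in network:  # an IPv4 address never matches an ip6 range, and vice versa
                return QUALIFIERS[qualifier]
        elif name == "include":
            inner = check_spf(sender_ip, value, records, depth + 1)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"
            if inner == "temperror":
                return "temperror"
            # fail/softfail/neutral from the included domain: no match, keep going
        elif name in ("a", "mx", "ptr", "exists"):
            return "temperror"  # would need DNS; a real checker resolves these
        else:
            return "permerror"  # unknown mechanism or a modifier this example ignores
    return "neutral"  # no mechanism matched and the record has no "all" term


if __name__ == "__main__":
    for ip, dom in [("192.0.2.7", "example.com"), ("198.51.100.10", "example.com"),
                    ("203.0.113.5", "example.com"), ("2001:db8::1", "example.com"),
                    ("203.0.113.5", "mail.example.net"), ("192.0.2.7", "nospf.example")]:
        print("%-16s claiming %-18s -> %s" % (ip, dom, check_spf(ip, dom, EXAMPLE_RECORDS)))
```

The point for the business is the difference between the last two terms in the records: "-all" tells receivers to reject mail from any other server outright, while "~all" only asks them to treat it with suspicion, so a domain that publishes "~all" still leaves room for spoofed mail to reach its customers' inboxes.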
What Can Consumers Do To Protect Themselves?
The following are some third-party websites with additional resources to either protect oneself, or take action if already affected by a phishing attempt or malware:
- FTC - Tips & steps to protect one's identity.
- Protect Your Computer - Tips from Intuit on proper safety measures and good practices to protect privacy and data.
- Virus Scanners - Some free virus checking services.