There are numerous ways for fraudsters to trick users into providing confidential information. Today, that's often done by social engineering whereby malicious individuals use psychological manipulation to trick users into performing certain actions and reveal confidential information.
The term coined years ago for fraudulently obtaining confidential information this way was "phishing"; malicious actors now use several variations of it, including SMiShing, Vishing, and Pharming.
Regardless of the method used, the end goal of almost all of these fraudulent methods is the same: to steal or compromise confidential information for malicious purposes.
First it's important to examine each type of fraud, how it's implemented, and then discuss methods of protecting oneself and others:
Phishing is normally an attempt to trick a user into divulging personal and confidential information such as a social security number, credit card information, social media profile, or banking login credentials.
Phishing via email scams has been around for years. However, now that there are millions and millions of Facebook and other similar social media users, Phishing is becoming even more prevalent and dangerous.
Phishing scams will often look legit:
- The email may be spoofed to appear to come from a legitimate business or source (the From field of the email may show a real company's name and address, since nothing in basic email requires the sender to prove it owns that address).
- The link in the phishing email may appear accurate and link to what appears to be a legitimate website.
- The phishing site mimics a legit site in an attempt to trick user into providing personal login details to the fake site.
Once login details have been entered into the fake site (or the user has installed malware that was pushed by the phishing email), the scammers can use those credentials to log in to the real site and access private information.
Like Phishing, SMiShing is an attempt to trick users into either visiting a fraudulent website, or downloading a virus or other malware, onto a device with the intent to defraud and steal sensitive and confidential user information for malicious purposes.
Unlike Phishing, which happens via email, SMiShing happens via text/SMS messaging (SMS phishing) on a user's phone.
SMiShing messages might look or sound legit:
- SMiShing is an attempt to steal personal or confidential information from consumers.
- SMiShing scams may often include a company name and message (to appear to be an alert from a bank or legit business).
- Like Phishing, SMiShing messages may include a link to what appears to be a legit business website.
- The goal of the SMiShing site will be to steal login information to the site being mimicked, or make the user download malicious software.
Some SMiShing messages are attempts to steal money, others to purchase items on account, while others are attempting to steal personal information for identity theft, etc.
SMiShing via text messaging has recently become popular with attackers because people are far less skeptical of links in a text message than of links in an email.
Because people are so used to receiving text messages, email notifications of a new friend on Facebook, or notifications that they've been tagged in a post, thieves use fake notification emails to "phish" and fake texts to "SMiSh", stealing millions of unsuspecting users' data.
Vishing is a form of Phishing by voice over a phone call. Again, the purpose of Vishing is to get the user to release sensitive data that can be used for nefarious purposes and fraud.
- Vishers call unsuspecting people pretending to be from a bank or legit company the person does business with.
- The fraudster will proceed to say something such as "We have reason to believe your card has been compromised and must verify it's in your possession by having you read us the full card number, or we'll have to block the card."
- Vishers are also known to call and pretend the person has won a prize that needs shipping costs paid upfront; thus convincing the user to provide their credit card number and personal information to use for fraudulent charges.
- There are also instances of Vishing attempts where the scammer is pretending to be the IRS collecting taxes that must be paid immediately over the phone with a credit card to avoid legal action.
Because so many people today are becoming aware of Phishing (and variations of such fraud attempts), scammers are changing up the game and using another type of fraud called Pharming.
Pharming is a method of secretly redirecting the unsuspecting person to a third-party website that mimics the expected site; yet it's a fraudulent site used for stealing sensitive user data.
- Pharming is the unnoticed redirection of a person's request for a legitimate site to a fraudulent site; the user typed or clicked the correct address and is still sent elsewhere.
- Pharming can be accomplished by a user accidentally downloading a malicious program that causes the redirection on known sites (such as a bank website) to a fraudulent site setup to track user data, logins, passwords and other private credentials.
- Most Pharming attempts are applied on payment pages of e-commerce sites, or online banking portals.
Pharming can also happen at the DNS level: if the DNS server that resolves a legitimate website's name (or the user's own ISP/home router resolver) is compromised or its cache poisoned, the name is answered with the attacker's IP address. The user has no control over (and no indication of) the redirection, because the correct address was requested and the fraudulent site is what answered.
Spotting & Avoiding Fraudulent Attempts
- Pay Attention To The Sender & Subject Of Emails/Messages
If the user is unknown, or something seems suspicious just delete the email, SMS, or politely hang-up if it's a suspicious call (you can always call the company directly from a known legit number).
Never open unknown file attachments to emails as they can contain malicious software.
Forward suspicious emails to the legit company's abuse@ email address so they can review and advise accordingly; there might be a full campaign targeting other consumers of that business, and you might just save someone else!
- Always Hand Type The Website Address
First and foremost, never click a link in a suspicious email or text. Always hand type the address into your browser. Links in emails or text messages can be "masked" to appear as any address: the visible link text might read http://www.paypal.com when in fact the underlying link goes to another website.
By hand typing the address, there is no doubt as to which website will load.
- Check the Address Bar for the Accurate Website Address
The address bar (URL) of a website page is normally a quick and easy way to see if the real website has loaded, or if it's a fake website attempting to steal information. For example, if the address bar of the browser reads https://www.paypal.com then it's more than likely the correct PayPal site.
However, if the address bar reads something like http://www.paypal.com.somethingelse.com then it's not the right site. The domain is read from the right: the "somethingelse.com" before the first single "/" is the real site you've ended up on, and "www.paypal.com" is just a subdomain the scammer created under it.
Also make sure the site has an "s" after the "http": PayPal (or most any bank or financially sensitive site) uses https in front of its address, as in the PayPal example above. Note that https only proves the connection is encrypted to whichever site is named in the address bar; a scam site can have a valid certificate for its own domain, so the domain name itself still has to be checked. Against Pharming, https helps because a redirected connection to an impostor's server will not present a valid certificate for the real domain, and the browser will warn; never click through such a warning on a banking site.
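The address-bar reading rule above, expressed as code: this is an added example, not part of the original article, and the sample links below are constructed for illustration (the "somethingelse.com", "paypa1.com" and "evil.example" hosts are hypothetical). It extracts the host the browser will actually connect to, reduces it to the registrable domain (the last two labels, a simplification noted in the code), and compares that against the domain the user expects.

```python
from urllib.parse import urlsplit

# The domain the user believes the link leads to (assumption for this example).
EXPECTED_DOMAIN = "paypal.com"


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname, e.g. 'somethingelse.com'
    from 'www.paypal.com.somethingelse.com'.

    Simplification: real browsers consult the Public Suffix List so that
    names such as 'bank.co.uk' are handled correctly; that list is not
    embedded here.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_link(url: str, expected_domain: str = EXPECTED_DOMAIN) -> dict:
    """Classify a link the way the article tells the reader to read the
    address bar: judge the host by its right-hand end, not by the familiar
    words at the start, and insist on https."""
    parts = urlsplit(url)
    host = parts.hostname or ""          # hostname excludes any user@ prefix
    findings = []

    if parts.scheme != "https":
        findings.append("not https")
    if parts.username is not None:
        # 'http://www.paypal.com@evil.example/' connects to evil.example;
        # everything before '@' is treated as a username and ignored.
        findings.append("text before '@' hides the real host")

    actual = registrable_domain(host)
    if actual != expected_domain:
        findings.append(f"real domain is {actual!r}, not {expected_domain!r}")

    return {
        "host": host,
        "registrable_domain": actual,
        "ok": not findings,
        "findings": findings,
    }


# Constructed sample links, as they might appear in a suspicious message.
SAMPLE_LINKS = [
    "https://www.paypal.com/signin",                       # genuine
    "http://www.paypal.com.somethingelse.com/login",      # subdomain trick
    "https://www.paypa1.com/signin",                       # look-alike letter
    "http://www.paypal.com@evil.example/signin",           # userinfo trick
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        result = check_link(link)
        status = "OK " if result["ok"] else "BAD"
        print(f"{status} {link:48} -> {result['registrable_domain']}  {result['findings']}")
```

Only the first sample passes; each of the others is rejected for the reason the article describes, with the actual destination host shown so the reader can see what the browser would really connect to.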
- Look for Inconsistencies & Oddities
While many scam and phishing sites may look like an exact replica of the legitimate company website or email, there are often little things that will show it's not a legitimate site.
Some such aspects to review are:
- Awkward word usage - is the grammar that of a professional company?
- Misspellings - would a professional company have misspellings?
- Wrong logo - does this look like the company's logo?
- Vague & innocuous statements - are they using vague statements as a scare tactic?
An example such as "Your account has been limited until you resolve the problem" is a vague statement that doesn't explain what the problem is. Most legitimate companies will be up front and tell you what the problem is and why you must login.
What Can Businesses Do To Protect Their Consumers?
Most phishing attempts exploit two weaknesses: the basic email protocol (SMTP) does not verify that the sender is who the From address claims, and users cannot easily tell a genuine website from a copy. There are steps businesses can take to close both gaps for their customers:
- SPF - A Sender Policy Framework record is a TXT record published in the company's DNS. It lists the mail servers (by IP range or hostname) that are authorized to send email for that domain, so a receiving mail server can check whether a message claiming to come from the domain was sent from an authorized source or was spoofed. SPF alone validates the envelope sender, not the From address the user sees; DKIM signatures and a DMARC policy build on SPF to cover the visible From and tell receivers to reject failures.
- TLS/HTTPS - By obtaining a TLS certificate (commonly still called an SSL certificate) for the company's domain and redirecting all visitors to HTTPS, the business ensures that data between the customer's browser and the real site is encrypted and that a pharming redirect to an impostor server triggers a browser certificate warning. HTTPS does not stop a customer from typing credentials into a fake site that has its own certificate, so it complements, rather than replaces, the address-bar checks above.
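To show what an SPF check actually does, here is an added example (not code from the original article) that parses an SPF record and evaluates whether a given sending IP address is authorized. The record below is constructed for a hypothetical domain and uses documentation address ranges; mechanisms such as include:, a, mx and the redirect= modifier require live DNS lookups and are deliberately reported as unsupported here rather than guessed at.

```python
import ipaddress

# Constructed SPF record for a hypothetical domain (not any real company's).
# Meaning: mail is authorized from 203.0.113.0/24 and 2001:db8:10::/48;
# everything else must fail ("-all").
SPF_RECORD = "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8:10::/48 -all"

# Qualifier prefixes defined by SPF and the result each one yields on a match.
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Mechanisms/modifiers that need DNS resolution; not evaluated offline here.
NEEDS_DNS = {"include", "a", "mx", "exists", "ptr", "redirect"}


def parse_spf(record: str) -> list:
    """Split an SPF TXT record into (qualifier, mechanism, argument) tuples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record (must start with v=spf1)")
    mechanisms = []
    for term in terms[1:]:
        qualifier = "+"                       # default qualifier is '+'
        if term[0] in RESULT:
            qualifier, term = term[0], term[1:]
        if "=" in term.split(":", 1)[0]:      # modifier such as redirect=, exp=
            name, _, arg = term.partition("=")
        else:
            name, _, arg = term.partition(":")
        mechanisms.append((qualifier, name.lower(), arg))
    return mechanisms


def check_sender_ip(record: str, sender_ip: str) -> str:
    """Return the SPF result ('pass', 'fail', 'softfail', 'neutral') for a
    message that arrived from sender_ip, evaluating mechanisms left to right
    as a receiving mail server would."""
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, name, arg in parse_spf(record):
        if name == "all":
            return RESULT[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)   # bare IP => /32 or /128
            if ip.version == net.version and ip in net:
                return RESULT[qualifier]
            continue
        if name in NEEDS_DNS:
            raise NotImplementedError(f"mechanism {name!r} requires DNS lookups")
        # Unknown terms (e.g. exp=) do not affect the result.
    return "neutral"   # no mechanism matched and no 'all' term present


if __name__ == "__main__":
    # Constructed connecting IPs: one authorized server, one spoofer, one IPv6 relay.
    for ip in ("203.0.113.25", "198.51.100.7", "2001:db8:10::1"):
        print(f"{ip:18} -> {check_sender_ip(SPF_RECORD, ip)}")
```

A receiving server that honours "-all" rejects the message from 198.51.100.7 even though its From header may read like a genuine company address; with "~all" the same message would only be marked softfail, which is why a DMARC policy of reject is what finally turns the check into enforcement.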
What Can Consumers Do To Protect Themselves?
The following are some third-party websites with additional resources to either protect oneself, or take action if already affected by a phishing attempt or malware: