Phishing: The Scary Clown of Cybersecurity

October 31, 2017

The terror began, so far as I can tell, with a simple email from a Nigerian Prince. The email was muddled, misspelled and widely imitated as it became the nefarious clown that we know today as phishing. This Halloween, I’d like to share the latest phishing disguises, so that you can distinguish tricks from treats and stay safe.

Much like the It (the clown), phishing goes by many names, has become much more adept at preying on the hopes and fears of individuals, and is growing rapidly as criminals learn which techniques are most effective. Since those early days of Nigerian Princes and AOL accounts, the spelling and grammar have improved, logos and graphics added to imitate real messages, and more realistic scenarios are used. Perhaps the most evil part of phishing’s latest tricks is the creation of targeted messages using information gleaned from social media and other public sources. In recent months, I’ve seen more instances of phishing including two techniques known as angler phishing and smishing (or SMS phishing) have grown dramatically, and pose a significant threat to consumers.

Angler Phishing

Social media is a great way for people to contact companies about product or service issues. Angler phishing is a trick that criminals are using to get your confidential data by mimicking a company’s legitimate customer support account. Using subtly modified domain names, such as “Apple” vs “App1e” (which in some fonts is indistinguishable), “mobile-paypal.com,” or “ask-company.com,” these criminals monitor Facebook, Twitter and other social media sites for people complaining or asking for help. Then they jump in and offer their assistance, asking for identifying information or providing a link to their fake website.

The best way to protect yourself from angler phishing is always to go to the company’s website first, and follow links from there to the appropriate customer support contacts.

Smishing

Smishing, or SMS phishing, brings the familiar fake ads, contests and bonus offers to your smartphone. The smaller screen, context-specific messages and distracted nature of smartphone usage make it more likely that you will click on one of these. Caller ID spoofing can even add the fraudulent message to an existing threat, or make it look like it is from an official number.

The best way to protect yourself from these scams is to vigilantly delete anything that you did not initiate, or that is not from a known contact. Remember, in most cases, you are not today’s lucky visitor, this is not a real refund offer, your bank or credit card account has not been suspended, and your Apple ID is not expiring. No one needs your user ID, password, Social Security number, or other account details via text or Twitter. That offer that expires in 90 seconds is most likely not real, and anything that is too good to be true, usually is.

Unlike Stephen King’s It, our evil clown is not a powerful and hungry alien from another dimension. Defeating it just requires a bit of diligence, a healthy amount of skepticism, and a stronger resistance to click bait!

Gary Davis, Chief Consumer Security Evangelist, McAfee

Ransomware and the propulsion of the extortion economy has rapidly eclipsed into a national priority. Recently, we observed the catastrophic impact of a widescale ransomware attack impacting gas pipelines and raising national gas prices overnight.

Security Operations Centers (SOCs) are a crucial component of safety and security culture. They support many strategic business objectives, from lowering costs and minimizing risk to improving employee trust and morale.

Phishing: The Scary Clown of Cybersecurity

Get our new eMagazine delivered to your inbox every month.

Stay in the know on the latest enterprise risk and security industry trends.

Phishing: The Scary Clown of Cybersecurity

Related Articles

Get our new eMagazine delivered to your inbox every month.

Stay in the know on the latest enterprise risk and security industry trends.