Phishing Schemes and What to Know About Them
What is the first thing we all learn when accessing the internet? From the earliest days of internet communication, you learn that not everyone tells the truth in cyberspace. You can probably rattle a few of the “playground rules” of the internet off the top of your head. We all can. Things like “Never give your full name and address to online friends” because you never know who’s listening. Or the sometimes controversial “There are no girls on the internet” which actually means that online strangers offering dates are often catfishing.
Speaking of fish, the reason we know all these rules, why even children know the basics of cybersecurity, is because phishing is just a fact of the online environment. When faces are gone and we are all text, some people can’t help but try and trick others. Some try to steal your money. Some are trying to steal your identity. Some are just looking to exploit or bother or embarrass. But the number one rule of the internet is: Don’t get phished.
But how do you do that with hackers getting more sophisticated with each iteration? It’s actually not as hard as you think. If you understand the basic elements of phishing and malware, anyone can protect themselves from phishing attacks.
The Phisher’s Criminal Mentality
The first thing to know is that phishing schemes are “rattling doorknobs” in the internet world. A petty thief might walk down a row of houses checking for an unlocked door. It’s opportunism and hackers almost always take the path of least resistance. The more passive resistance you create in your infrastructure and your routines, the more difficult you will be to hack. Period.
The other kind of phishing is more direct, but less common. Sometimes, a hacker with a specific target will get personally involved. They will send messages that create a sense of urgency and even start texting or talking on the phone to convince their target of the phish. In this case, they are in the mentality of a door-to-door salesperson. They are trying to get you to bite. They tell you that you need flood insurance because there’s a flood coming, then show you pictures of moving water.
What Phishers are After
The next step is to understand what hackers are after. By knowing the kinds of things that hackers and phishers find to be “treasure” you can get in the habit of denying these things to new contacts. Real coworkers, friends, and business partners will understand your caution about sharing, say, your home address or bank account number, while a phisher will pressure for access.
By being careful to deny a hacker’s specific goals, you make yourself far more of a “locked doorknob” for opportunistic hacks.
Your Personal Information
Hackers can use your specific personal information to impersonate you or sell your identity on the dark net. The more they know, the more you can be targeted. This includes both current personal information, like your address and password, and past personal information that might, say, be used in a security question or to access an older account. They can also use this information later to phish you more deeply, by posing as your bank for example.
- Full legal name, nicknames, aliases, and married names
- Current home address and past home addresses
- Your banking institution or bank account number
- Your employer, coworkers’ names, exact position, or specific work history
- Names of clients or business partners
- Family names, ages, addresses, and family history
- Your school or children’s schools
- This information about anyone else
To Infect with Malware
Malware gives a hacker access to your computer and possibly access to any computer you network with. Malware might spy on you, show you spam, or hack your work databases, so be careful. Malware usually comes from clicking an infected link, opening an infected file, downloading something, or visiting non-secure websites.
Watch out for any phishing scheme that seems to focus on getting you to click a link, download a program, or open a file on your computer.
Some phishing hackers know exactly what they want: money. These phishers usually have a plan, a specific scheme they are running on targeted victims. The victim might be a private consumer whose “account is in danger” or who has an “outstanding debt” or an emergency medical bill or some such nonsense. Or they might target a professional, posing as a client or business partner or boss who requires money to be moved immediately, without checking up the chain first.
Never transfer money without doing a multi-point check, including calling the supposed contact at the real number. For example, call your bank using the number on its website, call your boss on their cell, etc.
Protected Company Information
The casual environment of phishing theft created a place for corporate espionage. Among the phishers who just want your home address and all your money are those looking to steal secured information from competing companies or to expose corporate information for profit. There are hackers who are working for the competition and those who just want to steal databases full of credit card numbers and home addresses.
Any time an unusual request comes through for access to or copies of protected company data, your phishing red flags should go up.
Access for Long-Term Spying/Data-Theft
Finally, phishers may be looking for long-term access, possibly to plant malware that will lurk for months or years gathering data undetected.
Common Phishing Scheme Angles
Now for a quick look at how phishers get your attention and hook people into doing their bidding, even when the story doesn’t stand up:
Casually Give Information
The best situation for a phisher is if your alerts never go up. That’s why they pose as customer service or a friend you commonly text with. They ask for a quick re-up on information, and you give it. Watch out for any new or “new number” contacts asking for personal information.
Respond to an Emergency or Peril
Phishers often create a sense of urgency by pretending there’s some situation. They might pretend to be a family member in trouble, or a coworker in a pinch. They might pretend to be your boss’ boss with a deadline. They might say your dog is at the vet and quick information is needed. Watch out for sudden emergencies that somehow prevent you from verifying with other sources.
You Have Won Something
The classic prize winner tactic: tell someone they’ve won a prize, then ask for their address and name to send it. Maybe you don’t remember entering, or maybe the hacker even skimmed names from a contest you did enter. Either way, never send money ahead of your prize or give any personal information in response. Then contact any legit prize-offering organization to confirm.
Pressure from Above
Finally, hackers may pretend to be an authority to make you jump. They might pose as your company’s CEO or an important client or business partner. They might pretend to be your boss receiving pressure from on high. The goal is to keep you from checking with your superiors on unusual orders because, supposedly, the orders came from them.
A good boss will appreciate the “Hey, am I being phished?” check when it matters.
Not getting phished is all about understanding how phishing works. Know the mentality, know the tactics, and you can’t get reeled in. For more insights into defense from social hacking, contact us today!