The Frightening Sophistication of the Phishing Scam
We’re long past the days of typo-filled emails from Nigerian princes who promised to share great wealth if the recipient will only pay a nominal fee upfront. Today’s phishing frauds are far more sophisticated and successful. They are harder to spot, and con artists have expanded beyond emails to text messages and phone calls as well.
You have likely heard of phishing, a con that uses fake emails to convince the receiver to share personal information or click a link so the sender can harm the receiver and profit in the process. The con usually includes email spoofing, which uses tricks to make an email look like it comes from a legitimate source.
Different Phishing Scam Types
Phishing cons have gotten more sophisticated and have taken on different forms.
- Spear phishing: Most phishing cons cast a wide net, sending mass emails to many people hoping a few will take the bait. Spear phishing, however, is an attack aimed at specific people or companies and uses personal information about the target to increase the effectiveness of the attacks.
- Whaling: This is like spear phishing but directed at high profile targets among the rich, powerful, or well-placed. Many targets are senior executives in successful companies.
- Smishing: Also called SMS phishing, this attack uses text messages rather than emails. The goal is to make the receiver share personal information by asking them to call a number, click a link, or send an email.
- Vishing: Also called voice phishing, this attack comes as a voice message and often uses a fake caller ID that makes the call seem legitimate.
The Anatomy of a Successful Attack
Each of these attacks is dangerous enough on its own, but paired together, they take on an added level of danger. Consider this scenario: You’re in a store on your lunch hour trying to run some quick errands. You get a text that says your debit card is locked because of suspicious activity. As you stand there, trying to grasp what this means and how you should respond, your cell phone rings. The caller ID says it’s from your bank. You answer and the person on the phone claims to be from your bank. They ask if you received the text about your bank card. They promise to clear it all up. All you need to do is provide your card number to prove they’ve reached the right person.
A text or phone call might raise your suspicions. However, when receiving the two together, these incidents take on an air of believability. That may be just enough to convince someone to fall for the scam. From my experience, this type of con isn’t the most common phishing attack being used, but it is currently the most successful. It’s not common because it takes a sophisticated operation to pull off, but it is successful because it seems legitimate to the victim.
The Stop-Think-Click Moment
The stop-think-click moment is that brief time when the consumer can either heed their inner suspicions and protect themselves or heed fear and fall prey to the con. Hackers and thieves understand FUD—fear, uncertainty, and doubt—very well. They know if they trip these powerful triggers, their attack will be more effective.
Everyone makes mistakes, especially in moments of stress or distraction. In a situation like this, you have only moments to make a good decision to protect yourself. You must ask yourself if your bank has ever cold-called you before. Has anyone from your bank ever texted you about the status of your debit card? It’s helpful to listen to your inner doubts and suspicions. It also helps to learn more about these types of attacks so that you’ll recognize them when they happen. You should also know what a bank will or won’t ask and will or won’t do.
The American Bankers Association helps educate consumers on cybersecurity with a campaign called Banks Never Ask That. No bank will cold call, text, or email you to ask for any of the following:
- Account number
- Username or password
- Social Security number
- PIN
- Birthday
- Address
- Answer to a security question
Don’t provide this information to anyone who randomly contacts you. If you’re suspicious, call your bank directly. It's important to note, however, that should you contact your bank using their known customer service number, you will have to verify who you say you are. This can include providing security information such as your name, account number, or answering a security question. This will under no circumstance include any online information such as a banking password or username.
Protecting Yourself
Beyond listening to your inner cautionary voice and learning about scam types, what else can you do to protect yourself?
- Don’t provide personal information to anyone. Never respond to an unsolicited message, whether email, text, or phone call. Your bank won’t cold call you or email or text you out of the blue.
- Practice good password hygiene. Use different and strong passwords for every site. If you use the same passwords for multiple accounts and a company has a data breach and loses your username and password information, a thief now owns the key to all your accounts. If you can’t track that many passwords, consider using a password manager like LastPass or Keeper.
- Use multi-factor authentication (MFA). MFA requires using two or more means to verify your identity. How this works is, when you log onto a site from your computer, you can’t proceed unless you enter a code that was texted to your cell phone. It takes a sophisticated attack to bypass MFA, and most hackers won’t waste their time.
- Update your systems. Don’t ignore security updates on your phone, PC, laptop, or tablet. These updates and patches fix the security holes and vulnerabilities that attackers take advantage of.
- Pick strong PINs. Don’t use a weak pin or something easily found on social media, like an anniversary or your birthday. If it’s a number combo that an attacker could easily guess simply by knowing a few facts about you, that creates a vulnerability.
- Set up bank alerts. Most banks now let customers set alerts for their accounts. These are texts or emails that you receive if a large purchase is made, if someone tries to change passwords or usernames, or if someone tries to withdraw a large sum from an ATM. With these alerts, you can know within minutes if a scam artist is trying to fleece your funds. With the knowledge, you can call your bank and stop the fraudulent activity in its tracks.
We’re Here to Help
Everyone makes mistakes. If you fall prey to a scam, call your bank immediately. We’re here to help you. If you and your bank act fast enough, it’s possible that you won’t suffer any financial damage from a phishing attack. Contact your bank even if you suspect someone has tried to scam you. Your bank can confirm your suspicions and make suggestions for ways to protect yourself in the future.
What I hope that you’ll take positive actions based on the suggestions found in this article. The best possible outcome is if you are never the victim of a scam because you’ve put these safeguards in place.
For more information check out our fraud and security awareness resources at oldnational.com.