The Evolution Of Phishing

We’re all familiar with the 419 email scam, where a “wealthy” Nigerian “prince” asks for help accessing an unexpected financial windfall. This clichéd scam is perhaps the best-known example of a phenomenon known as phishing, where emails are sent by fraudsters in an attempt to make financial capital out of gullible recipients.
The first recorded instance of phishing involved the AOL dial-up internet service. Unsolicited emails requested personally identifiable information (PII) from account holders, including passwords and credit card numbers. When AOL cracked down on this in the mid-1990s, the spammers set up generic email accounts via other providers. These emails looked like they’d been sent by popular organizations, including UPS, PayPal, and Amazon. The goal was to acquire bank account information, social security numbers or login credentials, before committing financial fraud in the victim’s name.

Plenty more phish in the sea

With the majority of global email still being spam of one form or another, phishing has evolved into a multi-billion-dollar industry. By the early 2000s, scammers were registering domains like to give the From fields in their messages greater apparent authenticity. In 2014, 110 million credit cards were compromised when an employee of a sub-contractor working for Target mistakenly clicked a malicious link. Phishing attempts are soaring year on year, and 56% of global phishing sites are based right here in America.
Given the huge profits to be made out of fraudulently acquired PII, sub-genres have evolved. Spear phishing ramps up the authenticity by mentioning genuine information (often harvested from social media) in messages to specific individuals, while whaling is aimed at C-suite executives. It’s possible to buy ready-made ‘phishing kits’ on the Dark Web, or to outsource the whole business to third-party specialists who own dedicated web servers and huge email databases for mass spamming purposes.

A vish-ous cycle

While phishing is email-based, vishing and smishing respectively relate to telephone calls and SMS text messages. The former usually involves unsolicited calls from anonymous or spoofed numbers, claiming a security breach requires urgent resolution. In reality, the only breach will be the one caused by handing over the PII requested in the call. In extreme situations, the phone line might even be hijacked, so attempting to ring a legitimate agency redirects the victim back to the scammers’ call center.
Smishing is conducted via texts containing a web page hyperlink or a phone number (usually a recorded message service) where victims are encouraged to divulge PII. Smishing maximizes anonymity and affordability for criminals, though success rates are lower in short text messages where verbal persuasion isn’t possible. As in phishing attacks, SMS hyperlinks direct people to web pages laden with malware or spyware.

To server and protect

Despite its ubiquity, phishing is easy to avoid. These are Westhost’s tips for staying safe:

  1. Run antivirus software at all times and scan incoming messages on both desktop and laptop computers.
  2. Question every email. If an eBay message claims there is a problem with your order, consider if you’ve actually bought or sold anything lately.
  3. View the sender address. Hovering your mouse over the From field in an email often reveals the genuine email account it was sent by, rather than the display name.
  4. Don’t click links. If a message claims you need to access your account, log in using a separate web page rather than following the link. Alternatively, ring the organization up instead.
  5. Avoid opening unsolicited attachments. It’s easy to bury malware inside Office documents or media files – don’t open attachments unless they’re definitely genuine.
  6. Google the message’s subject line and add the word “scam” to see if other people have received similar emails and reported them as bogus.
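Tip 3 rests on the fact that a From header carries two separate things: a free-text display name that the sender can set to anything, and the actual address in angle brackets. The following is an added example, not Westhost’s code, that parses a header and flags a brand named in the display name whose sending domain does not match; the brand-to-domain mapping and the sample headers are constructed assumptions for illustration.

```python
"""Flag From headers whose display name claims a brand the sending domain does not match."""
import re
from email.utils import parseaddr

# Brands named on the page mapped to sending domains; an assumption for this example,
# not an authoritative allow-list.
KNOWN_BRANDS = {
    "paypal": {"paypal.com"},
    "amazon": {"amazon.com"},
    "ups": {"ups.com"},
    "ebay": {"ebay.com"},
}


def registrable(domain: str) -> str:
    """Crude two-label approximation: 'mail.paypal.com' -> 'paypal.com'."""
    labels = domain.lower().strip().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain.lower()


def check_from_header(raw_from: str) -> dict:
    """Split a From header into display name and real address, then compare them."""
    value = raw_from.strip()
    if value.lower().startswith("from:"):          # accept 'From: ...' or just the value
        value = value[5:].strip()
    display_name, addr_spec = parseaddr(value)     # e.g. ('PayPal Support', 'x@y.example')
    domain = addr_spec.rsplit("@", 1)[1] if "@" in addr_spec else ""
    # Whole-word match so a word like 'Support' does not trigger on 'ups'.
    claimed = [b for b in KNOWN_BRANDS if re.search(rf"\b{b}\b", display_name.lower())]
    mismatch = any(registrable(domain) not in KNOWN_BRANDS[b] for b in claimed)
    return {
        "display_name": display_name,
        "address": addr_spec,
        "domain": domain,
        "claimed_brands": claimed,
        "suspicious": mismatch or not domain,  # no parseable address is itself a red flag
    }


# Constructed sample headers for illustration; none are real messages.
SAMPLE_HEADERS = [
    '"PayPal Support" <service@paypal.com>',
    '"PayPal Support" <paypal-alerts@mail-secure-login.example>',
    "From: Amazon Orders <no-reply@amazon.com>",
    '"UPS Delivery" <ups@freemail.example>',
    "Jane Doe <jane@example.org>",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        result = check_from_header(header)
        verdict = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{verdict:10} {result['display_name']!r} -> {result['address']}")
```

The address itself can also be forged, so this catches only the common case where the lookalike lives in the display name and the real account is elsewhere; treat a clean result as a prompt to follow tip 4 and log in separately, not as proof the message is genuine.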