We’ve all seen and heard the word phishing, a cybercrime by means of which attackers try to trick us into giving away data that we’re not supposed to share with them.
Typically, they’re after information such as payment card details, usernames and passwords, or even those multi-factor authentication (MFA) codes that are supposed to keep us safe because they’re valid for one use only.
But if you type your password and your current MFA code into a fake website by mistake, you provide attackers with a short window of opportunity to masquerade as you.
So, adopting MFA doesn’t magically solve all your phishing problems, not least because today’s crime gangs either automate attempts to log in as soon as a stolen MFA code arrives, before it expires, or have a “call center” of human operators working shifts to abuse those codes by hand, or both.
Although having humans on call to process stolen MFA codes manually takes a bit more organization than just using automated scripts, it’s still worth it for the criminals.
Their crooked shift workers only get notified when a potential victim has already dug themselves in deep, and they can apply human levels of intelligence and insight to adapt fluidly to any changes in the login process that the target site might have implemented to throw fully automated tools off the scent.
Just to be clear: MFA does improve your cybersecurity situation, not least because it makes your password alone insufficient for attackers. They need to get your password, and then also to get hold of an MFA code that they typically only have a few minutes to abuse. That does make things harder for them, so don’t let the fact that MFA isn’t a “silver bullet” security solution put you off using it.
Phishers typically use one or more of a number of psychological tricks to lure you into handing over information, such as:
Most phishing attacks arrive by email, because that’s the online communication tool that’s easiest to abuse in bulk, allowing attackers to send millions or even tens of millions of manipulative messages all around the world in just a few minutes, at a cost that’s close to $0.
These fraudulent emails usually include a clickable web link that lands you on a bogus web page, where the crooks put you in front of a genuine-looking login page or payment screen, and then lure you into filling in personal information such as card numbers or passwords before you realize that it’s not the real deal.
Web pages are a popular destination for what’s known as the call-to-action in a phishing attack, because new websites are cheap and easy to set up, and can automatically fleece hundreds of potential victims at the same time.
Also, easy-to-use open-source tools exist that can create clones of legitimate sites in just a few seconds.
These tools automatically copy fonts, logos, graphics, stylesheets, scripts and content to produce pixel-perfect replicas of the real site, while also inserting hard-to-spot booby traps to catch out the unwary.
They are generally pitched as “for research purposes only,” or for use by corporate security teams looking to test their staff with simulated phishing attacks, but they are just as useful for greedy cybercriminals who don’t have the technical ability or the inclination to do the job themselves.
Not all phishing attempts rely on rogue websites, of course, not least because some criminals are determined to avoid asking you to click on a link at all, in a deliberate effort to seem “unphishy” simply by doing something a bit different.
Some scammers may urge you to call a phone number instead, or to reply to an instant message for further information.
They may even play a much longer game by joining an online forum to which you belong, building up a measure of trust within the group, and then pitching the “good services” of someone who is part of their scamming gang, as we reported recently in our article IC3 scam-reporting service abused by scammers.
As the IC3 scam above shows, with its starting point in online forum posts rather than in an inbox, not all phishing attacks are initiated by email.
After all, email is comparatively easy for companies to filter or to quarantine (meaning that it’s delayed to give time for it to undergo more careful checking) before it lands in the inboxes of their staff.
And we’ve become so used to email as a vehicle for spams, scams and phishing campaigns that other forms of contact somehow feel safer in comparison, even though scammers know how to abuse them, too.
In fact, phishing scams that rely on alternative forms of initial contact have led to a slew of punning names that remind you how they are conducted.
Some commentators object to these names because they think they sound corny and “made up,” though of course that’s exactly what they are, with the intent of providing a short, memorable, and self-descriptive reminder of how they work:
Smishing is not as prevalent as email-based phishing, primarily because sending tens of millions of unwanted text messages takes more work (and costs more money) than sending unsolicited bulk emails, but that’s cold comfort to people whose mobile numbers have found their way onto smishing lists that are readily available to cybercrime gangs.
Nevertheless, despite (or perhaps because of) its old-fashioned simplicity, smishing can be surprisingly effective.
Firstly, all mobile phone numbers can receive SMSes, whether the user has the latest messaging or social media apps installed or not.
Secondly, the routine use of SMSes for legitimate notifications has led us to accept them as expected, and even as useful, in our everyday lives.
Thirdly, SMSes are of necessity short, and therefore commonly follow an abbreviated, easy-to-copy style that criminals can imitate believably. Text messages generally don’t sweat the small stuff that non-native language speakers often struggle with, such as business greetings, pleasantries, and sign-offs.
Fourthly, again thanks to the “short” in SMS, text messages that include web links very commonly use link shorteners that we have become accustomed to accept and use, even though they obscure the true destination of the link.
Fifthly, and perhaps most significantly, smishing attacks – like the quishing tricks we mentioned above – inevitably unfold on your mobile device. Any links you tap on are opened in the cramped confines of your mobile browser, where security warning indicators are simply not as easy to see and take account of as they are in a laptop or desktop browser.
Now read Part 2, where we dive into a real-world smishing scam that we received ourselves, on a personal mobile phone.
We start with the SMS that contained the web-based lure, go under the hood to observe the machinations of the data-stealing website that the criminals set up, and see how they got hold of personal data, potentially including payment card numbers, and multi-factor authentication (MFA) codes.
You’ll learn about a range of tricks that the criminals use, including:
You can find plenty more helpful advice by clicking on the images that link to the previous articles we mentioned above...
...and don’t forget to head to Part 2 to learn more about online scams and how to avoid them!
Paul Ducklin is a respected expert with more than 30 years of experience as a programmer, reverser, researcher and educator in the cybersecurity industry. Duck, as he is known, is also a globally respected writer, presenter and podcaster with an unmatched knack for explaining even the most complex technical issues in plain English. Read, learn, enjoy!
Featured image of crocodile by Shelly Collins via Unsplash.