Phishing scammers become more sophisticated
by Carol Thompson
As phishing scams become more sophisticated, consumers need to be more on guard when suspicious email arrives in their inbox.
Phishing is a criminal mechanism employing both social engineering and technical subterfuge to steal consumers’ personal identity data and financial account credentials. Social engineering schemes use spoofed emails purporting to be from legitimate businesses and agencies, designed to lead consumers to counterfeit websites that trick recipients into divulging financial data such as usernames and passwords. Technical subterfuge schemes plant crimeware onto PCs to steal credentials directly, often using systems to intercept consumers’ online account usernames and passwords and to corrupt local navigational infrastructures to misdirect consumers to counterfeit websites (or to authentic websites through phisher-controlled proxies used to monitor and intercept consumers’ keystrokes).
The email can purport to be from a credit card company, a bank, a department store, a government agency or even the FBI. The predators hope to entice the receiver into opening the message, pushing the panic button, and clicking a link that leads to a bogus website whose only purpose is to steal personal information.
Despite the obvious errors in the email, thousands of consumers fall prey to phishing email. The experts say the best thing a consumer can do is to telephone the company or agency listed as the sender to confirm the email.
The messages generally contain telltale signs that should raise a red flag. One of the most prominent signs, according to the Anti-Phishing Working Group (APWG), is a message addressed “Dear customer” with no mention of the recipient’s name. In recent years, however, phishing emails have become more sophisticated, making it difficult to distinguish between a legitimate message and a fake.
- Simple but dangerous: Most of us think we’re too smart to fall for phishing, but our research found some fake websites worked a whopping 45 percent of the time. On average, people visiting the fake pages submitted their info 14 percent of the time, and even the most obviously fake sites still managed to deceive three percent of people. Considering that an attacker can send out millions of messages, these success rates are nothing to sneeze at.
- Quick and thorough: Around 20 percent of hijacked accounts are accessed within 30 minutes of a hacker obtaining the login info. Once they’ve broken into an account they want to exploit, hijackers spend more than 20 minutes inside, often changing the password to lock out the true owner, searching for other account details (like your bank, or social media accounts), and scamming new victims.
- Personalized and targeted: Hijackers then send phishing emails from the victim’s account to everyone in his or her address book. Since your friends and family think the email comes from you, these emails can be very effective. People in the contact list of hijacked accounts are 36 times more likely to be hijacked themselves.
- Learning fast: Hijackers quickly change their tactics to adapt to new security measures. For example, after we started asking people to answer questions (like “which city do you log in from most often?”) when logging in from a suspicious location or device, hijackers almost immediately started phishing for the answers.
Experts recommend consumers remain vigilant and report any suspicious email to their email provider or the authorities.
Image: Flickr: Pieter Musterd