
Common Types of Phishing Attacks
Email Phishing | Phishing emails top this list as one of the oldest and most commonly used types of phishing attacks. Most attempts use emails to target individuals by pretending to come from a trustworthy sender. Dedicated hackers will copy the exact email format from a legitimate company and include a malicious link, document, or image file that can trick the user into "confirming" their personal information or that automatically downloads malicious code.
Spear Phishing | Spear phishing attacks are a more targeted approach to email phishing that focuses on specific individuals and organizations. Using open-source intelligence (OSINT), criminals can gather publicly available information and target entire businesses or sub-departments. They may trick users into believing the email is an internal communication or from a trustworthy source due to access to personal information. (ex. @upgaurd.con instead of @upguard.com)
Email Spoofing | Email spoofing is when a scammer creates try and fool users into believing they are legitimate.
Whaling | If spear phishing emails target specific groups or individuals, whaling is the practice of targeting high-level executives. Also known as CEO fraud, whaling attacks are typically much more sophisticated, relying on OSINT, plenty of research into the company's business practices, and even a deep dive into social media accounts. Because the goal is to successfully dupe the executive, the emails are usually extremely fluent in business communications with near-perfect English. (ex. @upgaurd.con instead of @upguard.com)
Business Email Compromise (BEC) | A business email compromise is similar to whaling, but instead of attempting to trick the executive, it impersonates them. Criminals will impersonate or obtain access to an executive email account with decision-making authority and send internal requests to lower-level employees.
Voice Phishing (known as "vishing") | Vishing is when a scammer calls your phone number in an attempt to steal information or money. New sophisticated technology allows criminals to spoof caller IDs and pretend to be from a trusted source. Typically, the caller will create a sense of urgency to appear authoritative and prevent the recipient from thinking clearly. (ex. Friend or family member is in trouble while traveling outside the country)
Question all links in emails and texts | Shortened URLs, Hyperlinked text, URL misspellings.
Image-Based Phishing | Image-based phishing usually finds itself in the content of a phishing email.
SMS Phishing (Smishing) | SMS phishing, or "smishing," is similar to vishing, but instead of calling, scammers will send SMS text messages with links or attachments.


Pop-Up Phishing | Although most people have an ad or pop-up blocker installed on their web browsers, hackers can still embed malware on websites.
Social Media Phishing | Aside from email, social media has become a popular attack vector for phishing attacks. With so much personal information displayed through social media, attackers can easily use social engineering attacks to access sensitive data.
Angler Phishing | Attackers can take social media phishing to another level by posing as customer support staff in an angler phishing attack. The scammers will create a fake account and contact a disgruntled user they found through comments or posts on a social media account.
Evil Twin Phishing | An evil twin phishing attack creates an unsecured Wi-Fi hotspot access point that baits unsuspecting users into connecting. Once connected, all inbound and outbound data can be intercepted, including personal data or financial information. Hackers can also prompt the users to visit a fake website portal in hopes the user will provide valuable authentication details.
Searching the Web (Google Searches) → Know the difference between Paid Search & Organic Search results. Scammers will buy Search Terms to deliver Paid Search Results to show on top of page 1.
Website Spoofing | Attackers will create an entirely fake website in a website spoofing attempt to steal your personal information. A well-made fake website will contain the same elements as the original, including logos, text, colors, and functionality. Finance, healthcare, and social media websites are commonly spoofed because they often contain your most important information.
Watering Hole Phishing | Watering hole phishing is a tactic that targets one particular company or group of people by infecting a third-party website they frequently visit. The attackers find and exploit a vulnerability on the website, infect the site with malware, and then bait users by sending emails directing them to the site.
Man-in-the-Middle (MITM) Phishing | A man-in-the-middle phishing attack is when an attacker intercepts and alters a communication chain, effectively becoming the "middleman." The attacker then controls the communication flow and is responsible for sending and receiving all messages. While the attacker is intercepting the data, he can manipulate it to gain personal information from both parties.
1. What is identity theft?
2. How can you spot a phishing scam?
3. What should you do if you receive a phone call from a scammer?
4. How can you protect yourself from social media scams?
5. What red flags should you look for when considering an investment opportunity?
6. What are some common tax scams?
7. What are the warning signs of a lottery or sweepstakes scam?
8. What steps should you take if you suspect you have been a victim of identity theft or fraud?
9. How can you safeguard your personal information to prevent identity theft?
10. What are some common tactics that scammers use to trick people?
FAQ | Answers
1. What is identity theft?
Identity theft is a crime in which an individual fraudulently uses another person's personal information, such as their name, Social Security number, or credit card information, without their permission in order to commit financial fraud or other crimes. This can include opening credit card accounts, taking out loans, or making purchases using the stolen information. The impact on the victim can be severe, including damage to their credit score and the need to spend significant time and money to restore their identity.
2. How can you spot a phishing scam?
There are several signs that an email or message may be a phishing scam. Some of these include:
● Unexpected or unsolicited requests for personal information: Legitimate organizations will not typically ask for sensitive information, such as passwords or Social Security numbers, via email or message.
● Urgent language or a sense of urgency: Scammers may use language that urges you to act quickly or threatens negative consequences if you don't, in order to pressure you into providing information or clicking on a link.
● Requests to verify account information: Legitimate organizations may ask you to verify your account information, but they will typically do so through a secure portal or by asking you to call them directly.
● Unusual or suspicious email addresses: Scammers may use email addresses or URLs that are similar to those of legitimate organizations, but with slight variations, in order to trick you into thinking the message is legitimate.
● Grammatical errors or awkward language: Phishing emails may contain spelling and grammar errors, or use awkward or stilted language.
● Requests to download software or open attachments: Legitimate organizations will not typically ask you to download software or open attachments from an unknown sender.
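The "slight variations" red flag above (the page's own example is @upgaurd.con instead of @upguard.com) can also be checked mechanically on a mail gateway or in a triage script. The following is an added example, not part of the original article; the trusted-domain list, the distance threshold of 2, and the function names are assumptions.

```python
from email.utils import parseaddr

# Assumption: domains this organisation really sends mail from.
TRUSTED_DOMAINS = {"upguard.com"}
# Assumption: up to two single-character edits counts as a "slight variation".
MAX_DISTANCE = 2


def osa_distance(a, b):
    """Edit distance where insert, delete, substitute and swapping two
    adjacent characters each cost 1 (optimal string alignment)."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cur[j] = min(prev[j] + 1,               # delete from a
                         cur[j - 1] + 1,            # insert into a
                         prev[j - 1] + (ca != cb))  # substitute
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)  # adjacent swap
        prev2, prev = prev, cur
    return prev[len(b)]


def classify_sender(from_header):
    """Return (verdict, domain, matched_trusted_domain_or_None)."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ("invalid", "", None)
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    if not domain:
        return ("invalid", "", None)
    for t in sorted(TRUSTED_DOMAINS):
        if domain == t or domain.endswith("." + t):
            # Only the spelling is right: a forged From header is a
            # separate problem, handled by SPF/DKIM/DMARC checks.
            return ("trusted", domain, t)
    for t in sorted(TRUSTED_DOMAINS):
        # Trusted name used as a leading label of someone else's domain.
        if domain.startswith(t + ".") or "." + t + "." in domain:
            return ("lookalike", domain, t)
        # Misspelling within a couple of edits of the trusted name.
        if osa_distance(domain, t) <= MAX_DISTANCE:
            return ("lookalike", domain, t)
    return ("unknown", domain, None)


# Constructed sample From headers, not taken from real mail.
SAMPLES = [
    "UpGuard Support <billing@upgaurd.con>",
    "alerts@upguard.com",
    "security@upguard.com.example.net",
    "news@example.org",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(classify_sender(header), "<-", header)
```

A "lookalike" verdict is a reason to quarantine or warn, while "unknown" only means the domain resembles nothing on the trusted list.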
3. What should you do if you receive a phone call from a scammer?
If you receive a phone call from a scammer, there are several steps you can take to protect yourself:
● Hang up: If you suspect the call is a scam, do not engage with the caller. Simply hang up the phone.
● Don't give out any personal information: Scammers may ask for personal information such as your Social Security number, credit card number, or bank account information. Do not give out any personal information over the phone.
● Don't trust caller ID: Scammers can use technology to make it appear as if they are calling from a legitimate organization or a familiar number, so don't trust caller ID.
● Report the call: If you receive a scam call, you can report it to the Federal Trade Commission (FTC) by visiting their website or calling 1-877-382-4357.
● Block the number: If you know the number of the scammer, you can block it on your phone, so you won't receive future calls from that number.
● Be aware of IRS scam calls: Be aware that scammers may impersonate the IRS, calling and demanding payment, threatening arrest if you don't pay. The IRS will never call to demand immediate payment or ask for credit or debit card information over the phone.
It's important to remember that scammers can be very convincing and persistent, so it's important to be vigilant and protect your personal information at all times.
4. How can you protect yourself from social media scams?
There are several steps you can take to protect yourself from social media scams:
● Be cautious of unsolicited messages or friend requests: Scammers may send you a message or friend request from a fake account in order to gain your trust and trick you into providing personal information or clicking on a link.
● Be wary of clickbait or too good to be true offers: Scammers may use social media to promote fake deals or offers that are too good to be true. Be skeptical of any offer that seems too good to be true, and do your research before providing any personal information or clicking on a link.
● Keep your personal information private: Scammers may use social media to gather personal information such as your name, address, and phone number in order to commit identity theft or other crimes. Keep your personal information private by adjusting your privacy settings and only sharing information with trusted friends and family. Beware of sharing photos in real time (on vacation = not home), photos of your kids, birthdays, age. Share directly, not with the world.
● Be cautious of links or attachments: Scammers may use social media to send you links or attachments that contain malware or phishing scams. Be cautious of clicking on links or attachments from unknown sources, and do not download any software or open any attachments from unknown senders.
● Be aware of imposter accounts: Scammers may create fake accounts that impersonate friends or family members in order to trick you into providing personal information or money. Be aware that imposter accounts often have few followers and few posts.
● Use two-factor authentication: Many social media platforms offer two-factor authentication, which requires a code sent to your phone or email in addition to your password to log in. Enable this feature to add an extra layer of security to your account.
It's important to be vigilant and to verify the authenticity of the source before providing any personal information or clicking on any links on social media.
5. What are the red flags when considering an investment opportunity?
When considering an investment opportunity, it is important to be aware of red flags that may indicate a potential scam or fraudulent activity. Some of these red flags include:
● High returns with little or no risk: Be wary of investment opportunities that promise high returns with little or no risk. Legitimate investments generally come with some level of risk, and there is no such thing as a risk-free investment.
● Pressure to act quickly: Scammers may use pressure tactics to get you to invest quickly before you have a chance to research the opportunity or seek professional advice. Be wary of any investment opportunity that requires you to act quickly or has a deadline to invest.
● Unsolicited offers: Be cautious of unsolicited offers of investment opportunities, especially those that come through email or social media.
● Vague or confusing information: Be wary of investment opportunities that are not transparent about their fees, past performance, or the nature of the investment. If an investment opportunity is not clear about how your money will be used or what the risks are, it may be a scam.
● Unlicensed sellers: Investment opportunities should be offered by licensed professionals. Be wary of anyone who is not licensed to sell securities or is not registered with the proper regulatory agency.
● Guaranteed returns: Be cautious of any investment opportunity that guarantees a specific return. Legitimate investments do not guarantee returns and past performance is no indication of future performance.
● Offshore investments: Be cautious of investment opportunities that are based in other countries, as it can be harder to research the opportunity or to recover your money if something goes wrong.
It is important to be vigilant and to do your due diligence before investing your money: research the company, the management, and the industry. Seek professional advice, and invest only what you can afford to lose.
6. What are some common tax scams?
There are several common tax scams that individuals and businesses should be aware of:
● Phishing scams: Scammers may use email or phone to impersonate the IRS or other government agencies in order to trick you into providing personal information or money. The IRS will never initiate contact with taxpayers via email or phone to request personal or financial information.
● Fraudulent tax preparers: Scammers may pose as tax preparers in order to steal your personal information or money. Be wary of tax preparers who promise larger refunds than other preparers or who charge a percentage of your refund as their fee.
● Identity theft: Scammers may use stolen personal information to file a fraudulent tax return and claim a refund in someone else's name.
● Offshore tax havens: Scammers may encourage individuals to evade taxes by claiming false deductions or hiding money in offshore accounts.
● False claims for tax credits: Scammers may encourage individuals to claim false tax credits, such as the fuel tax credit or the earned income tax credit, in order to receive a larger refund.
● Business email compromise (BEC) Scam: Scammers may use BEC to request W-2 information, employee personal information, or wire transfer information.
● Phone scams: Scammers may use the phone to impersonate the IRS or other government agencies and threaten arrest or other legal action if you don't pay taxes that you don't owe. Let your voicemail take the call!
It's important to be vigilant and to protect your personal information. Be aware of the tactics scammers use, and verify the authenticity of the source before providing any personal information or money, especially if you're unsure of the legitimacy of the request.
7. What are the warning signs of a lottery or sweepstakes scam?
Lottery and sweepstakes scams are a common type of fraud in which scammers use various tactics to trick individuals into paying money or providing personal information in order to claim a prize that doesn't exist. Some warning signs of a lottery or sweepstakes scam include:
● Unsolicited contact: Scammers may contact you by phone, email, or mail and inform you that you have won a prize or a lottery, even if you never entered the contest.
● Requests for money or personal information: Scammers may ask for money or personal information, such as your bank account or Social Security number, in order to claim your prize or to cover taxes or other fees. Legitimate lotteries and sweepstakes do not require you to pay any fees to claim your prize.
● Pressure to act quickly: Scammers may use pressure tactics to get you to act quickly, such as saying the prize will expire if you don't claim it right away or that you need to pay a fee to claim your prize.
● Suspicious phone numbers or email addresses: Lottery and sweepstakes scammers may use phone numbers or email addresses that are similar to those of legitimate organizations but with slight variations to trick you into thinking the message is legitimate.
● Requests for bank account or credit card information: Scammers may ask for your bank account or credit card information to "verify" your prize winnings, or to take out a fee or taxes.
● Requests for a fee to claim your prize: Scammers may ask for a fee to claim your prize, such as for taxes, shipping and handling, or processing fees. Legitimate lotteries and sweepstakes will not ask you to pay any fees to claim your prize.
● Requests to wire money: Scammers may ask you to wire money, especially international wire transfer, in order to claim your prize. Legitimate lotteries and sweepstakes will not ask you to wire money to claim your prize.
It's important to be vigilant and to research any lottery or sweepstakes that you are not familiar with, and never give out personal information or money to someone you don't know or trust.
8. Taking Action | Steps to take if you suspect you have been a victim of identity theft or fraud
If you suspect that you have been a victim of identity theft or fraud, there are several steps you should take to protect yourself:
● Contact your financial institutions: Contact your bank, credit card companies, and any other financial institutions where you have accounts. Inform them of the fraud and request that they freeze or close any accounts that have been compromised.
● Monitor your accounts: Check your account statements and credit reports regularly to ensure that no unauthorized transactions have taken place.
● File a police report: File a police report with your local law enforcement agency. This will provide you with an official document that you can use to prove that the crime occurred.
● Notify the Federal Trade Commission (FTC): You can file a complaint with the FTC at IdentityTheft.gov, or by calling 1-877-438-4338. Learn more about identity theft at ftc.gov/IDTheft. And, if identity theft happens to you or someone you know, visit IdentityTheft.gov to report it and get a personalized recovery plan.
● Place a fraud alert or credit freeze: You can place a fraud alert on your credit report, which will notify you if anyone attempts to open an account in your name. You may also want to consider placing a credit freeze on your credit report, which will prevent anyone from opening an account in your name without your permission.
● Review your medical records: If you suspect medical identity theft, contact your health care providers and insurance companies to review your medical records for any unauthorized treatments or charges.
● Review your tax records: If you suspect tax identity theft, contact the IRS Identity Protection Specialized Unit at 1-800-908-4490.
● Keep track of all your contact: Keep a record of all the contact you have with the organizations you have contacted, including the date, the name of the person you spoke with, and the outcome.
It's important to act quickly. It can take a significant amount of time and effort to resolve the issue and restore your identity.
9. Safeguarding your personal information from identity theft!
There are several steps you can take to safeguard your personal information and prevent identity theft:
● Protect your Social Security number: Your Social Security number is a key piece of personal information that identity thieves need to open bank accounts or credit card accounts in your name. Be careful with who you give your Social Security number to, and never carry your Social Security card in your wallet or purse.
● Use strong and unique passwords: Make them complicated! Use strong and unique passwords for all of your online accounts, and never use the same password for multiple accounts.
● Keep your personal information private: Only share your personal information with trusted organizations or individuals. Be cautious of unsolicited phone calls, emails or messages asking for your personal information.
● Use security software: Use security software such as antivirus, anti-spyware, and firewall software to protect your computer from malicious software and hackers.
● Be wary of phishing scams: Be cautious of unsolicited phone calls, emails or messages that ask for your personal information, especially if they ask for your password or other sensitive information.
● Secure your mail and trash: Always shred any sensitive documents before discarding them, and use a locked mailbox for outgoing mail. Sign up for USPS Informed Delivery.
● Use a credit freeze: A credit freeze will prevent anyone from opening a credit account in your name without your permission. Unfreeze as needed 3+ days in advance.
● Monitor your accounts regularly: Check your credit reports and bank statements regularly to ensure that there are no unauthorized transactions.
● Use two-factor authentication: Two-factor authentication adds an extra layer of security to your online accounts by requiring a code sent to your phone or email in addition to your password to log in.
10. Common tactics that scammers use to trick people
● Impersonating a trusted source: Scammers may impersonate a government agency, financial institution, or other reputable organization in order to gain trust and trick people into providing personal information or money.
● Creating a sense of urgency: Scammers may use language that creates a sense of urgency or pressure, such as threatening legal action or saying that a prize will expire if you don't act quickly, to trick people into making hasty decisions.
● Offering a deal that is too good to be true: Scammers may offer a deal that is too good to be true, such as a high-return investment or a free vacation, in order to trick people into providing personal information or money.
● Using social engineering: Scammers use social engineering tactics such as phishing, pretexting, baiting, and scareware to manipulate people into giving away sensitive information.
● Using fear, guilt or greed: Scammers may use fear, guilt or greed to manipulate people into giving away money or personal information.
● Using a fake website or phone number: Scammers may create a fake website or phone number that looks similar to a legitimate one in order to trick people into providing personal information or money. Google Voice is a common tool used by scammers.
● Using a scam caller ID: Don’t trust caller ID. Scammers can use technology to make it appear as if they are calling from a legitimate organization or a familiar number, so as to trick people.
● Using a scam email or message: Scammers may use email or message to trick people into providing personal information or money, or to download malware or open an attachment that will compromise the security of their device.






Check List | Minimize Your Exposure
Don’t Share Too Much: In Person • On The Phone • Through Email * Especially Social Media
Have Long, Strong, and Unique Passwords → Use Password Management Tools
Perform software updates for all devices, especially laptops and phones: OS updates patch vulnerabilities, potential exploits. Look up NSO Pegasus, “Zero Days”, or “Zero Click”.
Secure all Computer & Devices
○ Latest antivirus, malware, OS updates
○ Hard to decipher PINS and PASSWORDS
○ Never share over email or SMS or any digital channel
○ Use a devoted email for all shopping/transactions
○ Be careful with letting remote “customer service” representative take control of your computer
Freeze Your Credit with all three credit agencies (Equifax, TransUnion, Experian)
Never “authenticate” yourself to anyone who contacts you and asks you to confirm who you are.
Set privacy controls on all social media. Don’t overshare, and don’t participate in polls or quizzes online; they could be phishing for answers to your security questions.
Use 2-factor authentication everywhere you can
Secure all documents. Shred and destroy as needed.
Beware what you carry with you
○ Never carry your SSN or your kids'
○ Never carry your Medicare card → Take a photo then redact all #’s except the last 4 digits.
○ Limit the credit cards you carry
Check List | Monitor Your Accounts
Regularly generate your credit report from all 3 credit agencies (AnnualCreditReport.com)
Set up bank & credit card transaction alert notifications
Consider credit monitoring services. Your insurance company and/or business may offer this service.
Check List | Manage the Damage
Help may be available from the Insurance Carrier, Financial Services Provider, or Employer. They may offer liability and/or identity protection services
Have a contact list of companies, credit accounts, bank accounts, etc. as a reference sheet in case your identity is stolen.