The Phisher's Greatest Ally
In an effort to keep our customers up to speed on the latest trends when it comes to fraud detection and prevention, ThreatMark presents our phishing blog series: Don’t Take the Bait! Follow along as we take you through the holidays, the busiest time for fraudsters, and help you educate your customers on the most common phishing hooks that can easily be avoided.
Greetings friends! And happy holidays. We hope you’re enjoying the magical season and playing it safe with your Santa shopping. This week brings us to one of the most crucial components of fraud prevention. Any guesses what the weakest link is when it comes to even the most sophisticated phishing scam? If you’re looking for a hint, you don’t have to look far. In fact, all you really have to do is take a glance in the closest mirror.
Solving For the Weakest Link
Human Tendency for The Win
Believe it or not, it's true! When it comes to just about any phishing scam, the most common threat begins and ends with the human element. And we say this with absolutely zero judgment. It's not the easiest thing being human, after all. We don't have a plethora of code continuously telling us what to do. Instead, our minds are constantly consumed with the busyness of life. And for good reason. But because of the inevitable squirrel syndrome that typically accompanies our human tendency, we happen to be any fraudster's greatest ally.
AI has it easy. It has one job, and it knows how to do it exceptionally well. Now, take the average human who wears a multitude of hats on any given day, is tasked with job responsibilities, family obligations, life goals and desires, and breaks for 5 distracted minutes to check their personal email when, lo and behold, their go-to Christmas store is asking them to verify their account credentials to ensure their packages get shipped on time. So, they frantically click the link to verify (now with only 2 minutes left before they have to switch hats) and there you have it: a victorious fraudster with terribly bad karma.
And that really is all it takes – five distracted minutes in the middle of a tremendously busy day – which is why educating your customers on the most common flags to look for is crucial to protecting their data and, consequently, your brand. That being said, below are some of the most common scams to watch out for this holiday season.
Rudolph’s Red Flags
Scams to Watch for This Holiday Season
Phishing’s ultimate goal is to exploit human psychology. Fraudsters count on the fact that you’re going to be distracted and that your foundational filter is a trusting one. This is a reality that can be easily inferred from the following real-life scenarios:
- Bogus Blocking: In this scenario, a phishing email will be sent warning the potential victim that their email account is about to be blocked due to a pending termination request they supposedly submitted. The call to action here will be for you to click on a malicious link to reactivate your account. Another common red flag here is a sense of urgency. Hackers will often say something like "your account will be terminated in the next few hours if you do not cancel this termination request now." If you don't remember sending the request, don't click the link!
- Cancellation Cacophony: Here, an email will be sent alerting you that your subscription to a popular service is about to be canceled immediately if you don't click on the attached link to reverse the cancellation request. The call to action will be something like "if you didn't raise a cancellation request, click here to terminate it immediately." And, of course, clicking on the malicious link will install malware.
- Jingle Jobs: This is one of the most popular ones since the COVID-19 pandemic. Here, unsuspecting victims will receive an email that their profile has been carefully selected for a remote job opportunity they never even applied for, and that sounds way too good to be true. As is the case in just about every scenario, if it seems too good to be true, then it probably is.
- Deactivation Devastation: In this example, an email from one of your payment facilitators arrives telling you that your account is about to be deactivated unless you update your credit card information. Online digital wallets such as PayPal, WePay and the like are common brand hijacks for these.
- Credit Compromise: The sneaky fraudster here knows the victim made a recent purchase at Apple, for example, and sends an email disguised to look like it is from Apple customer support. The email tells the victim their credit card information may have been compromised as a result of their recent purchase and they need to confirm their credit card details to protect their account.
- Social Solicitation: Friends don't let friends get hacked! If you receive a Facebook friend request that seems legitimate, but the new "friend" immediately messages you to download a video, don't do it! A lot of these friend requests are hackers in disguise trying to get you to click on any link they can in order to plant malware on your computer.
- Leery Logins: Here, the perpetrator creates a fake Google Docs login page and sends a phishing email asking you to log in to the fake website. The call to action for this one might look something like this: "We've updated our login credential policy. Please confirm your account by logging into Google Docs." Don't take the bait!
- Irreconcilable Invoices: In this example, someone tries to trick the victim into paying for a product/service they did not order or receive. Hackers may send an invoice that looks official and even claims to be from a company the victim knows or trusts. If you don’t remember purchasing it, don’t pay for it!
- Simulated Support: This one goes just like it sounds. The employee victim receives an email from corporate IT asking them to install new instant messaging software. The email looks real; however, a spoofed email address is used and looks something like this: support@threatmark.com instead of internalsupport@threatmark.com. Should the victim install the messaging software, ransomware will be installed on the company network.
- Unnecessary Upgrades: The victim here receives a message from a well-known email provider (Gmail or Outlook, for example) urging them to update their account or lose their services. The goal here is to capture the victim's login credentials and access their email account illegitimately. To prevent this from happening, the victim should not click on any links in the message or enter personal information into the fake sign-in page.
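The red flags in the list above (urgency language, a request to verify, update, install or log in, a sender address that is almost but not quite the real one, and links that point somewhere other than the brand they claim) can be checked mechanically. The following is an added example, not ThreatMark's code or part of the original post: a small Python scorer that counts those red flags over constructed sample messages. The phrase lists, the brand allowlists (including the stand-in payment provider "examplepay"), the scoring weights and the anchor-text-versus-link-target check are all assumptions made for the example; the only address taken from the post is internalsupport@threatmark.com, named there as the legitimate IT mailbox.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed phrase lists that echo the lures in the scam list above.
URGENCY_PATTERNS = [
    r"\bin the next (?:few|\d+) hours?\b",
    r"\bimmediately\b",
    r"\babout to be (?:blocked|cancell?ed|deactivated|terminated)\b",
    r"\bor lose\b",
]
ACTION_PATTERNS = [
    r"\b(?:verify|confirm|update) (?:your )?(?:account|credentials|credit card|card)",
    r"\b(?:reactivate|reverse|cancel) (?:your|this|the)\b",
    r"\blog(?:ging)? in\b",
    r"\b(?:download|install)\b",
]

# Constructed allowlists (assumption): which mailboxes and link domains are
# legitimate for each brand a message might claim to come from.
# internalsupport@threatmark.com is the legitimate IT address named in the post;
# examplepay.example is a stand-in for a payment provider.
KNOWN_SENDERS = {
    "threatmark": {"internalsupport@threatmark.com"},
    "examplepay": {"notices@examplepay.example"},
}
BRAND_DOMAINS = {
    "threatmark": {"threatmark.com"},
    "examplepay": {"examplepay.example"},
}


@dataclass
class Email:
    sender: str
    subject: str
    body: str
    links: list = field(default_factory=list)  # (anchor text, href) pairs


@dataclass
class Verdict:
    score: int
    reasons: list


def _hits(patterns, text):
    return [p for p in patterns if re.search(p, text, re.IGNORECASE)]


def _host_in(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)


def score_email(msg, claimed_brand):
    """Count red flags for a message that claims to come from `claimed_brand`."""
    text = f"{msg.subject}\n{msg.body}"
    score, reasons = 0, []
    urgent = _hits(URGENCY_PATTERNS, text)
    action = _hits(ACTION_PATTERNS, text)
    if urgent:
        score += 1
        reasons.append("urgency language")
    if action:
        score += 1
        reasons.append("asks to verify, update, install or log in")
    if urgent and action:
        score += 1
        reasons.append("urgency paired with a credential or install request")
    # Lookalike sender: right domain, wrong mailbox (support@ vs internalsupport@).
    if msg.sender.lower() not in KNOWN_SENDERS[claimed_brand]:
        score += 2
        reasons.append(f"sender {msg.sender} is not a known {claimed_brand} mailbox")
    for anchor, href in msg.links:
        host = (urlparse(href).hostname or "").lower()
        if not _host_in(host, BRAND_DOMAINS[claimed_brand]):
            score += 2
            reasons.append(f"link points off-brand: {host}")
        # Anchor text that looks like a URL but leads somewhere else.
        anchor_host = (urlparse(anchor).hostname or "").lower()
        if anchor_host and anchor_host != host:
            score += 1
            reasons.append(f"link text says {anchor_host} but goes to {host}")
    return Verdict(score, reasons)


def is_suspicious(msg, claimed_brand, threshold=3):
    return score_email(msg, claimed_brand).score >= threshold


# Constructed samples: a "Bogus Blocking"-style lure and a routine IT notice.
LURE = Email(
    sender="support@threatmark.com",
    subject="Action required: account termination",
    body="Your account will be terminated in the next few hours if you do not "
         "cancel this termination request now. Log in to reactivate your account.",
    links=[("https://threatmark.com/reactivate",
            "https://threatmark-login.example/reactivate")],
)
LEGIT = Email(
    sender="internalsupport@threatmark.com",
    subject="Scheduled maintenance on Saturday",
    body="The ticketing portal will be unavailable from 02:00 to 04:00. No action is needed.",
    links=[("Status page", "https://status.threatmark.com/")],
)

if __name__ == "__main__":
    for name, msg in (("lure", LURE), ("legit", LEGIT)):
        v = score_email(msg, "threatmark")
        print(name, v.score, v.reasons)
```

The lure trips every check at once (urgency plus a log-in request, a mailbox that is not the known IT address, and a link whose visible text names threatmark.com while its target does not), which is the pattern to train customers to notice: any one flag can be innocent, but several together rarely are. The maintenance notice scores zero because it asks for nothing and links only within the brand's own domain.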
Outsmart Intent
Get Them Before They Get You
Phishing is a type of social engineering attack in which fraudsters try to trick victims into disclosing sensitive data (such as login credentials or credit card information) or persuade them to install malicious software that gives the attacker access to accounts they can then use against the victim. Most cyber criminals pose as trustworthy entities, and the holidays are their favorite time of year!
ThreatMark understands this, and we are at the forefront of the phishing dock, with the Behavioral Intelligence necessary to keep your waters clean and your customers safe. Our Cyber Fraud Fusion Center (CFFC) provides the market-leading expertise, tools, and threat prevention necessary to stop scams before they even reach your customers!
Why fight fraud when you can stop it before it even starts?