phishing scams

Phishing Scams and SMShishing Scams

Russell W. Gilmore, CISSP, CISM, EnCE Computer Forensics, Mobile Forensics


Image by Mohamed Hassan from Pixabay

In today’s technology-based world, phishing email scams have become commonplace. Whether simple or complex, these scams are often effective. Both companies and individuals fall victim to phishing scams, leading to the loss of billions of dollars annually.

Phishing scams typically involve a cybercriminal impersonating a legitimate company or individual. The scammer attempts to gain access to personal or private information such as account numbers, passwords, client lists, etc. Many phishing scams also involve an attempt to solicit funds in the form of wire transfers or payment cards. In one recent case, a phishing scam solicited a company’s accounts payable list along with the outstanding balance and contact email for each account. Believing this was a legitimate request from a company executive, an employee sent the requested information. Weeks later, the scammer began emailing the company’s clients to request payment of their outstanding bills, and provided a method for the payer to send an electronic payment.

Some companies attempt to combat phishing scams by providing training and education for their employees. Companies and individuals who are unable to provide or undergo this training can employ other strategies to avoid falling victim to these scams. One simple strategy is to remember: “when in doubt, pick up the phone and call the sender of the email.” If the email is from a bank or company asking you to provide your login credentials or personal information, call the bank or company directly, using a number you already have rather than one in the email, before providing any information.

In recent years, this commonly known scam has evolved from emails to text messages. This variation is known as “SMShishing”. Current articles on darkreading.com and threatpost.com indicate that a mobile phishing campaign targeted customers of North American banks, including Chase, Royal Bank of Canada and TD Bank. Mobile security firm Lookout believes that the scam affected nearly 4000 victims. This particular campaign, according to darkreading.com’s Jai Vijayan, began in June of 2019 and is currently offline.

You can rest assured that many more scams have taken its place. In this campaign, text messages prompted the victims to divulge answers to security questions as well as other information, including date of birth, credit-card expiration date, account numbers, usernames and passwords. The scammer crafted the text messages to appear to come directly from the financial institution. With mobile banking becoming more commonplace, it is understandable how a user may fall victim to this scam. A legitimate company or bank will never ask you for personal information in a text. These texts often include a link to a page that requires a login. Such a page is most likely a fraudulent site designed only to steal your login information and, potentially, your personal information.

In short, if you receive an unsolicited email or text message asking you to send money, click on a link, enter your account credentials or provide any personal information, ignore it, pick up the phone, and call.