In this three part series, Finance & IT professional, John Luke, warns about the different ways criminals and identity thieves try to infiltrate your access & data. Here’s how to identify these threats and protect your company and yourself.
French existential philosopher René Descartes coined the philosophical statement “Cogito Ergo Sum”, which translates as “I think, therefore I am”.
That statement was made almost 400 years ago. While it may remain true from a philosophical point of view, who “I am” and who “you are” are today worth a veritable king's ransom to the armies of cyber criminals and real-world criminals who profit immensely from the gamut of scams and crimes that involve stealing, hijacking, selling or otherwise misusing the identities, credentials or access of their innocent victims.
Read more about online criminal tactics and scams and how to protect yourself and your loved ones.
PHISHING – pronounced ‘fishing’
1. EMAIL PHISHING
The majority of phishing scams involve sending thousands of generic email requests to users, using a fake domain. The fake domain often involves character substitution, like using ‘r’ and ‘n’ next to each other to create ‘rn’ instead of ‘m’.
For example, you could receive an email from firstname.lastname@example.org instead of
One email comes from Microsoft, the other from the attacker.
The email address of the sender should ALWAYS be checked if you are asked to click on a link. Clicking on a malicious link could mean you inadvertently install malware (malicious software) on your device, such as a virus, spyware or ransomware.
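The character-substitution trick described above can be checked mechanically. The following is an added example, not code from the original article: it folds common confusable sequences (the article's ‘rn’ for ‘m’, plus a few other well-known substitutions added here as assumptions) and flags sender domains that collapse onto a trusted domain. The allow-list and the sample sender addresses are constructed for illustration.

```python
# Added example (not from the original article): flag sender domains that
# imitate a trusted domain via character substitution, such as 'rn' for 'm'.

# Substitutions commonly used to build look-alike domains. The 'rn' -> 'm'
# trick is the one the article describes; the others are added here as
# further well-known confusables (assumption, not from the article).
CONFUSABLES = {
    "rn": "m",
    "vv": "w",
    "cl": "d",
    "0": "o",
    "1": "l",
}

# Constructed allow-list of domains the reader genuinely trusts.
TRUSTED_DOMAINS = {"microsoft.com", "zinc.com"}

def normalise(domain: str) -> str:
    """Fold confusable sequences so look-alikes collapse onto the real domain."""
    d = domain.lower().strip()
    for fake, real in CONFUSABLES.items():
        d = d.replace(fake, real)
    return d

def sender_domain(address: str) -> str:
    """Return the domain part of an email address (text after the last '@')."""
    return address.rsplit("@", 1)[-1].lower()

def classify_sender(address: str) -> str:
    """'trusted'   -> domain is exactly on the allow-list
       'lookalike' -> domain is not trusted but folds onto a trusted one
       'unknown'   -> anything else"""
    dom = sender_domain(address)
    if dom in TRUSTED_DOMAINS:
        return "trusted"
    if normalise(dom) in TRUSTED_DOMAINS:
        return "lookalike"
    return "unknown"

# Constructed sample of "From:" addresses as they might appear in a mailbox.
SAMPLE_SENDERS = [
    "account-security@microsoft.com",
    "account-security@rnicrosoft.com",
    "payroll@zinc.com",
    "helpdesk@micr0soft.com",
    "newsletter@example.net",
]

def flag_lookalikes(addresses):
    """Return the addresses whose domain imitates a trusted domain."""
    return [a for a in addresses if classify_sender(a) == "lookalike"]
```

A genuine domain that happens to contain a folded sequence (for example ‘modern’) only matters if the folded form matches an allow-listed domain, so the check produces few false positives on a short allow-list.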
2. SPEAR PHISHING
This is a much more targeted attack, and the attacker will potentially only send emails to a specific subset of email addresses. This could mean sending large batches of emails to a company, with the aim that a number of people will inadvertently click on a bogus link.
Attackers will do some homework on the company and devise an email that appears convincing at first sight, including the company's actual logo and colour scheme, all of which are readily available with a simple Google search.
If a company called “Zinc” owned the zinc.com domain, the attackers could, for example, register a domain called “Zinc-security.@zinc.com” and send an email to every name within that company. LinkedIn can be scraped to obtain the names of all employees who currently work at the company.
When the email is opened, the logo and colour scheme will appear to be an almost exact replica of the official Zinc branding. The email could contain links which the victim is urged to click, either as a matter of urgency or with the prospect of winning a prize. These links lead to malicious endpoints which could deliver malware, tracking software or ransomware.
3. WHALING
Whaling is even more targeted than spear phishing, and is usually aimed at high-ranking employees, executives and senior management.
Whaling emails usually:
Appear to be extremely urgent
Convey a thorough understanding of the company and mechanisms it uses to operate its business
Contain very detailed knowledge about individuals in the company.
An email to the PA of a CEO could read:
“Harold requested that I reach out to you directly. He called me just before his flight to London took off. He needs you to get on to Sarah Dunne in accounts to make the payment immediately to FisherGlobal for the sum of £34,865.32. The container of material cannot clear customs until this payment is received and will incur a daily penalty fee at a rate of 10% if not paid immediately.”
A few things about the content of this email:
Harold really IS on a flight to London. His PA will know this too, and the sender's knowledge of it adds some legitimacy to the request.
Sarah Dunne really is in accounts (information which is readily available via LinkedIn).
The sum of money to be paid is not a round figure; invoices are rarely for round sums once transport, VAT etc. are added.
The sense of urgency and the potential penalty fee are designed to make the reader panic and fear that, if they do not act with haste, they could be costing the company even more money.
4. SMISHING
Smishing is similar to phishing, but it uses SMS messages rather than emails as the mode of communication. The phone replaces the computer, but the same malicious links etc. remain a danger.
One key thing to watch out for with smishing is that little things like misspellings may be harder to spot on a mobile phone screen.
5. VISHING
Vishing, similarly, is where the scammers use telephone calls to speak directly with their intended victims.
Criminals could telephone a victim posing as their bank, claiming that before the call can proceed they need the victim to CONFIRM their card and account details, up to and including their PIN.
A bank will NEVER ask you for your PIN, nor telephone you to ask you to confirm your details. Unsolicited offers of credit and loans are another method scammers use.
Technology exists, and is being used, that allows criminals to SPOOF the telephone number of a legitimate company, so a phone call may appear to be coming from your bank or the company you work for.