Phishing, when hackers disguise themselves

Cybercriminals can disguise themselves. They can contact a legit user impersonating another individual or entity to get sensitive details (personal data, passwords, credit card numbers) or deploy malware (a malicious software gaining unauthorised access to any system): it’s phishing.

Indeed, they often send messages (miming authentic email) asking to click on malicious links, which redirect to tricky webpages, where to insert login credentials or install the malware. The hackers control these web pages to hold the data inserted.

Usually, fraudulent messages are delivered by email (email phishing). The term smishing (or SMS phishing) indicates the same attempt led with SMS. Vishing (or voice phishing) uses phone calls to conduct attacks. Hackers often use bots (software applications that run automated tasks) to open up a channel with the victims.

According to fraud prevention company Vesta, in 2021, phishing schemes were the second most likely cause of data breaches and cost businesses an average of $4.65 million. In the same year, Google’s threat analysis group has reported blocking around 800 million COVID-19 related phishing emails per day.

However, some details alert that you are dealing with a phishing message and not a legit one.

Email phishing

The hackers design the email as it would be a legit one: they try to copy the logo, the style, and the signature. However, the scheme is always the same:

  1. there is a call to action: the recipient is asked to modify a password, click on a link, participate in a survey, fill out a form to pay taxes, open an encrypted excel file;
  2. there are grammar mistakes in the text of the email;
  3. the link’s domain (for example, cibercrimeclues.com) is different from the authentic one (cybercrimeclues.com), often misspelt with tiny differences, so clicking on it, the victim would be redirected to a fraudulent webpage.

Smishing (SMS phishing)

With Smishing and Vishing, the hackers often hide their original phone number to get displayed a distinct one on the victim’s device (a technique called spoofing).

They can also use burner SIMs (cheap prepaid SIM not linking to hackers’ identities). For Smishing, they often use email-to-text services (software allowing them to turn an email into a text message), not revealing any phone numbers.

Several bot services enable to send SMS to victims: the easiest to use are SMSRanger and SMSBuster.

The most popular messages are:

  1. asking a false confirmation of a recent purchase never happened;
  2. claiming an error in an account and giving steps to resolve it;
  3. texting “STOP” to unsubscribe from a pretending service.

Some clues to detect them are:

  1. odd phone numbers, such as four-digit ones;
  2. urgent call to action, such as a sudden updating request.

Vishing (Voice phishing)

With Vishing, the scammers often pretend to be calling from the government, tax department, banks, or even the police. They often use a VoIP (Voice over Internet Protocol): a service allowing criminals to create a phone number and a caller ID of their choice. They can use some software, such as BloodOTPbot, to disguise the call.

Some details that make a call suspicious are:

  1. the tone or the accent of the caller, often a foreign one;
  2. pronunciation mistakes;
  3. the pretended urgency of the phone call.

In the US, where spoofing with automated messages is dramatically increasing, the Federal Communications Commission (FCC) pushed to develop a solution. The telecommunication industry responded: the suite of protocols and procedures STIR/SHAKEN has introduced digital certificates to ensure the calling number is secure.