As computers have grown more secure, it’s become increasingly obvious to security firms and criminals alike that the most vulnerable part of any computer is its user. As a result, clever scams and social engineering schemes have become more and more prominent, displacing much of the “business” that more classical viruses and other malware once exploited. In these last few months in particular, we have seen a major uptick in the frequency and number of schemes criminals have been using to try to part people from their money or account information, but two have stood out above many others.
Types of Attacks
The first and most common scheme we’ve been seeing is a renewed push through phishing attacks. For those who don’t know, a “phishing” attack is, as the sound of the word implies, a scheme in which a criminal contacts you while disguised as someone you trust (a person, a bank, a company, etc.) in order to “catch” information or money from you.
A breakdown of a classic example of one of these is a situation in which, through various means, a criminal learns that you have an account with a particular bank. This criminal then carefully fashions an email that looks a lot like the type of email this bank may send you regularly; they may incorporate imagery, logos, wording or other aspects to complete the illusion. If the scheme is particularly sophisticated or widespread, they may even make a custom email account that strongly resembles the contact account for the bank in question. They then send you an otherwise innocuous looking message, typically a request for you to log in to check your account or reset your password, and a legitimate looking link to do it. Thinking nothing of it, you follow the link, where you are greeted by a perfectly ordinary looking website asking you to sign into your bank account. After that, they’ve got your account info and you are none the wiser.
The latest phishing attacks have grown even more numerous and sophisticated. Rather than targeting bank accounts and the like directly, these scams typically target the email accounts themselves. Since everything is registered through an email account these days, the email can be used to reset passwords for any other accounts you might have, and gaining access to it is tantamount to obtaining a skeleton key for anything registered to it. The most common attacks target Comcast or AOL users with emails seemingly from Comcast or AOL themselves, frequently talking about “upgrading to a new mailbox” or something similar. Using the techniques described above, they then redirect you to a page where you log into your email account through a dummy website that feeds the entered credentials to the attackers. Before you know it, they have covertly set all of your emails to forward to their own accounts, and set up a filter for any new emails to be hidden from your view. This way, they can receive any of the password resets they perform, while you are none the wiser.
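The two changes described above, forwarding every message to an outside address and filtering new mail out of sight, are the first things to check in a mailbox you suspect has been phished. The following is an added example (not RGB Computer Solutions’ own tooling): it audits a list of mailbox rules in a generic, assumed shape and flags the ones that match those two patterns.

```python
# Constructed sample rules (assumption: each rule has a name, a condition
# dict and an action dict; real rules would come from the provider's
# settings export, and the field names will differ by provider).
SAMPLE_RULES = [
    {"name": "Receipts", "condition": {"from_contains": "store"},
     "action": {"move_to": "Receipts"}},
    {"name": ".", "condition": {},
     "action": {"forward_to": "inbox7781@attacker-example.net",
                "mark_read": True, "delete": True}},
    {"name": "Backup", "condition": {},
     "action": {"forward_to": "me@personal-example.com"}},
    {"name": ",", "condition": {"subject_contains": "password reset"},
     "action": {"move_to": "Trash"}},
]

TRUSTED_DOMAINS = {"personal-example.com"}   # addresses the user really owns
SENSITIVE_WORDS = ("password", "reset", "verif", "security", "sign-in")
HIDING_FOLDERS = ("trash", "deleted", "junk", "spam", "archive")


def hides_mail(action):
    """True if the action keeps a message out of the inbox or unread list."""
    folder = str(action.get("move_to", "")).lower()
    return bool(action.get("delete") or action.get("mark_read")
                or any(f in folder for f in HIDING_FOLDERS))


def audit_rules(rules, trusted_domains=TRUSTED_DOMAINS):
    """Return (rule_name, reason) findings for suspicious mailbox rules."""
    findings = []
    for rule in rules:
        name, cond, act = rule["name"], rule.get("condition", {}), rule["action"]
        target = act.get("forward_to")
        # Forwarding to a domain the user does not own is the skeleton-key setup.
        if target and target.rsplit("@", 1)[-1].lower() not in trusted_domains:
            findings.append((name, f"forwards mail to outside address {target}"))
        if hides_mail(act):
            words = " ".join(map(str, cond.values())).lower()
            if not cond:   # no condition: the rule hides every new message
                findings.append((name, "hides every new message"))
            elif any(w in words for w in SENSITIVE_WORDS):
                findings.append((name, f"hides account-security mail matching '{words}'"))
    return findings


if __name__ == "__main__":
    for name, reason in audit_rules(SAMPLE_RULES):
        print(f"rule {name!r}: {reason}")
```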
The second scheme we’ve been seeing much more of recently hasn’t necessarily grown more complex than before, but it has become a lot more common. Using strategies similar to the phishing attacks mentioned above, a scammer will attempt to extort money from you directly. They do this by contacting you, either by phone or email, and impersonating a representative of one of your financial institutions or a retail store. Once they’ve convinced you of their identity, they claim that you were charged a large sum of money either by accident or without your knowledge, and then either give you the chance to dispute the charge or outright offer to refund you. With the hook out there, you may be tempted to take the bait and “reverse the charges”; however, no charge was ever actually incurred. The trick lies in getting you to hand over your billing information in an attempt to get a refund for this non-existent charge, after which they use that information to steal money from you directly.
So how do you protect yourself from these attacks? The best way is to be wary of any emails you receive asking for information or asking you to sign into something. If you’re concerned about the legitimacy of an email, always check the sender’s address. Typically, the address will very clearly be something random or unrelated to the institution contacting you. In some of the more sophisticated attacks out there, the email address will still be wrong, but it will be cleverly disguised to look legitimate. An example might be “support@example.corn” instead of “support@example.com”. Did you spot the discrepancy on the first viewing? If you didn’t, that’s understandable – here the word “CORN” takes the place of “COM” at the end. Sometimes it can be difficult to notice, but there is always going to be some change in the address. Other tells can be bad grammar or misspellings in the body of the email, though those have gotten harder to spot as these schemes have become more carefully assembled. Regardless, whenever there’s any doubt, the best option is to either contact the institution directly (where possible) through a method you know to be legitimate, or do nothing at all. Of course, if you’re ever in a situation like this one and you’re unsure of how to proceed, feel free to contact us here at RGB Computer Solutions.
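The “corn” for “com” trick is one of a small family of lookalike tricks, and the check described above can be automated. Below is an added example (not RGB Computer Solutions’ code) that compares a sender’s domain against the domains you expect mail from; the confusable-character table and the distance thresholds are assumptions chosen to catch common substitutions, and any “lookalike” result simply means the address deserves a second look before you click anything.

```python
# Pairs that look alike in many fonts; each maps to one canonical form so
# "example.corn" and "example.com" compare equal. Assumed table: it covers
# the common tricks, not every possible substitution.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"), ("|", "l")]


def skeleton(domain):
    """Collapse lookalike character pairs so visual twins compare equal."""
    d = domain.lower()
    for lookalike, real in CONFUSABLES:
        d = d.replace(lookalike, real)
    return d


def edit_distance(a, b):
    """Plain Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(address, trusted_domains):
    """Classify a sender address against the domains you expect mail from."""
    if "@" not in address:
        return "invalid"
    domain = address.rsplit("@", 1)[1].strip().lower()
    if domain in trusted_domains:
        return "trusted"
    for good in trusted_domains:
        if domain.endswith("." + good):          # real subdomain, e.g. mail.example.com
            return "trusted"
        if skeleton(domain) == skeleton(good):   # the "corn" for "com" family
            return f"lookalike of {good} (character substitution)"
        # Short domains get a tighter threshold so unrelated short names don't match.
        threshold = 2 if len(good) >= 10 else 1
        if edit_distance(domain, good) <= threshold:
            return f"lookalike of {good} (near-miss spelling)"
        brand = good.split(".")[0]
        if brand in domain:                      # brand buried in an unrelated domain
            return f"lookalike of {good} (brand name inside unrelated domain)"
    return "unknown"


if __name__ == "__main__":
    for addr in ("support@example.com", "support@example.corn", "news@gmail.com"):
        print(addr, "->", check_sender(addr, {"example.com", "aol.com"}))
```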