Phishing, Vishing, and Other Scams
Banks will never contact you by email to ask you to enter your password or any other sensitive information by clicking on a link and visiting a website. The emails are sent completely at random in the hope of reaching a live email address of a customer with an account at the bank being targeted.
What is phishing?
Phishing is the name given to the practice of sending emails at random purporting to come from a genuine company operating on the Internet, in an attempt to trick customers of that company into disclosing information at a bogus website operated by fraudsters. These emails usually claim that it is necessary to "update" or "verify" your customer account information and they urge people to click on a link from the email which takes them to the bogus website. Any information entered on the bogus website will be captured by the criminals for their own fraudulent purposes.
Phishing remains a popular attack technique because it works; almost one quarter of all recipients will open phishing messages and more than 10% will click on the malicious link or open the weaponized attachment. An attacker has to send only 10 messages to have a 90% probability of catching and compromising a user. That’s why more than two-thirds of all attacks that resulted in a network compromise included at least one phishing scheme.
Here are common phishing tactics:
- Pretending to be from the targeted users’ IT department
- Targeting specific users and departments
- Using weaponized documents embedded with malicious macros
- Working in conjunction with watering-hole attacks (targeting a business or organization by guessing at their frequently visited website addresses and infecting the websites with malware.)
Here are some recommendations for combating business phishing attacks:
- Reduce the attack surface by deploying tools that monitor and analyze email, URLs, attachments and user clicks.
- Expand your defense coverage with cloud-based defenses that protect your people wherever they work.
- Use real-time threat intelligence and a view of threat activity on your systems to help you respond and recover faster.
- Deploy tools that help you understand who is being targeted and by what threats.
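As an added example (not code from the original page or from any vendor it describes), the following Python screener applies the indicators the page itself lists: a sender domain that is not the bank's, a Reply-To that differs from the From address, "update"/"verify"-style urgency wording, and links that lead off-domain or whose visible text disagrees with where they actually go. The two sample messages and every domain in them are constructed placeholders, and the registered-domain helper is a deliberate simplification (last two labels of the host) rather than a public-suffix lookup.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample messages; all addresses and domains are placeholders.
SAMPLE_PHISH = """\
From: "Example Bank Security" <alerts@examplebank-verify.test>
Reply-To: recover@mailbox-collector.test
To: customer@example.test
Subject: Action required: verify your account within 24 hours
Content-Type: text/html

<html><body>
<p>Please <a href="http://login.examplebank-verify.test/update">click here</a>
to verify your account information immediately.</p>
</body></html>
"""

SAMPLE_LEGIT = """\
From: "Example Bank" <statements@examplebank.test>
To: customer@example.test
Subject: Your monthly statement is available
Content-Type: text/html

<html><body>
<p>Your statement is ready. Sign in at
<a href="https://www.examplebank.test/statements">www.examplebank.test</a>.</p>
</body></html>
"""

# Wording the page associates with phishing lures ("update", "verify", ...).
URGENCY_TERMS = ("verify", "update", "immediately", "suspended", "action required")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Simplified registrable domain: last two labels (no public-suffix list)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def score_message(raw, trusted_domain):
    """Return a list of phishing indicators found in a single-part HTML message."""
    msg = message_from_string(raw)
    findings = []

    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = from_addr.split("@")[-1].lower()
    if registered_domain(from_dom) != trusted_domain:
        findings.append(f"sender domain {from_dom!r} is not {trusted_domain!r}")
    if reply_addr and registered_domain(reply_addr.split("@")[-1]) != registered_domain(from_dom):
        findings.append("Reply-To domain differs from From domain")

    body = msg.get_payload()  # single-part message assumed for this illustration
    text = (msg.get("Subject", "") + " " + body).lower()
    urgent = [t for t in URGENCY_TERMS if t in text]
    if urgent:
        findings.append("urgency language: " + ", ".join(urgent))

    parser = LinkExtractor()
    parser.feed(body)
    for href, shown in parser.links:
        parsed = urlparse(href)
        host = parsed.hostname or ""
        if registered_domain(host) != trusted_domain:
            findings.append(f"link points off-domain: {host}")
        if parsed.scheme == "http":
            findings.append(f"link uses plain http: {host}")
        # Visible text that looks like a hostname but differs from the real target.
        shown = shown.lower()
        if re.fullmatch(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", shown):
            shown_host = urlparse(shown if "://" in shown else "//" + shown).hostname or ""
            if shown_host != host:
                findings.append(f"link text shows {shown_host} but goes to {host}")
    return findings


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, score_message(sample, "examplebank.test") or ["no indicators"])
```

Each finding is a reason a human reviewer or a mail gateway could act on; a real deployment would replace the last-two-labels heuristic with a public-suffix list and also inspect attachments, which this example deliberately leaves out.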
What is vishing?
Vishing is the practice of leveraging Voice over Internet Protocol (VoIP) technology to trick members of the public into giving up private personal and financial information for the purpose of financial reward. The term is a combination of "voice" and "phishing". Vishing uses social engineering techniques.
Example of Scam:
- The criminal configures a dialer to call phone numbers in a given region.
- When the phone is answered, an automated recording is played to alert the consumer that their credit card has had fraudulent activity and that the consumer should call the following phone number immediately. The phone number could be a toll-free number, often with a spoofed caller ID (i.e. showing the phone number of the financial company they are pretending to represent).
- When the consumer calls the number, it is answered by a typical computer generated voice that tells the consumer they have reached account verification and instructs the consumer to enter their 16-digit credit card number on the key pad.
- Once the consumer enters their credit card number, the visher has all of the information necessary to place fraudulent charges on the consumer's card.
- The call can then be used to harvest additional details such as security PIN, expiry date, date of birth, bank account number, etc.
(Provided courtesy of Wikipedia)