Holiday phishers switch to phone scams

Scammers are now phishing for personal and financial details through low-tech phone scams: a fake order confirmation with a number to call instead of a link. Anxious victims threatened with financial loss might miss the obvious signs of fraud.

CyberNews has already written about many scammer tactics: threat actors spoof and impersonate popular brands such as Amazon, the US Postal Service, Verizon and DocuSign, sending out fake purchase notifications to get you to call them so they can extract as many personal details as possible.

It has also recently happened to me - I received what looked like an email from Amazon confirming that I bought a PS4. I knew I didn't, and it didn't even occur to me to call the number given in the email (it contained no links, just a phone number).

Unfortunately, that might not be the case with anxious shoppers, especially with the holiday season ahead.

Data scientists at the email security company INKY began to see a run of these attacks toward the end of summer, and the volume has only increased heading into the holidays. The company's engineers created a new threat model, called Phone Scam, to capture these attempts.

In the four months since the rollout of the Phone Scam threat model, INKY has detected 25,841 of these attacks among its customers.

Because improved anti-phishing technology has become more effective at warding off even the most sophisticated attacks, attackers have moved their technical approach down-market. Here's how it works:

This holiday season, anyone with an email address, whether they shop online or not, could receive a fake order confirmation that impersonates a retail company (e.g., Amazon, PayPal, Walmart). These emails, which instruct the recipient to call a phone number if they want to dispute a charge or resolve a fake issue, are structured around a phony order, often for an expensive item.

Because most of these attacks are sent from free-mail services (e.g., Gmail, Hotmail, iCloud), which have high sender reputations, they pass email authentication (SPF, DKIM, DMARC). Those checks only confirm that the message really came from the free-mail provider's domain; they say nothing about the brand name in the display name, which is where the impersonation lives.

"When a reputable company like Amazon supposedly sends a note like the one below saying it's about to ship a pricey piece of equipment that wasn't ordered, it's enough to send anybody into a panic," INKY noted. Therefore, victims might call the given number to explain they've never ordered, for example, a Samsung washing machine from Amazon.

Here's one of many phishing email examples:

By impersonating brands like Amazon, PayPal, Target, UPS, eBay, and many others, phishers hope to gain victims’ trust. Even though they may not have ordered a particular item, they are tricked into believing that the email came from a legitimate company.

Here's another example of a phishing email. It looks like it comes from eBay, but even the friendly (display) name looks odd: e-B.a.y, punctuation inserted to dodge filters that match the brand name exactly. And is there any such thing as a Dell Latitude Business Gaming Laptop? Dell does sell its Latitude line to businesses, and it does have a high-end gaming lineup called Alienware and a more modestly priced one called the G Series, but Latitudes and gaming notebooks are sold to two entirely different audiences. A panicking recipient of this message, however, might not notice those small discrepancies.

These phishing emails are written to threaten financial loss: if you don't cancel this order, your credit card will be charged. They also add a sense of urgency to call and cancel the order, which is why a victim's eye may not catch the details pointing to fraud.

An emotional game

Social engineering is an emotional game. Criminals manipulate our perceptions and feelings to trick us into doing something for their benefit. They are trying to disrupt our thinking process, the OODA loop: a decision-making model whose stages are observe, orient, decide and act.

When scammers call you or send you an email, they always want you to take immediate action. You will not hear them say, 'reply whenever it's convenient to you' or 'at your earliest convenience.'

Probably the best advice here is to step back and take a moment to think so that you can make an informed decision. As Malik pointed out, you can still make a mistake, but at least it will be an 'informed mistake'.

There are several simple things recipients can do to stay safe.

"It's easy enough to take a closer look at a sender's email address to confirm that the message comes from the branded company that seems to be sending it. Particularly when an email triggers a sense of dread and urgency, looking at the sender's address can quickly put those fears to rest," INKY said.

Even if the recipient makes the phone call to the fake sender, it is critical not to give sensitive personal information (e.g., banking information, social security number, date of birth) over the phone.

"And just thinking for a minute before responding can reveal that the pitch makes no real sense. For example, one doesn't resolve an accidental or fraudulent charge by buying a gift card," INKY said.

Another simple remedy is to go straight to the retailer's website (by typing its address or opening the retailer's app, not by using anything in the email) and check your order history, which will most likely not include the order referenced in the fraudulent email.
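The mechanics described above (a brand name in the display name, a free-mail sending domain that authenticates cleanly, a phone number instead of links, urgency wording) and the advice to look at the sender's address can be turned into a small triage script. The following is an added example for this article, not INKY's Phone Scam threat model or any CyberNews code; the brand-to-domain table, the free-mail list, the regular expressions and both sample messages are constructed for illustration.

```python
"""Heuristic triage for call-this-number order-confirmation phish.

Added example for this article; it is not INKY's Phone Scam threat model or
any CyberNews code. Brand/domain tables, regexes and the sample messages
below are constructed for illustration only.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Optional

# Constructed: brands the article says are impersonated, mapped to a domain
# they legitimately send from (partial; extend from your own mail logs).
BRAND_DOMAINS = {
    "amazon": {"amazon.com"}, "paypal": {"paypal.com"}, "walmart": {"walmart.com"},
    "target": {"target.com"}, "ups": {"ups.com"}, "ebay": {"ebay.com"},
}
# Constructed: free-mail providers whose mail authenticates cleanly under
# SPF/DKIM/DMARC because the scammer really does own the mailbox.
FREEMAIL_DOMAINS = {"gmail.com", "hotmail.com", "outlook.com", "icloud.com", "yahoo.com"}

# Lookarounds stop order numbers such as 114-5823913-8836249 matching as phones.
PHONE_RE = re.compile(r"(?<![\d-])(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?![\d-])")
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
URGENCY_RE = re.compile(
    r"\b(within 24 hours|immediately|will be charged|urgent|cancel (?:this|the|your) order)\b",
    re.IGNORECASE,
)


def normalise(name: str) -> str:
    """'e-B.a.y' -> 'ebay': drop punctuation used to defeat exact-match filters."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def brand_in(text: str) -> Optional[str]:
    """Return the first impersonated brand found in a display name or subject."""
    norm = normalise(text)
    for brand in sorted(BRAND_DOMAINS):
        if brand in norm:
            return brand
    return None


def body_text(msg) -> str:
    """Concatenate the text/plain parts of a parsed message."""
    parts = [p for p in msg.walk() if p.get_content_type() == "text/plain"]
    chunks = [p.get_payload(decode=True) or b"" for p in parts]
    return "\n".join(c.decode("utf-8", errors="replace") for c in chunks)


def triage(raw: str) -> dict:
    """Score one RFC 822 message for the phone-scam pattern the article describes."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    brand = brand_in(display) or brand_in(msg.get("Subject", ""))
    body = body_text(msg)
    findings = []

    if brand:
        # Lookalike domains (amazon-support.example) fail this too: the test is
        # an allowlist, not "does the brand name appear in the domain".
        allowed = BRAND_DOMAINS[brand]
        if not any(domain == d or domain.endswith("." + d) for d in allowed):
            findings.append(f"display name/subject claims {brand!r} but sender domain is {domain!r}")
    if domain in FREEMAIL_DOMAINS:
        findings.append("free-mail sender: SPF/DKIM/DMARC vouch for that provider, not for the brand")
    phones = sorted(set(PHONE_RE.findall(body)))
    if phones and not URL_RE.search(body):
        findings.append(f"phone number(s) {phones} and no links: call-back lure")
    if URGENCY_RE.search(body):
        findings.append("urgency or threat of a charge")

    return {"display": display, "domain": domain, "brand": brand,
            "phones": phones, "findings": findings, "score": len(findings)}


# Constructed sample in the shape the article describes: a pricey item,
# a free-mail sender, a fictional 555 number to call and no links at all.
SAMPLE_PHISH = """\
From: "Amazon.com Order Dept" <orders.amazon.confirm@gmail.com>
To: victim@example.com
Subject: Order Confirmation - Samsung Washing Machine
Content-Type: text/plain; charset=utf-8

Thank you for your order #114-5823913-8836249. Your Samsung front-load
washing machine ($1,899.00) will ship within 24 hours and your card on
file will be charged.

If you did not place this order, call our fraud desk immediately at
1-800-555-0143 to cancel.
"""

# Constructed counterexample: the brand's real domain, a link and no number.
SAMPLE_LEGIT = """\
From: "Amazon.com" <shipment-tracking@amazon.com>
To: victim@example.com
Subject: Your package has shipped
Content-Type: text/plain; charset=utf-8

Track your package at https://www.amazon.com/your-orders
"""

if __name__ == "__main__":
    for raw in (SAMPLE_PHISH, SAMPLE_LEGIT):
        result = triage(raw)
        print(result["score"], result["findings"])
```

The brand check is an allowlist of domains the brand actually sends from rather than a substring test, so a registered lookalike such as amazon-support.example is flagged even though it is not a free-mail domain and contains the brand name. The score is a triage signal for a human or a mail gateway rule, not a verdict: a legitimate message can contain a phone number, and the urgency patterns are deliberately narrow.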
