Phishing Scams: How To Avoid Becoming a Victim

It happened to around 470 victims, and it could happen to you too!

It is no longer news that around S$8.5 million was stolen from close to 470 bank customers across Singapore in a spate of SMS scams. The series of SMS phishing scams took place in December, and the victims included a specialist from the eCommerce sector and even a software engineer.

If individuals from these tech-savvy backgrounds could fall prey to these phishing scams, there is no doubt that anyone is vulnerable. 

Phishing, or the harvesting of login information via fraudulent methods, is by no means a new mode of scamming and robbing people. One of the first phishing techniques was actually developed and reported as early as 1987. 

The term “phishing” was coined by spammer and hacker Khan C. Smith, who stole the passwords and financial details of America Online (AOL) users with his hacking tool, AOHell. Since then, “phishing” has come to describe the virulent, malicious, even malevolent nuisance of spam email, and now SMS texts, capable of stealing a person’s financial information if the recipient is gullible enough to hand it over.

From AOHell targeting AOL, through the millions of spam and phishing emails that accompanied the growth of the internet, phishing has now crossed over to SMS.

Phishing is merely “annoying” if you are wise enough to recognize and dodge the scheme. If you are too trusting and believe the whole narrative the scammers deliver, just like the 470 bank fraud victims, your hard-earned savings could be wiped out in a matter of seconds by a ruthless, conscience-less mastermind.

Experts have recommended that, to mitigate this massive security and financial liability, links in SMS messages from banks, and even the use of SMS as a second layer of “protection”, should be done away with.

As the Singaporean financial industry scrambles to protect and even reimburse their clientele, individuals and corporations must also learn how to be on guard before anything of this sort happens to them and their companies. 

Photo by Mikhail Nilov via Pexels

Email Remains Largely Unchanged, and So Does Phishing

The widespread security and financial scandal happened via SMS, but as mentioned, an older phishing channel was already in place: phishing via email.

Email itself has remained almost unchanged over the decades. Email providers acknowledge that the underlying protocols have stayed the same over the years: SSL, TLS, POP3, IMAP, and SMTP.

In spite of some snazzy innovations that make email just a bit cooler, just a bit smarter, just a bit powered by AI, it has remained largely unchanged. And the system of targeting email users has remained largely unchanged, as well. 

The system is simple: 

  • Make an email look exactly like an email from a trusted company.
  • Lead the user to a page that asks them to enter their details for a particular institution, most often a bank.
  • Grab those details.
  • Use those details to access the victims’ accounts and siphon off their finances.


The power of phishing lies largely in its capacity to elicit trust from the end user. The more convincing an email looks, and the closer it resembles the company or institution it is trying to spoof, the easier it is for malevolent operators and hackers to steal the keys to their victims’ wealth.

The system works, over and over, and this is why it has endured over the decades.

SMS for Individuals, Email for Individuals and Corporations

The SMS scam targeted individual banking clients and siphoned out their information via links embedded in the messages. While the same scheme can apply to corporate accounts, email is the better-known way to target business entities with a phishing scam. This is because a domain belongs to a company, and as soon as hackers, scammers, and spammers get hold of the email addresses in that domain, they can target everyone within the organization.

Malevolent entities can also target specific departments or roles in a company. 

Two types of phishing target specific departments or roles:

  • Spear Phishing can target specific individuals who have access to financial information. There have been known attack campaigns targeting accountancy and audit firms, as well as financial departments within a company, to gain access to sensitive information.
  • Whaling and CEO Fraud targets senior-level executives in a company. While the success rate is reportedly low, there are still cases where tens of millions of dollars were lost because of a successful phishing campaign. 


Where Do We Go From Here? 

Now we know that phishing scams happen and that they could happen to you. It could happen to your company. It could even happen to your CEO. So where do we go from here? 

1. Educate Yourself. 

  • Know what a phishing email address looks like. In our Knowledgebase article, “Keeping Secure Email Habits,” you will see how scammers’ email addresses are formatted. When you check the source of the email and the address looks like one of the examples we pointed out, delete the email immediately and don’t click anywhere in the email body. This ensures that you won’t download any malicious programs or ransomware that could harvest your personal or sensitive information even without your participation.


  • Know what a phishing email looks like. Just to be on the safe side, use a personal or generic email account, such as Gmail or Yahoo. Check your Spam folder for one of those offers you didn’t ask for. To be even safer, open the email from a Linux installation; you can use a Linux LiveCD or USB if you don’t have Linux installed. We recommend Linux because any scripts embedded in the email will not automatically inject themselves into your browser or download themselves onto your PC. Take a quick look at the way the phishing email has been formatted, take screenshots if you want to remember it better, and then delete it immediately. Familiarizing yourself with a phishing email’s format will allow you to spot and recognize one faster, so you can delete it automatically if it ever lands in your Inbox rather than your Spam folder.


  • Be able to distinguish between a Phishing domain and a legitimate domain. Of course, everyone knows what www.domain.com looks like. But strangely, when people get emails, those who fall prey to phishing scams don’t seem to pay attention as to whether the emails lead to www.legitimatebusiness.com or www.somegibberishdomainhostingaformthatwilllethackersstealyourlifesavings.com. Of course, we’re being a little facetious here, but it should be muscle memory that when you click through an email, you must take a quick look at your browser’s address bar in order to verify whether you’re on the right website or not. If that’s not yet a habit for you, you should start practising it until it becomes second nature. 

Fortunately, phishing scams are usually hosted on some long, ill-spelt domain, and some even have gibberish letters on them. Some domain formats don’t make sense. Spammers, scammers, and hackers take it for granted that their targets are gullible and won’t verify the domain, so they don’t even bother to buy better domains. So don’t focus on the form you were led to fill out. Don’t even start typing anything on it. Don’t be quick to fall for the narrative that the phishing email or even SMS tries to sell you. Always, always, verify if the email address or domain the page leads to is legit. 
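To make the address-bar check above concrete, here is an added Python example (not from the original post or from CLDY) that extracts the host a link really leads to and compares it against a small allowlist. The domain names and addresses in it are constructed placeholders.

```python
from urllib.parse import urlparse

# Domains you genuinely expect to land on; constructed placeholders.
TRUSTED_DOMAINS = {"legitimatebusiness.com"}


def landing_host(url: str) -> str:
    """Return the host the browser would actually connect to for this URL."""
    if "://" not in url:
        url = "http://" + url  # bare hostnames copied out of a message
    # .hostname drops any 'user@' prefix, port and IPv6 brackets, so a
    # trusted name placed before an '@' is not treated as the destination.
    return (urlparse(url).hostname or "").lower().rstrip(".")


def verdict(url: str) -> str:
    """Classify a link as 'trusted', 'lookalike' or 'unknown'."""
    host = landing_host(url)
    for domain in TRUSTED_DOMAINS:
        # The domain itself, or one of its own subdomains (www., secure.)
        if host == domain or host.endswith("." + domain):
            return "trusted"
    for domain in TRUSTED_DOMAINS:
        # The trusted name is present but not at the right-hand end of the
        # host, e.g. www.legitimatebusiness.com.verify-account.example:
        # the real owner is whoever controls the right-most labels.
        if domain in host:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for link in [
        "https://www.legitimatebusiness.com/login",
        "https://www.legitimatebusiness.com.verify-account.example/",
        "www.somegibberishdomainhostingaform.example",
    ]:
        print(f"{verdict(link):9} {landing_host(link)}")
```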


2. Know That Phishing Thrives On Social Engineering.

  • “Social Engineering” is a method of getting a user’s sensitive information through the use of psychological manipulation. This may include creating a compelling narrative, such as stating that malicious individuals have gotten ahold of the target user’s credentials, thus, the target MUST enter their details, ostensibly to secure their account NOW. 

The sad thing is that this ruse was the exact narrative used on the bank SMS phishing scam scheme. 

The reason why this was compelling is that this narrative played on the user’s fears that their account was compromised, and so, the user felt like they needed to log into the portal provided by the scammers, not realizing that by doing so, they had just handed over the keys to actually being robbed, not just scammed. 

As a potential target, know that if an email or SMS sounds urgent, asks for your credentials, or tries in any way to capture your details, ignore the urge to give in to your fears and report the email or SMS to your bank or service provider.

Aside from fear, other social engineering tactics include offers that are too good to be true. In some countries, notifications that you have won a lottery are a common phishing scam. Others offer jobs that pay an insane amount of money. Still others threaten litigation. The list goes on. If the story being spun tries to get you to act and give out your information, beware and just junk the message, or take it a step further and report it to your service provider or the institution being spoofed.

3. Update Your Antivirus.

  • Keep a background malware scanner running, and keep it updated. Earlier, we mentioned that there’s such a thing as “ransomware.” It could come from links that you’ve accidentally clicked, or even from the very emails that we warned you about. Some emails take attacks a step further and embed malicious software inside. If you’ve accidentally clicked an email that downloaded malware into your computer, the danger is that you could trigger a ransomware attack.

A ransomware attack is when this downloaded malware locks your PC and holds it “for ransom.” It remains locked until you pay a sum to the hackers behind the ransomware. 

An updated malware scanner helps in alerting you to the presence of these and allowing you to take action to quarantine or delete the malware. 

We highly recommend ClamWin or Malwarebytes to clean your PC, but for background scanning, Avira or Avast is perfect.


4. For The Geeks: Set Up SPF Records. 

  • SPF (Sender Policy Framework) is an email authentication protocol that prevents spammers from sending mail as your domain. It lets the domain owner publish the specific IP addresses that are allowed to send email for the domain. This protects your company domain from being hijacked by malicious operators, discouraging them from sending internal phishing scams, spammy or scammy emails, or even using your domain to scam other companies and individuals.
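As an added illustration of what a receiving mail server does with an SPF record (example code, not from the original post or CLDY’s own setup guide), the Python below evaluates a record’s ip4, ip6, include and all mechanisms against a sender’s IP address. The domains, addresses and TXT records are constructed, and DNS lookups are replaced by an in-memory table so it runs offline.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups so the example runs offline;
# a real check resolves these names over DNS. Addresses come from the
# documentation ranges (RFC 5737 / RFC 3849); domains are placeholders.
FAKE_DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
}

# SPF qualifier prefixes and the result they yield when a mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_record(domain):
    """Return the domain's SPF TXT record, or None if it publishes none."""
    record = FAKE_DNS_TXT.get(domain.lower(), "")
    return record if record.startswith("v=spf1") else None


def check_spf(sender_ip, domain, depth=0):
    """Evaluate sender_ip against domain's SPF record.
    Returns pass, fail, softfail, neutral, none (no record) or permerror."""
    if depth > 10:              # RFC 7208 caps DNS-querying mechanisms at 10
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        qualifier = "+"                      # an unqualified mechanism means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, value = term.partition(":")
        if mechanism in ("ip4", "ip6"):
            # 'in' is False when the address family does not match the network
            matched = ip in ipaddress.ip_network(value, strict=False)
        elif mechanism == "include":
            # include:<domain> matches only if that domain's record passes
            matched = check_spf(sender_ip, value, depth + 1) == "pass"
        elif mechanism == "all":
            matched = True
        else:
            return "permerror"  # a, mx, exists, ptr are not handled here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"            # nothing matched and no 'all' term present
```

A sender at 192.0.2.1 claiming to be example.com gets a `fail` from the `-all` term, which is what lets the receiving server reject the spoofed message.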


READ MORE: How to Set Up an SPF Record


5. Create Better Passwords. 

  • Oddly, in a day and age where hundreds of thousands to millions of dollars are being stolen because of bad passwords and ill-thought-out cybersecurity policies, you’d think that individuals and companies would encourage the use of stronger credentials. Sadly, this isn’t the case. In spite of the massive data breaches and data dumps, the current favourite password is still “123456,” no matter how laughable that is to your friendly neighbourhood tech expert or tech support guy. Our guess is that people favour convenience, expediency, and the ease of remembering the password over actual security. But don’t be like them. Create better passwords:
    • Use a password generator tool. This randomises letters, numbers, and uppercase/lowercase, and helps you create better credentials. 
    • Use different passwords per website or service. Using one password across everything makes you more vulnerable. Vary the credentials you use. 
    • If you use a password generator tool, and you are worried about remembering everything, use a password vault such as LastPass.


  • Lastly, a password alone is never enough. Use 2-Factor Authentication as well. This ties your account to another device and ensures that you need to approve new logins. It will alert you when someone else tries to log into your accounts and, better yet, blocks attempts to break into and use your account, especially for nefarious purposes.

The Bottom Line

Individuals and companies cannot stop malicious operators from cooking up phishing scams and other schemes to try and rob people and organizations. Where there’s money to be had, albeit illegally, there’s always going to be an attempt to grab it. 

As individuals and companies, the best thing we can do is to protect ourselves. Take the steps we suggest to ensure secure email usage policies, be vigilant always, and avoid being the next victim. 

At CLDY, one of the five pillars of strength that we believe in is SECURITY. Our systems are backed by Singapore’s best security infrastructure, and it has features that ensure your individual or company accounts’ extra security. We will do everything to assist you in ensuring that your accounts are safe. 

Host with us today and enjoy the Simplicity, Speed, Stability, Security, and Support that CLDY offers!
