We're seeing a rash of sophisticated phishing schemes ensnaring even those that are aware and alert to such scams. As we mentioned in November's CyberAdvisor letter, "Back it up," the holidays are always high season for hackers, and this year is no exception.
✓ The level of engineering and sophistication sets this season apart from phishing campaigns in years past.
This holiday season, hackers use combinations of email, SMS text messages, and telephone calls to engineer unusually sophisticated and effective schemes.
Some examples of the themes for this year's phishing campaigns include:
- The wayward package and delivery reschedule - FedEx, UPS, USPS, Amazon
- Bank, credit card, PayPal, Venmo, and Zelle payments and transactions
- AT&T and other telco account changes
- Rackspace, Microsoft, and Apple email password reset and mailbox alerts
These are next-gen hybrid variants of phishing, and the combination of precisely sequenced and timed emails, texts, and incoming phone calls can fool even the most astute of us.
There are even reports of vehicles marked up as FedEx and other trusted brands as part of the criminal scheme. Some of the more elaborate ruses are known to play out over weeks before the final payoff.
✓ Hackers know the brands and services you use, and they may even see the timing of your activity and will insert themselves at the right time in the right way.
Images of screenshots from the field:
Why can't this be stopped?
When a phishing email or text finds its way to your devices, it's because nothing in it evidences malicious intent that can be flagged and blocked. There isn't a virus involved (yet), and the email address or texting number hasn't yet been identified as an illegitimate actor. In cyber, it's whack-a-mole: once you find the bad guys, they're gone and have moved on to their next gig.
Someday we will have smarter software that will contextualize and detect the threat. For now, though, it is up to the individual and their ability to think critically about what the internet and our devices put in front of us every day.
"What's interesting here is the entirety of the fraud was completed over the phone, and at no time did the scammers compromise my account online," he said. "I absolutely should have hung up and initiated the call myself."
An IT security professional, after losing $9,800 to a phishing scheme, as reported to Krebs on Security.
✓ Phishing is mostly about hacking humans versus hacking their technology.
What can you do?
Besides using security software and protection, take these practical measures to make a big difference in your exposure to cybercrime:
- Share this with your family members, friends, and co-workers; when in doubt, delete the email, text, or hang up the phone. If you think something might be legitimate, reach out to the party yourself and make an inquiry.
- Enable mobile alerts on your financial accounts to receive text messages anytime a new transaction is posted.
- Freeze your credit files - it's free and makes a big difference in avoiding and limiting losses. Here is how.
For TDS clients, as always, take screenshots and forward what you have to us, and we'll figure it out with you.
Thanks for reading.