Hope makes fools of men, and once it was only the most hopeful of fools who responded to a phishing mail, really believing a Nigerian prince would deposit three million dollars into their bank account. Unfortunately phishing scammers aren’t simple machines; they are very much human and they learn from their mistakes. Now that filters are getting more sophisticated, phishers have to get even more creative, and it’s becoming increasingly difficult to tell the factual from the fake.
The ultimate aim of almost any online scam is to get your precious personal information. It might seem that the data of one individual with no major assets isn’t that valuable, and it’s certainly true that Bill Gates’ bank account probably holds more than Bill Smith’s, but once a scammer has one piece of personal information they can use it to get hold of more. A mother’s maiden name can lead to more passwords, then to bank access, then to changing the registered emails and passwords, and so on. With more and more formal transactions being made online, you could end up with a string of credit card and loan debt in your name without ever knowing.
To catch the most phish, the forger needs the most convincing net. It usually starts with widely available tools that pull all of the assets from a website, enabling a fraudster to make a carbon copy of a bank or official site and then edit it with their own links and backend software to capture the details of anyone who visits. Once that’s ready, it’s a fairly simple matter of registering a similar address, Bigbank.org rather than Bigbank.com for example, and then it’s on to creating the email hook. For the more elaborate scams, phishers have even been known to look up the registered details of the original site and use them when registering the fake, so that even a user with the nous to check the registration would see the same owner.
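The look-alike address trick described above (Bigbank.org standing in for Bigbank.com, or the real brand name tucked into the subdomain of an unrelated site) is something a mail gateway or a cautious reader can check mechanically. The following is an added example, not code from the article, of a small link checker that extracts the hostname from each link in a message and compares it with the domain the email claims to come from. It assumes bigbank.com is the legitimate domain (taken from the article’s example), treats the last two labels of a hostname as the registrable domain (a simplification that ignores multi-part suffixes such as co.uk), and the email body it scans is constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Legitimate domain the message claims to be from (the article's Bigbank example).
LEGIT_DOMAIN = "bigbank.com"

# Crude URL matcher for plain-text mail bodies.
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable_domain(hostname: str) -> str:
    """Last two labels of a hostname: 'login.bigbank.com' -> 'bigbank.com'.

    Simplification for the example: a real checker should consult the
    public suffix list so that 'bigbank.co.uk' is not reduced to 'co.uk'.
    """
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_link(url: str, legit_domain: str = LEGIT_DOMAIN) -> str:
    """Return 'ok' or a 'suspicious: ...' verdict for a single link."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    # .hostname drops any user@ prefix, so 'http://bigbank.com@other.example/'
    # is correctly seen as pointing at other.example.
    host = (parts.hostname or "").lower()
    if not host:
        return "suspicious: no hostname"

    legit_brand, legit_tld = legit_domain.split(".", 1)
    reg = registrable_domain(host)
    if reg == legit_domain:
        return "ok"  # bigbank.com itself or a genuine subdomain of it

    brand, _, tld = reg.partition(".")
    if brand == legit_brand and tld != legit_tld:
        return "suspicious: top-level domain swapped"  # bigbank.org
    if legit_domain in host:
        return "suspicious: brand used as subdomain"  # bigbank.com.other.net
    if legit_brand in brand.replace("-", ""):
        return "suspicious: look-alike domain"  # big-bank.com, bigbank-secure.com
    return "suspicious: unrelated domain"


def scan_email(body: str, legit_domain: str = LEGIT_DOMAIN) -> list[tuple[str, str]]:
    """Find every link in a message body and classify it."""
    results = []
    for match in URL_RE.finditer(body):
        url = match.group(0).rstrip(".,;)")  # trailing punctuation is not part of the link
        results.append((url, classify_link(url, legit_domain)))
    return results


# Constructed sample message for the example; the hostnames are made up.
SAMPLE_EMAIL = """Dear customer,

Your statement is ready at https://login.bigbank.com/statements.
To keep your account active, confirm your details at
https://bigbank.org/verify or https://bigbank.com.secure-login-example.net/verify.

Bigbank Customer Care
"""

if __name__ == "__main__":
    for url, verdict in scan_email(SAMPLE_EMAIL):
        print(f"{verdict:45} {url}")
```

The first link is a genuine subdomain and passes; the other two are flagged for the TLD swap and for using the brand as a subdomain of some other site. Checking the hostname rather than the visible link text matters because the text in an HTML email can say anything at all.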
From there, the actual email is the easy part. Simply registering with any website will usually be followed by an email containing all the logos, wording and fonts someone would need to create another email that looks official enough to take in all but the canniest of readers. For the more elaborate phishers there’s a technique known as Open Source Intelligence Gathering. In layman’s terms, the forger uses publicly available information, such as the staff listed for a particular organisation on social media like LinkedIn or Facebook, to tailor an email to its targets with convincing details like first names and job titles. This requires a lot more work for the scammer than the scattergun approach of standard phishing, but it usually reaps a larger, and potentially more valuable, catch.
The best defence against phishing is common sense. Phishing emails prey upon the lizard part of the human brain that sees an opportunity for instant gratification and releases so much adrenaline and so many endorphins that we can’t think straight. It’s the same reason we buy lottery tickets: maybe this is it, this is the big moment when everything changes. Of course there’s the little Debbie Downer at the back of your mind saying ‘it’s not real’, but you can ignore her, she’s just being a pessimist. In this case, listen to Debbie. She’s the last line of protection stopping you from becoming just another hopeful, and debt-ridden, fool.