Catch of the Day: FTC Text Phish
Chef’s Special: Impersonation Phish
Also serving: Banking Phish
Examples of clever phish that made it past my spam filters and into my inbox. Some are sent by clients or readers like you, and others come from reliable sources on the Internet.
You can send phishing samples to me at phish@wyzguys.com.
My intention is to provide a warning and show current examples of phishing scams, related articles, and education about how these scams and exploits work, and how to detect them in your inbox. If the pictures are too small or extend off the page, double clicking the image will display them in a photo viewer app.
The FTC Reveals the Latest Top Five Text Message Scams
The U.S. Federal Trade Commission (FTC) has published a data spotlight outlining the most common text message scams. Phony bank fraud prevention alerts were the most common type of text scam last year. “Reports about texts impersonating banks are up nearly tenfold since 2019 with median reported individual losses of $3,000 last year,” the report says.
These are the top five text scams reported by the FTC:
- Copycat bank fraud prevention alerts
- Bogus “gifts” that can cost you
- Fake package delivery problems
- Phony job offers
- Not-really-from-Amazon security alerts
“People get a text supposedly from a bank asking them to call a number ASAP about suspicious activity or to reply YES or NO to verify whether a transaction was authorized. If they reply, they’ll get a call from a phony ‘fraud department’ claiming they want to ‘help get your money back.’ What they really want to do is make unauthorized transfers.
“What’s more, they may ask for personal information like Social Security numbers, setting people up for possible identity theft.” More…
Massive Impersonation Phishing Campaign Imitates Over 100 Brands and Thousands of Domains
A year-long phishing campaign has been uncovered that impersonates 100+ popular clothing, footwear, and apparel brands using at least 10 fake domains impersonating each brand.
We’ve seen plenty of attacks that impersonated a single brand along with a few domains used to ensure victims can be taken to a website that seeks to harvest credentials or steal personal information. But I don’t think we’ve seen an attack of such magnitude as the one identified by security researchers at Internet security monitoring vendor Bolster.
According to Bolster, the 13-month-long campaign used over 3000 live domains (and another 3000+ domains that are no longer in use) to impersonate over 100 well-known brands. We’re talking about brands like Nike, Guess, Fossil, Tommy Hilfiger, Skechers, and many more. Some of the domains have even existed long enough to be displayed at the top of natural search results.
And these sites are very well made; so much so that they mimic their legitimate counterparts enough that visitors are completing online shopping visits, providing credit card and other payment details.
The impersonation seen in this widespread attack can just as easily be used to target corporate users with brands utilized by employees; all that’s needed is to put the time and effort into building out a legitimate enough looking impersonated website and create a means to get the right users to visit said site (something most often accomplished through phishing attacks).
This latest impersonation campaign makes the case for ensuring users are vigilant when interacting with the web – something accomplished through continual Security Awareness Training.
Blog post with links:
https://blog.knowbe4.com/massive-impersonation-phishing-campaign
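The campaign above relies on a simple pattern: a brand name embedded in a domain (or used as a subdomain) that is not the brand's own. The check below, an added example and not code from Bolster or KnowBe4, flags that pattern from a defender's side, for instance when triaging URLs from mail logs or newly registered domain feeds. The brand allowlist, the sample domains and the digit-substitution table are constructed for the demonstration, and the registrable-domain split is a naive last-two-labels assumption rather than a proper public-suffix lookup.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed allowlist for the example: brand keyword -> official registrable domains.
# Assumption: replace with the brand list your organisation actually tracks.
BRAND_ALLOWLIST = {
    "nike": {"nike.com"},
    "skechers": {"skechers.com"},
    "fossil": {"fossil.com"},
}

# Digit-for-letter substitutions often seen in lookalike names (assumed heuristic table).
# The mapping for "1" is ambiguous (i or l); "i" is chosen here.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t"})


@dataclass
class Finding:
    domain: str
    brand: str
    reason: str


def registrable_domain(host: str) -> str:
    """Naive registrable-domain extraction: the last two labels.
    Assumption: no public-suffix list, so hosts under e.g. .co.uk are not split correctly."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def normalize(label: str) -> str:
    """Undo common digit substitutions and drop separators so 'n1ke-store' -> 'nikestore'."""
    return re.sub(r"[^a-z]", "", label.lower().translate(LEET_MAP))


def check_domain(host: str) -> Optional[Finding]:
    """Return a Finding if a tracked brand appears in a domain that is not on its allowlist."""
    host = host.lower().strip(".")
    reg = registrable_domain(host)
    labels = host.split(".")[:-1]            # every label except the TLD
    norm_labels = [normalize(lbl) for lbl in labels]
    for brand, official in BRAND_ALLOWLIST.items():
        if not any(brand in lbl for lbl in norm_labels):
            continue                         # this brand is not referenced at all
        if reg in official:
            return None                      # the brand's own domain (or a subdomain of it)
        if brand in normalize(labels[-1]):   # second-level label carries the brand
            reason = "brand name embedded in registrable domain"
        else:                                # brand only appears left of an unrelated domain
            reason = "brand name used as subdomain of unrelated domain"
        return Finding(host, brand, reason)
    return None


def scan(hosts: List[str]) -> List[Finding]:
    """Run check_domain over a list of hostnames and keep only the hits."""
    return [f for f in (check_domain(h) for h in hosts) if f is not None]


# Constructed sample input: a mix of legitimate hosts and lookalike patterns.
SAMPLE_HOSTS = [
    "www.nike.com",
    "nike-outlet-sale.shop",
    "n1ke-store.com",
    "login.skechers.com.verify-account.org",
    "skechers.com",
    "fossilwatchdeals.net",
    "example.com",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_HOSTS):
        print(f"{finding.domain}: {finding.brand} ({finding.reason})")
```

The two reasons are worth keeping separate in triage: a brand name inside the registrable domain usually means a purpose-registered lookalike, while a brand name only in the subdomain means an existing, unrelated domain is hosting the impersonation, which points you at a different takedown contact.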
Newly Discovered Phishing Attacks Target Bank Customers
First National Bank has warned of an increase in phishing and smishing attacks, IT-Online reports. Trish Ramdhani, head of fraud at FNB Card, stated, “In recent cases, some consumers received SMSes claiming that their bank requires them to urgently FICA by clicking on a link that takes them to the fraudster’s platform, where their information is then compromised.
The technique now includes attempting to entice the user to divulge both their card information and the one-time password (OTP), which is subsequently used to complete successful transactions using smart devices.”
FNB offers the following recommendations to help people avoid falling for these scams:
“Don’t panic: Fraudsters rely on people acting hastily due to a sense of panic. The tactics include threats that your accounts will be blocked or that fraud has been identified and must be stopped immediately. Whatever the scenario, keep in mind that such things will never compel you to give away OTPs, PINs, or passwords. It is safer to end such communication and contact your financial institution right away.
“Do not click on email or SMS links: When opening emails from unknown sources or those that appear suspicious, proceed with caution. Clicking on links or downloading attachments from these kinds of messages should be avoided because they may include harmful malware or redirect you to fake websites.
“Enable two-factor authentication (2FA): Enable 2FA wherever possible since it adds an extra layer of security by requiring a second verification step, which is often transmitted to your mobile device or an authenticator app, such as the FNB Apps for FNB customers.
“Take note of the card and digital safety measures recommended by your financial institution: There is a lot of misleading information about how people may protect themselves from fraud, but it is always preferable to follow your financial institution’s recommendations on how to secure your money.
“Keep software and devices up to date: Update your operating system, web browsers, and antivirus software on a regular basis to guard against vulnerabilities. To ensure that you get the most recent security fixes, enable automatic updates whenever possible.”
New-school security awareness training can enable your employees to thwart social engineering attacks, and it cannot hurt to share these tips with your users so that they will stay safe at home as well.
Blog post with links:
https://blog.knowbe4.com/phishing-attacks-bank-customers
About the Author:
I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com