Gone Phishing — and Not Going Away
Malware. Clone phishing. Whaling.
Phishing comes in many forms, and all of them could be happening this very minute. It has become the most common form of hacking, “accounting for 91% of all cyber attacks” (Steve Zurier, Dark Reading).
In the latter part of last year alone, there was a 500% increase in phishing scams over social media (Phil Muncaster, Infosecurity Magazine). I don’t know about you, but that statistic sounds alarming.
Numbers speak volumes and shouldn’t be ignored. Even so, a phishing scam isn’t easy to spot. Attackers have mastered both manipulation and coding, and they are getting quicker at defeating complex malware protection systems and getting past firewalls. After all, phishing has been a “thing” since the early days of AOL.
So what’s phishing, anyway?
Phishing is the sending of fraudulent emails or messages from addresses disguised as reputable sources, with the aim of coaxing users into revealing personal information. Scammers often use that information to steal identities and then profit by selling them.
What makes phishing so attractive to criminals is how easy it is and the return on investment it brings. All it takes is tricking you into believing an email is safe to open. Scammers use real company logos, and even real messages, with dangerous links that send users to fraudulent sites. It’s no wonder so many people fail to recognize it.
Phishing isn’t limited to email, though.
Because it’s a form of identity theft, criminals can use similar social engineering on other platforms to try to take hold of your personal information. Any outlet that exposes your data through an account with a login is susceptible to phishing; Facebook and Instagram are two examples.
URL padding—a new form of phishing?
How often do you catch yourself “liking” an Instagram or Facebook photo, sometimes quickly and without even reading the full post? Photos can be engaging enough to drive a user to tap, which is valuable for marketers and profitable for phishing scammers.
The latest take on phishing targets mobile devices, primarily within the Facebook app. Attackers are capitalizing on our tap-happy habits, or flaws, to quickly rob us of our login information. We’re so conditioned to react instantly to notifications, text messages, and emails that we’re leaving our doors wide open to attack.
Here’s how phishing works:
You’re scrolling through your timeline, and you haphazardly tap a link in a post featuring an aspirational image of the hottest new gadget you’ve seen in Wired. You’re redirected to a landing page that looks like it could be real; as far as you can tell, it even has “facebook” in the URL. What you can’t see is the rest of the URL, because the address bar on your mobile device is small.
What the criminal has done is pad a fraudulent URL with hyphens so that only the legitimate-looking part fits in the narrow address bar, while the real domain that actually serves the page is pushed out of view. On this page, a form requests your personal information, promising to enter your name into a drawing for a chance to win the gadget. In this case, the attacker wins your information, and you’re left with no gadget but a stolen identity, one you may not realize is stolen for months.
And that’s just one example of how it’s done; some forms of URL padding can infect your device and cause more immediate damage.
Is there anything we can do to prevent URL padding?
One of the easiest prevention methods is to stay aware and pay attention to your user experience. Make sure the journey from one page to the next makes sense, and that the URL is not padded or misspelled and does not contain a questionable domain. You can check the full URL by tapping it in the address bar and dragging your finger slowly to the end, looking for clues. Beware of abnormally quick responses from customer support representatives or odd Facebook messages.
Only you can take steps toward preventing phishing, especially on mobile devices. For desktops and laptops, research malware and antivirus software and choose one that also monitors email. For businesses, Link High offers cyber threat monitoring services to help protect against and detect suspicious activity. Learn more about it here.
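To make the two points above concrete (why a padded URL looks legitimate in a narrow address bar, and what a checker that reads the whole URL should look for), here is a small added example in Python. It is not code from the original post or from Link High. The list of watched brands, the five-hyphen threshold, and the “last two labels” approximation of the registrable domain are assumptions made for this example; the sample URLs are constructed, and 198.51.100.7 is a documentation-only address.

```python
import re
from urllib.parse import urlsplit

# Brand names that should only ever appear in the registrable domain of a
# hostname, never buried in a subdomain. Constructed list for this example;
# replace it with the brands and domains your own users actually visit.
WATCHED_BRANDS = ("facebook", "instagram", "paypal")

# Five or more consecutive hyphens inside one hostname label. The threshold is
# an assumption for this example: legitimate labels rarely contain such runs.
HYPHEN_RUN = re.compile(r"-{5,}")


def _split(url: str):
    """Parse a URL, tolerating input typed without a scheme."""
    return urlsplit(url if "://" in url else "http://" + url)


def registrable_domain(host: str) -> str:
    """Approximate the registrable domain as the last two labels of the host.

    Simplification for this example: a production checker would consult the
    Public Suffix List so that hosts such as example.co.uk are handled correctly.
    """
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def address_bar_view(url: str, width: int) -> str:
    """Return the leading `width` characters of the hostname, i.e. roughly what
    a narrow mobile address bar shows when it truncates the rest of the URL."""
    return (_split(url).hostname or "")[:width]


def inspect_url(url: str) -> list:
    """Return a list of warnings for a URL; an empty list means nothing was flagged."""
    warnings = []
    parts = _split(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return ["no hostname could be parsed from the URL"]

    # In 'http://facebook.com@198.51.100.7/' everything before '@' is userinfo,
    # not the host, so a trusted name in that position is a disguise.
    if parts.username is not None:
        warnings.append("text before '@' is userinfo, not the host; real host is '%s'" % host)

    labels = host.split(".")
    reg = registrable_domain(host)
    for label in labels[:-2]:  # subdomain labels only; the last two are the registrable domain
        if HYPHEN_RUN.search(label):
            warnings.append("hyphen padding in subdomain label '%s'" % label)
        for brand in WATCHED_BRANDS:
            if brand in label and brand not in reg:
                warnings.append(
                    "brand '%s' appears in a subdomain, but the registrable domain is '%s'"
                    % (brand, reg)
                )

    if len(host) > 60:
        warnings.append("unusually long hostname (%d characters)" % len(host))
    return warnings


if __name__ == "__main__":
    # Constructed sample URLs: one legitimate, one hyphen-padded, one using userinfo.
    samples = [
        "https://m.facebook.com/login",
        "http://m.facebook.com" + "-" * 20 + "validate.example.net/login",
        "http://facebook.com@198.51.100.7/",
    ]
    for sample in samples:
        shown = address_bar_view(sample, 22)
        print("bar shows: %-24s findings: %s" % (shown, inspect_url(sample) or "none"))
```

Run it as a script to see that the padded URL and the legitimate one display identically in a 22-character “address bar” even though only one of them resolves to facebook.com. The same checks can be dropped into a mail gateway or proxy log review, where the full hostname is always available.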