Cybercriminals have now adapted their phishing attacks to be delivered partly by phone.
These have been very effective in the United States earlier this year and have now spread to Australia. Law firms are being targeted.
How it works
Phishing is all about getting people to hand over network authentication credentials, such as passwords or answers to common ID security questions (“What was your first school?”).
The most common way to do this is sending an email with content the target might want, then asking them to enter a password to access it. Security awareness training and email screening software are designed to protect organisations from such attacks. These defences are low cost and quite effective. (See the QLS information security training module.)
However, cybercriminals are nothing if not adaptable. As systems and people become resistant to “insert your password here” attacks, new forms are emerging. One of the easiest is establishing contact (and trust) by phone. A common scenario:
- You receive an email or text notifying you of something annoying (an Amazon purchase you did not order, renewal/cancellation of a service, an account being locked).
- A phone number is supplied. When you ring it, a friendly but slightly unhelpful person answers. They want to assist you to resolve your query but you are not authenticated – “privacy laws, you know”. Five minutes later you have supplied not only your current password, but three or four other passwords that it might have been and answers to a whole bunch of security questions. They might also ask you for multi-factor codes.
- The psychology is very effective. YOU rang THEM, so they are not an ‘unknown stranger’ from the internet. They are ‘George’ from the Amazon call centre. They are helpful (to a point) so you trust them. You have to invest time, so become determined to get the result you are after.
- At the end they send you a ‘confirmation document’ or ‘change of password link’. You are expecting it, so you open the email and dismiss any security warnings. They will tell you the link won’t work on a phone, so you will get it sent to your (probably work) computer. This is the sting in the tail – the document contains sophisticated malware that will attempt to infiltrate your employer’s network.
By the end of the phone call they might have the ability to inflict millions of dollars of damage to your employer. Or they might only have enough information to access your online banking. Either way, that is a good day for them and a very bad day for you.
Take away message
Be wary of ringing phone numbers in unsolicited emails. The text in such emails is often an image of text, so that scanning software cannot read it. Check the address the email came from: it might look right at a glance, but there may be small variations from the genuine domain.
If you do need to contact an organisation, go through their website or published phone numbers and don’t rely on contact details supplied in the email.
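The three warning signs above (a sender domain that is a near-miss of a real one, a phone number as the call to action, and a body that is mostly image) can be checked mechanically. The following is an added example, not code from the article; the allow-list of known domains and the sample message are constructed assumptions.

```python
import re
from email.message import EmailMessage
from email.utils import parseaddr

# Assumption: stands in for the organisation's own list of legitimate domains.
KNOWN_DOMAINS = {"amazon.com", "qls.com.au"}
PHONE_RE = re.compile(r"\+?\d[\d ().-]{7,}\d")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small distance to a known domain signals a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain: str, known=KNOWN_DOMAINS, max_dist: int = 2):
    """Return the known domain this one imitates, or None if it is exact or unrelated."""
    for k in known:
        if domain != k and edit_distance(domain, k) <= max_dist:
            return k
    return None

def indicators(msg: EmailMessage) -> list[str]:
    """Collect the callback-phishing indicators present in a parsed message."""
    found = []
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if (target := lookalike_of(domain)):
        found.append(f"sender domain {domain} resembles {target}")
    text, images = "", 0
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/plain":
            text += part.get_content()
        elif ctype.startswith("image/"):
            images += 1
    if PHONE_RE.search(text):
        found.append("phone number in body (callback lure)")
    if images and len(text.strip()) < 200:
        found.append("body is mostly images (text hidden from scanners)")
    return found

def constructed_sample() -> EmailMessage:
    """Constructed message mimicking the lure described above; not a real sample."""
    msg = EmailMessage()
    msg["From"] = "Amazon Support <support@arnazon.com>"
    msg["Subject"] = "Order cancellation notice"
    msg.set_content("Call 1800 123 456 within 24 hours.")
    msg.add_attachment(b"\x89PNG\r\n\x1a\nfake", maintype="image", subtype="png", filename="notice.png")
    return msg
```

Running `indicators(constructed_sample())` flags all three signs; in a mail gateway the same checks would feed a quarantine or user-warning rule rather than a hard block.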