6 common phishing attacks and how to avoid them

As long as money is being channeled through the Internet, from small purchases to big business transfers, crooks will see it as a promising and relatively safe target for fraud.

Aside from the potential for hacking and for exploiting programming loopholes, the Internet has one huge security flaw: human fallibility. Simply put, from first-time users at either end of the age spectrum to business whiz kids stressed out from overwork, we are all vulnerable when fraudulent websites are just a click away.

Phishing fraudsters rely on a range of techniques that exploit our unguarded moments: unlike a good old traditional mugging or bank heist, they rely on everything looking safe and normal. It is this illusion of familiarity that led 97 per cent of computer users, in a test by Intel, to fail to correctly identify the phishing emails among those they were shown. It is this bug in human nature that results in one million UK Internet users experiencing phishing each year. And it is this complacency that has cost US companies anything between £500m and £1.43bn to date - depending on whose figures you trust.

One such business scam, a sub-category of phishing known as ‘CEO Fraud’, hit networking equipment company Ubiquiti Networks in 2015, as revealed when they released their quarterly SEC filing: the California-based company was taken for $46.7 million (£33.4m). CEO fraud, or the more delicately termed “business email compromise,” occurs when scammers send an email that appears to come from a senior figure of the victim company, requesting a payment be made or data be shared.

Ubiquiti has been secretive about the precise steps taken to defraud them, ostensibly so as not to compromise the investigation – but human error makes for an embarrassing admission. As recently as January of 2016, historic French firm ETNA Industrie lost €180,000 when their accountant received an email and phone calls apparently from the chief exec, requesting an urgent business payment. Needless to say, the communications were not authentic. To prevent instances of CEO fraud such as these, more complex, two-tier systems of security and authenticity need to be put in place. On a human level, it doesn’t hurt for those in a fund-authorising position to be reassured that double-checking requests that apparently came from their ‘boss’ is okay.

Fraud does not stop at the workplace, though, and phishing scams are evolving and responding to growing consumer sophistication, targeting users through trusted portals such as WhatsApp, Google Docs and Dropbox. Whilst traditional phishing involves the receipt of emails that claim urgent action needs to be taken by the user, guiding them to a dodgy link or requesting log-in or banking details, ‘Google Docs phishing’ goes one step further. The initial email invites the user to view a document which is indeed hosted on Google Drive, making it seem totally authentic: it feels perfectly safe to cough up your log-in details to Google services such as Gmail, Play or Android applications. However, the page may be a trap. It can be difficult to spot an imposter site, but programming flaws are known to flag up a suspicious page – check for corrupted characters in the language selection box, as their inclusion should ring alarm bells.

It is still unclear what impact an increase in WhatsApp scams noticed since the start of the year will have, but for the time being consumer vigilance is the best defense. Curiously, it has been reported that phishing fraudsters are learning to think like marketers, so the email subjects they use look deliciously clickable. But many of these emails, purporting to come from WhatsApp but in fact traceable to scammers, are laden with malware which can broaden the security threat to the victim’s computer. Often, bogus WhatsApp messages can be detected from their sender address, but another useful clue is the fact that many of these messages contain an apparently random string of letters at the end of an otherwise beguiling subject header, for example ‘An audio memo was missed. Ydkpda’. Experts speculate that this is a code that helps scammers to identify their victims – piecing together a puzzle that gives ever-greater control over stolen security information.
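The two clues above (a sender address that does not match the brand, and a random-looking suffix on the subject) can be checked mechanically. The following Python sketch is an added example, not part of the original article; the trusted domain, the "random token" heuristic and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the domain that genuine WhatsApp mail is expected to come from.
TRUSTED_DOMAINS = {"whatsapp.com"}

# Sentence-ending punctuation followed by one short letters-only token at the
# very end of the subject, as in 'An audio memo was missed. Ydkpda'.
TRAILING_TOKEN = re.compile(r"[.!?]\s+([A-Za-z]{4,10})\s*$")

def looks_random(token):
    # Crude heuristic: four or more consecutive non-vowels ("ydkpd").
    return re.search(r"[^aeiou]{4,}", token.lower()) is not None

def is_trusted(domain):
    # Exact match or true subdomain; "whatsapp.com.example.org" fails.
    return any(domain == d or domain.endswith("." + d) for d in TRUSTED_DOMAINS)

def triage(raw):
    """Return the reasons a raw message matches the clues described above."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    subject = msg.get("Subject", "")
    domain = addr.rpartition("@")[2].lower()
    reasons = []
    claims_brand = "whatsapp" in (name + " " + subject).lower()
    if claims_brand and not is_trusted(domain):
        reasons.append("brand-sender-mismatch")
    match = TRAILING_TOKEN.search(subject)
    if match and looks_random(match.group(1)):
        reasons.append("random-subject-suffix:" + match.group(1))
    return reasons

# Constructed sample messages (not real captures).
SAMPLES = {
    "spoof": "From: WhatsApp <notify@mailer.example.net>\n"
             "Subject: An audio memo was missed. Ydkpda\n\nbody",
    "genuine": "From: WhatsApp <no-reply@whatsapp.com>\n"
               "Subject: Your security code has changed.\n\nbody",
    "lookalike": "From: WhatsApp Support <help@whatsapp.com.example.org>\n"
                 "Subject: Voice message received\n\nbody",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, triage(raw))
```

The From header can be forged, so an empty result is not proof that a message is genuine; these checks complement SPF, DKIM and DMARC validation rather than replace it.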

Of course, fraudsters are working all the time to circumvent new security measures and invent ever more tricky scams. It is an issue that won’t go away as long as people are people. However, as long as phishing scams rely on user error to be effective, forewarned will equal forearmed. Aside from installing reliable security software, the best step we can take is to familiarise ourselves with the range of phishing variations that scammers may use to entrap us.

In addition to those mentioned, ‘spear phishing’ is a serious threat: it is a more targeted form of classic email phishing, the difference being that the perpetrators use extra information about the victim, gleaned from social media or elsewhere, to make the email more personalised and therefore more convincing. ‘Pharming’ is website-based phishing, in which a scam site is set up under the hijacked domain name of a trusted service.

The list goes on, but in each case steps can be taken to improve security. Check out this new infographic, which breaks down six of the most common ways that phishing fraudsters are operating today – and how to reduce the chances of becoming a victim.
