With incidents such as the Colonial Pipeline infection and the Kaseya supply chain attack making so many headlines these days, it can be easy to forget that malicious actors are still preying on individual users. They’re not using ransomware to do that so much anymore, though. Not since the rise of big game hunting, anyway. This term marks ransomware actors’ shift away from attacks against individual users and towards operations targeting large enterprises, noted CNBC. But attacks like phishing and scam calls are still an issue.
So, how are malicious actors preying upon individual users? Let’s discuss three kinds of attacks below.
Scam Phone Calls
According to the Federal Trade Commission (FTC), a scam phone call involves a malicious actor cold-calling victims to try to steal their personal information or financial details. They can then use that data to commit identity theft or to perform credit card fraud.
Attackers use various lures to trick their targets. Provided below are a few of the most common types:
- Imposter scams – In this type of ruse, a scammer calls someone and pretends to be a person that the recipient trusts. They might claim to be a government agency such as the Social Security Administration (SSA), for instance, or a tech giant like Microsoft. To add to the scam, they could use a fake name or spoof the caller ID.
- Debt relief scams – Fraudsters conduct these types of ruses by offering people lower credit card interest rates or assistance to fix their credit. If people fall for these scams, they could lose their money, damage their credit and/or expose their personal information.
- Charity scams – Malicious actors commonly pose as charities to trick people into submitting monetary donations. These ploys happen all the time, but they pop up especially after natural disasters and during the holidays.
Attackers are turning to scam phone calls more and more. Phone screening app company RoboKiller shared that Americans received 5.6 billion spam calls in February 2021. That’s a 10% increase over January 2021 and a 26% increase over February 2020. This type of volume persisted over the next months. That explains the 26 billion robocalls received by Americans in the first half of 2021. In June alone, robocallers contacted Americans 2.8 billion times. Scam calls and telemarketing calls accounted for 62% of that month’s volume, reported Markets Insider, with the former up 19% and the latter up 5%.
Phishing Attacks
A phishing attack is where a malicious actor attempts to steal the credentials for a victim’s email or bank account. Or, they might attempt to trick someone into downloading malware. They can then use that threat to exfiltrate their victim’s data or abuse the infected device.
Common attack varieties staged by phishers include the following:
- Opportunistic – These types of attacks don’t target anyone in particular. They’re “spray and pray” campaigns where malicious actors send out generic emails to a large volume of victims. The logic is that at least some of those victims will fall for the ruse and either log into a suspicious website or download malware to their machine.
- Spear-phishing – In contrast to an opportunistic attack, a spear-phishing campaign deliberately targets a specific person. Those responsible for crafting the attack usually spend some time conducting reconnaissance of their target and crafting a convincing lure. By investing this effort, attackers hope to improve their chances of a successful phish.
- Smishing – Not every attack uses email as its delivery vector. For instance, SMS phishing (or “smishing”) uses SMS-based text messages to trick victims into clicking on a malicious link. These scam text messages take on various forms. As an example, attackers may pose as a delivery service to harvest personal information from a recipient. They might also direct the recipient to a website offering a gift in exchange for participating in a survey. The ruse asks the recipient to cover the shipping costs, through which the scam steals a victim’s payment card details.
Like spam phone calls, phishing attacks are on the rise. Help Net Security reported that these types of campaigns increased by 22% for the first half of 2021. That was before phishing attacks dipped in June.
UI Redress and Cookie Theft
Phishing is just one of the attacks that target individuals today. Attacks of this kind rest on someone with criminal or malicious intent attempting to break into an account, website or other asset, either to commit fraud or to cause financial or reputational harm to the victim.
- UI redress – In this attack, a threat actor creates a fake user interface (UI) that leads the user into thinking they’ll be redirected to a certain website. But the UI actually leads them to another site designed to steal their details or infect them with malware.
- Cookie theft – Digital attackers use malware, browser vulnerabilities and other means of exploit to steal a user’s cookies. They can leverage those pieces of information to gain access to victims’ accounts, allowing them to make off with personal or banking information.
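The two attacks above are ones a site owner can largely close off with response headers: a page that forbids being framed by other origins cannot be overlaid for UI redress, and a cookie marked HttpOnly, Secure and SameSite is far harder to lift from a browser. The following is an added illustration, not code from the article or any project it cites; the two HTTP responses are constructed samples, and the checks reflect common hardening guidance rather than any authoritative standard.

```python
from typing import List, Tuple

# Constructed sample: a login page with no framing protection and weak cookies.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: session=abc123; Path=/\r\n"
    "Set-Cookie: theme=dark; Path=/; SameSite=Lax\r\n"
    "\r\n<html>...</html>"
)
# Constructed sample: the same page after hardening.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Security-Policy: frame-ancestors 'none'\r\n"
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict\r\n"
    "Set-Cookie: theme=dark; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "\r\n<html>...</html>"
)

def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Split the head of a raw response into (lowercased name, value) pairs.
    Repeated Set-Cookie lines are kept as separate entries."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs

def framing_findings(headers: List[Tuple[str, str]]) -> List[str]:
    """UI redress check: the page must deny or restrict framing."""
    xfo = [v.upper() for n, v in headers if n == "x-frame-options"]
    csp = [v.lower() for n, v in headers if n == "content-security-policy"]
    protected = any(v in ("DENY", "SAMEORIGIN") for v in xfo) or \
        any("frame-ancestors" in v for v in csp)
    return [] if protected else ["page may be framed: add CSP frame-ancestors or X-Frame-Options"]

def cookie_findings(headers: List[Tuple[str, str]]) -> List[str]:
    """Cookie theft check: each cookie should be HttpOnly, Secure and SameSite."""
    findings = []
    for n, v in headers:
        if n != "set-cookie":
            continue
        parts = [p.strip() for p in v.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower(): p.split("=", 1)[1] if "=" in p else "" for p in parts[1:]}
        if "httponly" not in attrs:
            findings.append(f"{name}: missing HttpOnly (readable by injected script)")
        if "secure" not in attrs:
            findings.append(f"{name}: missing Secure (may be sent over plain HTTP)")
        if attrs.get("samesite", "").lower() not in ("lax", "strict"):
            findings.append(f"{name}: SameSite not Lax/Strict (sent on cross-site requests)")
    return findings

def audit(raw: str) -> List[str]:
    """Return every finding for one raw HTTP response; empty means hardened."""
    headers = parse_headers(raw)
    return framing_findings(headers) + cookie_findings(headers)
```

Running `audit(WEAK_RESPONSE)` yields six findings (one framing gap and five cookie attribute gaps), while `audit(HARDENED_RESPONSE)` yields none.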
Sometimes, the methodologies vary depending on who’s conducting the attack. Take ‘hacktivists’ as an example. These actors try to steal embarrassing information from a target, with some going as far as stealing access to a target’s website for the purpose of defacing it with their own propaganda. That tactic differs from corporate spies who try to steal intellectual property and monetize it in some way. The same goes for nation-state actors who might try to remain hidden in targets’ networks for months, if not years, to benefit their host country.
As with the other two attack categories discussed above, malicious intrusions are on the rise. CrowdStrike found that intrusions threatening organizations’ cybersecurity had grown 400% in 2019 and 2020 combined. Many of those attacks involved attempts by cybercriminals and state-sponsored groups to exploit organizations’ shift to remote work.
How to Defend Against Scam Calls and Phishing Attacks
Users can follow the advice of the FTC and defend against scam calls by using call blocking or call labeling to stop unwanted calls before they reach them. They also need to remember that attackers commonly spoof caller ID. Even if a call looks like it’s coming from a government agency, it might not be.
They can also take steps to defend against phishing attacks and other intrusions. For the former, they can familiarize themselves with common signs of phishing emails and implement multi-factor authentication. This will help protect access to their accounts even if someone steals their credentials. As for other types of attacks, using a virtual private network can help users ensure that their internet connections to their corporate network are secure.
How to Report Phishing Emails
If users fall victim to one of the digital attacks discussed above, they can report it to one if not several entities. The FTC is the main agency for collecting spam reports, according to USA.gov. Victims can therefore use the FTC complaint assistant or call 1-877-382-4357 to report imposter calls, phishing emails and computer support scams. If the scams originate from overseas, victims might consider reporting the attacks to the FBI’s Internet Crime Complaint Center or econsumer.gov. Finally, victims should consider reporting scams to their local government body and/or to targeted organizations such as the SSA so that those bodies can keep other members of the public safe.
David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Trip...