Featured Article : How To Tell If You’re Being Spoofed

Many cybers attacks now take the form of using fake/spoof communication to trick victims into parting with personal (or company) data, or money. We take a look at some of the most popular and widely reported methods and how to avoid falling victim to them.

Phishing

This is a very common form of spoofing attack. Cyber-criminals send their victims emails which appear to be from legitimate organisations or contacts (or in some cases use fake SMS containing links or voicemails). When the victim clicks on the link of the phishing email, they are either directed to a spoof website payment page to steal their details or money, or have malicious software loaded onto their device to allow cybercriminals to take control of that device, log keystrokes, gain access to personal information and financial data (for financial theft and identity theft), or simply direct the victim to a payment page.

How To Spot Phishing Emails

There are several ways to spot phishing emails. Examples of these in which you can identify a phishing email include:

– Online requests for personal and financial information (e.g. from government agencies) are very unlikely to be sent by email from legitimate sources.

– Generic greetings. Scammers are less likely to use your name to personalise the email greeting and title.

– Mistakes in spelling and grammar can be signs of scam emails.

– Check the email address by hovering your mouse (without clicking) over the link in the email. This can quickly reveal if the email isn’t genuine.

– Beware of heavy emotional appeals that urge you to act immediately. These are signs of scam emails that hope to bypass your reasoning and tap into an emotional response.

Vishing Scams

Vishing is a combination of ‘voice’ and ‘phishing’ and describes the criminal process of using internet telephone service (VoIP) calls to deceive victims into divulging personal and payment data. 

Vishing scams to (domestic) homes often use recorded voice messages (e.g., claiming to be from banks and government agencies) to make victims respond in the first instance.

The technology used by scammers is now such that voice simulation may even be used in more sophisticated attacks on big businesses. 

Examples of vishing include spoof calls pertaining to be from banks or credit card companies with messages asking the victim to call a certain number to reset their password, exaggerated (almost too good to be true) investment opportunities, bogus charitable requests for urgent causes and recent disasters, calls claiming to be from government agencies (e.g. the tax office), or bogus tech support calls to fix fake problems with computers.

How To Guard Against Vishing

Ways to protect you and your business from falling victim to vishing include:

– Don’t trust caller ID to be 100 per cent accurate, numbers can be faked.

– Don’t answer phone calls to unknown numbers.

– Be wary of unsolicited alleged calls from banks, credit card companies or government agencies.

– Include phishing, vishing, smishing and other variants with your security awareness training for employees.

– Avoid using a gift card or a wire/direct money transfer.

– Don’t give in to pressure.

SMS Spoofing

SMS spoofing involves changing who an SMS message appears to come from by replacing the originating mobile number (Sender ID) with alphanumeric text. Examples of this ploy include impersonating a user that has roamed onto a foreign network and is submitting messages to the home network , or impersonating a bank and including a phishing message that tricks users into clicking on a link.

How To Guard Against Spoof SMS Messages

Some key things to remember to avoid falling victim to spoof SMS messages include:

– Be very sceptical of ‘too good to be true’ offers and remember that organisations such as your bank are extremely unlikely to text you and will never ask for personal details this way.

– Avoid clicking on links in SMS messages. If you receive texts that you have any suspicion about and have questions, go to the website, call (using the number from the official website) or email instead.

– Don’t share your mobile number unless it’s really necessary.

– Beware of SMS messages about verification codes, password resets, or anything that’s asking for personal information.

– Report any SMS spoofing attempts to Action Fraud.

Smishing

Smishing is where an attacker sends a text/SMS message purporting to be from a reputable company, in this case, the Royal Mail or a parcel delivery company/courier service. The idea is that the recipient (who may be expecting a parcel delivery) is fooled into clicking on the link in the text message and this either send sends the attacker personal information (credit card number or password) or downloads a malicious program/malware to the victim’s phone. The malware can be used for snooping on the user’s smartphone data or sending sensitive data (silently) to an attacker-controlled server.

Parcel delivery scams account for more than half of all reported text phishing, or ‘smishing’ attacks in the UK. For example, new data shows that from 15 April to 14 July 2021, 53.2 per cent of reported scam text messages were from attackers posing as postal delivery firms. Also, from 14 June and 14 July, parcel and package delivery scams accounted for 67.4 per cent of all smishing attempts.

How To Protect Yourself Against Smishing Attacks

Ways that you can protect yourself and your business from smishing include.

– (Again) remember that financial institutions never send text messages asking for credentials or transfer of money and credit card numbers, ATM PINs, or banking information should never be sent to someone in text messages.

– Beware of (scam) messages offering fast money (e.g., from winning prizes or collecting cash after entering information).

– A message received from a number with only a few digits is a sign that it probably came from an email address, which is a common sign of spam/scams.

– Avoid storing any banking details on a mobile device (in case of malware).

– Be wary of any delivery-related text messages other than the standard day/time of delivery messages.

– If you receive a smishing text, to protect other users, send the message to your telecom’s number so that it can be investigated. Also, report such messages to Action Fraud (https://www.actionfraud.police.uk/).

Deepfake Videos and Audio

Deepfake videos use deep learning technology and manipulated images of target individuals (found online), often celebrities, politicians, and other well-known people to create an embarrassing or scandalous video e.g., pornography, violent behaviour, or of the victim saying something they would not normally say but could be very damaging to their reputation if believed. The AI aspect of the technology makes the spoof videos very convincing. Deepfake videos are used by criminals to cause damage the reputations of victims and/or to extract ransoms from their target victims.

Deepfake Audio

Deepfake ‘ransomware’ can also involve using AI to manipulate audio in order to create a damaging or embarrassing recording of someone, or to mimic someone for fraud or extortion purposes. For example, in March 2019, a group of hackers were able to use AI software to mimic (create a deep fake) of an energy company CEO’s voice in order to successfully steal £201,000.

Other Spoofing Attacks & Scams

Some other popular spoofing attacks and methods include:

Man-in-the-Middle Attacks

If cyber-criminals are able to gain access to a person’s communications accounts e.g., your email (perhaps using stolen credentials, spyware, malware), they can intercept web traffic between two parties and the communication between the parties to re-route funds or solicit sensitive personal information like credit card numbers or logins.

Extension spoofing

This is where cybercriminals disguise executable malware files to make victims feel as though they can safely click on them (e.g. if received in an email). For example, a .exe file, which would normally be a security red flag, can be made to appear as a .txt (Notepad) file.

Checking If Your Details Have Been Stolen

Some attacks happen because a user’s personal data has been stolen in other attacks and/or traded online. One way to check whether your details have been stolen is to visit https://haveibeenpwned.com/.

What Does This Mean For Your Business?

The message here is that today’s cybercriminals would much rather rely upon human error and spoof scams than go to the time and trouble of trying to hack into secure systems. Human error can be relied upon to be ever-present to a degree, which is why spoofing is so effective. It appears that almost anything can now be faked, and it is up to businesses not just to take the necessary cyber protection measures (anti-virus, 2FA etc) but to educate staff in what spoofing scams they may encounter, how to spot them, and to have policies and procedures in place for dealing with and checking certain types of approaches, messages, and enquiries. It is important that all staff are particularly aware of email threats and can exercise a healthy degree of scepticism and judgement. New staff, staff in new roles, temporary staff, or staff with a known aversion to IT may be particularly vulnerable to these attacks and should receive extra attention in terms of cyber security education and training.