Phishing scams 101: How good are you at detecting a phishing attack?

Phishing scams are disguised to trick you, but you can definitely train to be a master at detecting them. Read this guide and test yourself to see if you can stay ahead of phishing scams.

Cyberattacks are on the rise these days. The various “creative” scenarios that they present themselves in are also getting increasingly difficult to detect. One minute you’re opening an email that’s supposedly from the government, the next you’re frantically telling your bank that you did not, in fact, spend $10,000 on some dodgy "financial product".

That’s how a phishing attack works: you receive a malicious email or SMS, or visit a spoofed website, mistakenly key in your banking or card credentials, and whoosh! Your bank account or credit card is compromised.

Though you may think you’re a bit too careful and savvy to be caught like this, there’s no harm in testing yourself with the scenarios below to see just how scam savvy you really are.


1. Phishing attacks always slightly misspell malicious website names or addresses, so you can spot them easily if you’re careful. True or false?

False.

Many fake websites do have slight spelling differences from the real thing, but there’s also a form of phishing that uses an Internationalized Domain Name (IDN) homograph attack.

When a website’s name uses a non-Latin alphabet such as Cyrillic, the browser converts it into an ASCII form called Punycode. We won’t bore you with the techy details, but you should know that some characters in these alphabets, when they appear in the address bar, look exactly like their English (Latin) counterparts.

For example, the Cyrillic letter “а” is visually identical to the English one, although to the computer they are two different characters. As such, it’s possible to set up an address that looks exactly like the correct one but leads you elsewhere. A web developer, Xudong Zheng, recently demonstrated this by setting up a fake website whose address appears, letter for letter, as www.apple.com (it even has the green “secured connection” lock and everything).

Web browsers are currently developing ways to counter this, but if you want to be really safe, you’d better type the address in yourself.

Adopting this practice as a rule of thumb is the only way to be 100 per cent sure.
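As an added illustration (not part of the original article), here is a small Python script showing what the Punycode conversion looks like and how a browser-style check can catch a look-alike address. The domain used is constructed for this example: it is spelled entirely with Cyrillic letters (ѕ с о р е) that happen to render like the Latin word “scope”. The look-alike table is a small constructed subset, not the full Unicode confusables list, and the `safe_display` rule is a simplified version of what browsers do, not any particular browser’s code.

```python
import unicodedata

# Constructed subset of lowercase Cyrillic letters whose glyphs are near-identical to
# Latin ones. The authoritative list is the Unicode confusables table; this is a sample.
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0455": "s", "\u0456": "i", "\u0458": "j",
}


def to_punycode(hostname):
    """Return the ASCII (xn--) form that is actually sent to DNS."""
    return hostname.encode("idna").decode("ascii")


def from_punycode(ascii_host):
    """Reverse of to_punycode: decode xn-- labels back to Unicode."""
    return ascii_host.encode("ascii").decode("idna")


def script_of(ch):
    """Crude script classifier: first word of the Unicode name, e.g. 'CYRILLIC'.
    Digits and hyphens are script-neutral and return None."""
    if not ch.isalpha():
        return None
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def as_the_eye_reads_it(label):
    """What a reader sees: each Cyrillic look-alike replaced by the Latin letter it mimics."""
    return "".join(CYRILLIC_LOOKALIKES.get(ch, ch) for ch in label)


def label_is_suspicious(label):
    """Heuristic modelled on browser IDN display policies:
    - mixing scripts inside one label (Latin 'p' next to Cyrillic 'а') is suspicious;
    - an all-Cyrillic label made only of Latin look-alikes is suspicious, because a
      real Cyrillic word almost always contains a letter with no Latin twin."""
    scripts = {s for s in map(script_of, label) if s is not None}
    if len(scripts) > 1:
        return True
    if scripts == {"CYRILLIC"}:
        letters = [ch for ch in label if ch.isalpha()]
        return all(ch in CYRILLIC_LOOKALIKES for ch in letters)
    return False


def safe_display(hostname):
    """Return (text_to_show, suspicious_labels). Legitimate IDNs are shown in Unicode;
    a hostname with any suspicious label is shown in its xn-- form so the look-alike
    letters cannot fool the reader."""
    unicode_host = from_punycode(hostname) if "xn--" in hostname.lower() else hostname
    bad = [lbl for lbl in unicode_host.split(".") if label_is_suspicious(lbl)]
    return (to_punycode(unicode_host) if bad else unicode_host), bad


if __name__ == "__main__":
    # Constructed look-alike: Cyrillic ѕ с о р е, which renders like Latin "scope".
    fake = "\u0455\u0441\u043e\u0440\u0435.com"
    print("looks like:   ", as_the_eye_reads_it(fake))
    print("sent to DNS:  ", to_punycode(fake))
    print("address bar:  ", safe_display(fake))
    # A genuine Cyrillic name (москва) keeps its Unicode form: к, м and в have no Latin twin.
    print("real Cyrillic:", safe_display("\u043c\u043e\u0441\u043a\u0432\u0430.com"))
    # Latin "p" followed by Cyrillic "а": mixed script, shown as xn-- form.
    print("mixed script: ", safe_display("p\u0430ypal.com"))
```

The `to_punycode` output is the form you would see if you hovered over such a link in a careful mail client, which is why the article’s advice to type the address yourself works: the Punycode string looks nothing like the brand name it imitates.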


2. Phishing emails come out of the blue, and are not part of ongoing email threads. True or false?

False.

Although it is true that we should always be wary of unsolicited emails, the fact is, phishing emails can also insert themselves into the middle of an existing email thread.

For example, say you’re in the middle of an email conversation with your colleagues. About five emails in, you get one that says “Hey, can you look this over for approval?”

Thinking nothing of it, you click it and… download all sorts of malware and spyware.

It’s easy to be caught off guard, since most people don’t expect a phishing email to appear mid-conversation. The only solution is to stay alert and take note of any strange or out-of-context messages. It’s always best to double-check with the supposed sender if something looks out of the ordinary.


3. Are you always conscious that strangers can stalk your social media?

If you have public social media accounts, then you're open to attack.

For example, in very targeted attacks, the scammer may stalk victims on, say, LinkedIn, studying details about the victims’ professional lives. That makes it easy for hackers to craft emails that appear to come from your boss or colleagues.

Such scammers could also exploit public information on your personal life shared through Facebook, Instagram, and other social media sites. For example, scammers may be able to see your vacation location on your Instagram pictures, and ask if you “left this while we were in Bali” (clicking the email then downloads malware or spyware).

If you keep this in mind all the time, you’ll be much better at spotting and evading potential phishing attacks. There are some giveaway signs, such as if a colleague who just left is apparently contacting you via their work email, or if the email about your last vacation is from a nameless source.


4. Do you check before verifying automated payments?

Unfortunately (for us at least!), some of the most common phishing attacks tend to impersonate financial institutions and/or are money-related. Recently, there has been a rise in phishing emails claiming that the victim’s digital token has expired. Of course, this is untrue – digital tokens do not expire – but in a panic, victims may be tricked into clicking the embedded link and revealing their banking credentials.

For all we know, a few minutes later, someone in an exotic country may be buying themselves a new pool table at your expense*.

If you’re wise to phishing attacks though, you’ll be sure to follow up on such emails with careful checks. That means a phone call to the service provider to verify if it’s real, and a refusal to even click the email link before that.

*The thief probably isn’t the one who created the phishing attempt; they often just buy stolen credit card details online.


Phishing scams get smarter all the time; make sure you stay alert and evolve along with them.

No matter how scam savvy you think you are, remember that phishing crooks have one big advantage: they can fail hundreds of times, but you only need to slip up once.

DBS is committed to protecting our customers from scams! Learn more about DBS Scam Defence and how we're equipping you with the right tools and timely information to bank with confidence. 
