Snapshot: the current phishing landscape


During the 4th week of CSAM, the focus is on phishing, a type of social engineering scam that can take many forms including, but not limited to, email, SMS text messages, phone calls, social media updates, and web pop-ups or ads. The intent of social engineers is likely the theft of sensitive information, but it may also include the installation of malware, such as spyware or ransomware, which can lead to identity theft, monetary loss, loss of intellectual property, data theft or corruption, business disruption, etc.

In the Anti-Phishing Working Group’s (APWG) second quarter summary for this year, the group noted that it was the worst quarter it had ever observed, with 1,097,811 (reported) phishing attacks. It also noted a 47% increase from Q1 to Q2 2022 in (reported) social media attacks, and the continuing rise in mobile phone based fraud, including smishing (SMS phishing) and vishing (voice phishing).

2022 Notable trends: 

Vishing – Commonly seen vishing scams this year are debt relief scams, charity scams, and imposter scams. Victims often forget that a phone call can lead to a cyber threat, and that’s why vishing is so successful. Scammers first trick people into believing that they are a trusted party, e.g., someone from a government agency or a financial institution. They may even be calling from a spoofed number that looks familiar. Next, the scammers direct victims to malicious websites or login prompts, which are designed to look like legitimate sites, in order to steal credentials.

Smishing – Commonly seen smishing scams this year are food delivery, package delivery, and bank related scams. Many people do not have security software on their phones, and smishing is attractive precisely because victims are likely reading SMS text messages free and clear of the protections afforded by security technologies. For this reason, it is always advisable not to click links in these messages. Rather, visit the web page of the sending organization using a trusted URL to access account or other information.

Social media phishing scams – Can be very difficult to spot. They may not be as obvious as a private message from a stranger asking you to click on a link. Instead they may show up from people that you know, whose accounts have been compromised. If you spot messages from people you know that seem suspect, contact them using a trusted phone number to verify the legitimacy of the message. Also beware of anyone seeking work related information via social media rather than NYU communication channels. In recent months, there have been continuing COVID related scams as well as a number of scams related to LinkedIn, including fake notifications, such as “People are looking at your profile” and “You appeared in 30 searches this week”. Once the link (button) is clicked in these phishing emails, victims are taken to a spoofed LinkedIn login, which steals their credentials. Another LinkedIn scam relates to bogus job offers in which the scammer asks for more information than is necessary for the purpose of a job application, including a credit card number to process a fee of some kind. Many of these messages can be detected by viewing the “Reply-To” address of the sender, although some messages you receive may be coming from compromised business or personal accounts. When in doubt, verify the legitimacy of any communication received with the sender, using a trusted means of communication.
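The “Reply-To” check described above can be automated for triage. The following is an added example written for this page, not code from the article or from NYU: it parses raw messages with Python’s standard `email` module and flags any message whose Reply-To domain differs from its From domain. The sample messages and the `example.edu` / `example.net` domains are constructed placeholders. A mismatch is a heuristic signal for a human to review, not proof of phishing, since some legitimate mailing systems also set a different Reply-To.

```python
"""Flag messages whose Reply-To domain differs from the From domain.

Added example (not from the original article). Sample messages are constructed.
"""
from email import message_from_string
from email.utils import parseaddr


def _domain(addr_header):
    """Return the lower-cased domain of an address header, or None if absent/malformed."""
    if not addr_header:
        return None
    _display_name, addr = parseaddr(addr_header)
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def reply_to_mismatch(raw_message):
    """Parse a raw RFC 822 message and return (from_domain, reply_to_domain, mismatch).

    mismatch is True only when both headers carry a usable domain and they differ;
    a missing Reply-To header is not treated as suspicious.
    """
    msg = message_from_string(raw_message)
    from_dom = _domain(msg.get("From"))
    reply_dom = _domain(msg.get("Reply-To"))
    mismatch = from_dom is not None and reply_dom is not None and from_dom != reply_dom
    return from_dom, reply_dom, mismatch


def triage(raw_messages):
    """Return the subjects of messages that should be reviewed by a person."""
    flagged = []
    for raw in raw_messages:
        _from_dom, _reply_dom, mismatch = reply_to_mismatch(raw)
        if mismatch:
            flagged.append(message_from_string(raw).get("Subject", "(no subject)"))
    return flagged


# Constructed sample messages (placeholder domains, not real senders).
LEGIT_NO_REPLY_TO = """From: IT Help Desk <helpdesk@example.edu>
To: student@example.edu
Subject: Scheduled maintenance

The portal will be unavailable tonight.
"""

LEGIT_SAME_DOMAIN = """From: Notifications <noreply@example.edu>
Reply-To: helpdesk@example.edu
To: student@example.edu
Subject: Your ticket was updated

See the ticket for details.
"""

SUSPECT = """From: IT Help Desk <helpdesk@example.edu>
Reply-To: "IT Help Desk" <helpdesk-support@example.net>
To: student@example.edu
Subject: People are looking at your profile

Confirm your account to keep access.
"""

if __name__ == "__main__":
    for subject in triage([LEGIT_NO_REPLY_TO, LEGIT_SAME_DOMAIN, SUSPECT]):
        print("review:", subject)
```

Run it over an exported mailbox or a mail-gateway sample to see which messages warrant a closer look; pairing this with the manual verification step the article recommends (contacting the sender through a trusted channel) is what turns the flag into a decision.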

For more information about detecting and avoiding phishing, please see the following article from The Download, Phishing, Spear Phishing & Whaling.