Phishing Scams Become More Sophisticated, Easier to Carry Out

21 May 2015

By now, most people are aware of the threat of phishing, or emails and text messages that tell you to click on a link to a fraudulent business website. Savvy internet users aren’t fooled by shoddy phishing emails and obviously fake websites anymore. However, cyber criminals are evolving to keep up with this increase in awareness, steadily using more sophisticated technologies to defraud even the most vigilant users.

For example, it’s no longer necessary for scammers to be able to do their own coding, thanks to ready-made “phishing kits” that are easily available on the online black market. These kits contain templates and source files that allow convincing-looking business websites to be created with little to no coding knowledge. In some cases, criminals hack into legitimate business servers in order to host these kits, taking over content management systems by exploiting security flaws.

If you fall for a website created by one of these kits, you often won’t even know it. Many of the kits are so sophisticated that once a user inputs a username and password into the phishing site, the site redirects them to the actual legitimate business they thought they were logging on to, while simultaneously transmitting the user’s personal data back to the scammers.

Not only is it becoming easier for fraudsters to leech off of legitimate business sites, they’re also finding new ways to acquire more seemingly authoritative email addresses. Recent research has discovered that scammers are exploiting a loophole in the Sender Policy Framework (SPF) system, which detects fraudulent email addresses by checking to see if email from a certain domain is authorized by the domain’s administrators. The loophole allows them to send email with the US government website extension, .gov, without the risk that spam filters will detect the fraudulent account. If you receive an email from a .gov email address but live in Canada, it’s a strong sign that phishing may be involved.

A flaw in Google Apps has also recently been discovered that allowed criminals to register fake corporate email addresses and send out white-listed phishing emails to specific companies’ employees. The unsuspecting employees would follow the instructions in the email, believing it to be from a legitimate corporate address, which allowed the criminals to hack into their accounts.

Perhaps the most troubling recent phishing statistic is that a sizable amount of people are actually fooled by the more convincing phishing scams, according to a 2014 Google study. The researchers were able to trick 45 percent of users into handing over their personal information by using a particularly convincing-looking email and webpage. The study also found that once hackers acquire your username and password through phishing, they get to work right away, accessing one in five compromised accounts within 30 minutes.

Google explained in its summary of the study, “Hijackers quickly change their tactics to adapt to new security measures.”

Having your information stolen in a phishing attack puts you at serious risk of identity theft and credit fraud. To keep track of activities on your credit file and stay alert to changes, subscribe to a credit monitoringservice.

01