How to spot and avoid phishing scams
An updated guide in the era of ChatGPT
.png)
1 minute
February 9, 2024
Alloy’s latest State of Fraud Benchmark Report underscores a sobering reality for businesses today: fraud incidents are getting worse. 70% of the survey’s respondents report phishing attacks cost them at least $500,000; others mentioned damages far greater in magnitude.
Client security and protection is our top priority at Rho. To help you stay alert, we are kicking off a new blog content series focused on key fraud concepts and how you can protect yourself and your business from these threats.
The first post covers phishing – what it is, how to spot different phishing techniques, and ways to prevent different types of phishing attacks from impacting your business.
Control spend, boost efficiency, and earn up to 1.25% cashback with Rho.
Phishing is a deceptive attempt by bad actors to pose as someone you trust to get access to your personal or financial information, like passwords, phone numbers, email login credentials, or credit card numbers. Phishing campaigns can come in many forms, which we will cover next.
Email phishing is the most prevalent category. A scammer creates a fake domain that closely resembles a legitimate organization or person and sends you a fraudulent email asking to confirm certain information or to take a specific action like sending a PayPal transfer. Look for subtle irregularities like displaced letters or a slightly altered logo; these are often telltale signs of a phishing attempt.
Spear phishing differs from email phishing attempts in that the former is tailored for a specific recipient whereas email phishing is a broad-scale attack on many recipients. An example may be an email appearing to be from a coworker asking you to share sensitive company numbers. However, the goal mirrors email phishing attempts — to deceive the recipient into revealing personal or financial details.
Whaling is a specific type of spear phishing attempt, targeting a 'big fish' target. Examples include the CEO of a company or a celebrity. Similar to spear phishing, emails, appearing to be from trusted partners or business contacts, may ask for confidential company data or bank account transfers.
Smishing and vishing use SMS and phone calls, respectively, to collect sensitive information. An example of smishing could be a text from 'your bank' or another financial institution alerting you of suspicious activity and prompting you to confirm your personal data, while a vishing (voice phishing) attempt might involve a phone call from someone impersonating a trusted company like your bank, asking for your password to supposedly verify your account. Or you could receive a text from a number impersonating your CEO, asking for you to complete an urgent task like sharing credit card information.
As companies increasingly use social media to handle customer support, angler phishing has become more common. Posing as a customer support representative from well-known companies, fraudsters may post comments on your complaint threads with businesses, posting malicious hyperlinks to malware or asking for your details for 'further assistance'.
Each of these tactics revolves around deceit and misinformation. Stay vigilant by questioning unexpected communications, verifying the source, and being cautious with what information you provide and where.
If anything seems amiss to you about a third-party link, you are most likely right to be suspicious. Phishing messages often use misleading URLs that look similar to a genuine address, but lead to fake websites designed to harvest your information. Alternatively, these webpages could cause you to accidentally download malware or ransomware.
Be wary of any emails and text messages that ask for personal or account details, regardless of who supposedly sent them. Phishers often mimic legitimate businesses or acquaintances to trick users into providing sensitive data. So, always verify any requests for such information before proceeding. Your organization should have standard communication channels it leverages – if anything falls outside those norms, it is best to report them to be safe.
Maintaining robust, intricate passwords and regularly updating them significantly enhances your online security. Utilize a blend of letters, numbers, and symbols to form your password. Regular updates to your passwords ensure that even if one is compromised, your other accounts can remain secure.
Two-factor authentication (2FA) – or multi-factor authentication – adds a second layer of protection to your logins, requiring a second verification step after you use your password. A common method is using the Google Authenticator app to generate temporary login codes. While it adds some time to the login process, using 2FA on your accounts is an effective way to maintain login and email security.
Update your browsers, mobile devices, and applications as soon as updates become available. Cybercriminals and hackers often exploit known vulnerabilities in outdated software, systems, or apps. Regularly updating your devices and software helps patch these vulnerabilities and protect against these attacks.
Always verify a source if you have any doubts about the authenticity of any information received. Contact the person or company directly through an established, secure method to ensure the information is genuinely from them and all associated domain names check out.
Taking these precautions can significantly mitigate the risk of falling for phishing scams or other forms of cybercrime, playing a substantial role in your broader cyberattack prevention strategy.
Understanding theoretical precautions is imperative, but visual instances can often leave a longer-lasting impact. Let's scrutinize a typical example of a phishing text scenario:
The text message you see looks ordinary at first - just another message from the CEO, right? However, let's spot the red flags that allude to this being a phishing attempt:
We know this message originates from a fraudster based on the grammatical and formatting errors, but they certainly made an attempt to pose as your CEO. Fraudsters often cynically bank on the authority of the impersonated figure, counting on it to overlook any initial skepticism.
The scenario emphasizes urgency with the client call context, attempting to make you act quickly without thorough examination. The idea is to capitalize on your reaction speed - it is a “client” on a Zoom call who needs the gift cards after all.
The so-called CEO asks you to purchase gift cards. The ridiculousness of the request aside, it is common for fraudsters to request gift cards from popular brands like Apple, Walmart, or American Express.
The employee, misled into believing this message is from their CEO, purchases the gift cards and unknowingly hands the win to the fraudsters.
Incidents like these emphasize the importance of taking a moment of pause—a brief verification can often help identify such scams. Always remember, when in doubt, directly contact the person or company in question to ascertain the communication's authenticity.
Technology is advancing at a rapid pace, and there hasn’t been a more prominent example in recent memory than last year’s release of OpenAI’s ChatGPT. While we are still early days in its application, without question, ChatGPT is already having an impact when it comes to the world of financial fraud. Just as the technology can assist marketers with copy development, ChatGPT can pose significant fraud risks in the wrong hands.
Fraudsters are already using ChatGPT to draft meticulously crafted phishing email messages that appear remarkably legitimate. One outcome: the misspellings and grammar mistakes that are often a common type of phishing attempt are not as prevalent in ChatGPT-generated copy, making it increasingly difficult to separate genuine emails from phishing ones.
However, what ChatGPT doesn’t change is the fundamental nature of phishing. It is aimed at extracting personal or account numbers. With updated knowledge of common phishing attempts and vigilance, you can still effectively avoid being impacted by suspicious or unexpected communications. After all, it is very, very unlikely that your friend, relative, or coworker would ask for payment or account information or a password using digital channels.
Effective steps remain the same: Never divulge personal information without verification, and always conduct due diligence to verify the source of an email.
To first step to preventing fraud is recognizing it when you see it. This guide aims to provide an overview of phishing, common forms it can take in your day-to-day life, and anti-phishing tactics you can adopt today. Next, we will cover key concepts such as card fraud, account takeovers (ATO), security awareness training, social engineering, and more to come.