5 Clever Phishing Scams Trying to Steal Your Personal Information

January 23, 2018

12:45 pm

As the world gets more connected, the value of personal information has skyrocketed. Between companies utilizing big data to give their customers what they want and cyber criminals stealing it for their own sinister gains, personal information has become a valuable commodity for anyone that can get their hands on it. And unfortunately, cyber criminals have come up with some devilishly clever means of stealing it from you.

Phishing scams, for those that don’t know, are clever, albeit illegal, plots to get you to input your personal information into a less-than-legitimate form, file, or website that will, in effect, lead to identity theft, malicious bank charges, and anything else a hacker can think to use your personal information for. And despite most people claiming that they can spot a phishing scam a mile away, studies show that they’re a lot harder to decipher than most people think.

Fortunately, being aware of which phishing scams are out there can do a lot to educate you on how to protect your personal information. We’ve collected a few of the most popular and insidiously clever phishing scams below so that you can keep your personal information as safe as possible. And, we’ve even given them playful heist names to keep you smiling while talking about these evil masterminds.

Note: Please do not use these tactics for your own personal gain. Phishing scams are illegal and, honestly, quite mean. After all, personal information is just that: personal. 

The Fake Attachment Heist

With more than one billion users, Gmail is a prime target for phishing scams. Considering the aggressively trusting nature of most Gmail users when it comes to communicating with friends and the inherent excitement of receiving an attachment from anyone, our first clever phishing scam is particularly effective at duping you out of your personal information.

With information stolen from a previously compromised device, cyber criminals will send the victim an email with an actual subject line and an actual attachment that the compromised party has used before. Once the victim clicks on the link, they are redirected to re-sign into Gmail, and the cycle starts all over again.

The attack was reported by many, and the effects were wide reaching. One school, for example, reported the attack had duped three teachers and a handful of students in less than two hours. And the means by which it spread so fast were pretty impressive:

“They went into one student’s account, pulled an attachment with an athletic team practice schedule, generated the screenshot, and then paired that with a subject line that was tangentially related, and emailed it to the other members of the athletic team,” wrote the system administrator for the school in a Hacker News post.

The Apple ID Caper

If you’re an iPhone user, you know your Apple ID and password like the back of your hand because you have to use it just as often. From movie rentals and song downloads to in-app purchases and iCloud access, your Apple ID is getting typed out more often than your actual name. And some phishing scams are taking advantage.

As web developer Felix Krause, who has worked with Google and Twitter, pointed out, the ease with which phishing scammers could take advantage of this is undeniable. Because many of the alerts don’t even require hackers to know your email address (as shown below), it would be easy to get your password without you even realizing.

Krause goes on to explain that the only way to be sure that you’re filling in an authentic Apple form is to forego these pop-ups altogether and exclusively provide your password via the “Settings” icon instead. Yes, it’s an added extra step, but it could be the difference between a calm Saturday afternoon and a hectic phone call with Apple customer service.

The Billing Information Hold-Up

Having to change your billing information is an regular occurrence. Whether you move or lose your credit card, being prompted to adjust the credit card information provided for auto-pay services, like Netflix, is perhaps one of the most ordinary experiences you go through in life. And that’s what makes this phishing scam so gosh darn clever!

Again, the victim receives an email from “Netflix” insisting that there is a problem with your billing information, resulting in the suspension of their account. They are then directed to a page not entirely unlike a Netflix landing page that asks for your billing information (name, address, date of birth, phone numbers, etc.). Then, you are prompted to verify your payment method by inputting your credit card information and sometimes even your Social Security Number.

While the ease with which all of your important personal information is stolen from you is unsettling, the fact that the phishing scam has effectively and persistently avoided spam filters makes it much worse. Yes, Google has dramatically cracked down on these scams with filters, but this one seems to be the only one that can regularly evade detection.

“They’re not even varying their tactics all that much,” said Richard Hummel, manager of technical analysis at FireEye, in a Wired article. “What they’re doing is working, it’s successful. Netflix is still one of the common themes that’s used for credential theft. It’s definitely something that’s still ongoing—steady and recurring.”

The URL Rip-Off

Experienced phishing scam detectors live by one simple rule: look at the URL. While cyber criminals have dozens of handy tricks to fool you into giving up your cherished personal information and the internet is the ruleless wasteland by which they can do so, URLs don’t lie. At least, that’s what we thought.

Through the use of Punycode, an online resource that allows you to register a domain with foreign language characters, hackers have discovered that they can create phony URLs that look exactly like the real thing. By using characters that effectively spell out, for example, “apple.com,” victims would be none the wiser when it comes to deciphering phishing scams from legitimate requests for information.

While most browsers have protections against the mixing of characters in the URL, neither Chrome nor Firefox can do anything about a domain completely spelled out in a foreign language that just happens to look like “apple.com.” And that is where victims get into real trouble.

“The domain ‘аррӏе.com,’ registered as ‘xn–80ak6aa92e.com,’ bypasses the filter by only using Cyrillic characters… Visually, the two domains are indistinguishable due to the font used by Chrome and Firefox,” said web designer Xudong Zheng in a post on his personal page. “As a result, it becomes impossible to identify the site as fraudulent without carefully inspecting the site’s URL or SSL certificate.”

The Great GoDaddy Robbery

Owning a website comes with a laundry list of things to avoid. Cyber criminals have begun to realize that the limited resources allocated to small businesses’ security measures have made them ripe for the hacking. Unfortunately, this has made GoDaddy a veritable hunting ground for phishing scammers looking for website owners’ personal information. And, tragically, they’re pretty good at it.

Because addressing website ownership problems has become a bit like digital Whack-a-Mole, posing as an issue that needs to be resolved is a popular means of phishing for information. One in particular, reported on the GoDaddy support page, insisted that the users directory has become too large in an email that, admittedly, doesn’t look that official.

Once they’ve convinced you of the pressing problem, they’ve got you. You’re redirected to a pretty convincing GoDaddy page that asks for your login information, leading to the eventual theft of your personal data. And the rest, as they say, is history.

Read more about some of the most recent global hacks on TechCo

Did you like this article?

Get more delivered to your inbox just like it!

Sorry about that. Try these articles instead!

Conor is a writer, comedian and world-renowned sweetheart. As the Assistant Editor and Writer at Tech.Co, he’s written about everything from Kickstarter campaigns and budding startups to tech titans and innovative technologies. His background in stand-up comedy made him the perfect person to host Startup Night at SXSW and the Timmy Awards for Tech in Motion. In his spare time, he thinks about how to properly pronounce the word "colloquially." Conor is the Assistant Editor and Writer at Tech.Co. You can email him at conor@tech.co.

Leave a Reply

  • (will not be published)