Integrity Blog

Other forms of Phishing: Smishing, QRishing, and Vishing

Organizations are increasing efforts to make employees aware of the threat of social engineering, including phishing, and many new businesses have risen over the past several years to provide services for training employees to recognize phishing attempts. A threat actor’s primary approach in phishing is, of course, to target individuals and groups through email, enticing the intended victims to click on a link or open an attachment. But what are some alternative forms of phishing that awareness and training efforts may not cover?

SMiShing

Though this sounds like a high school fad, it is an increasingly common threat vector and can affect people of all ages who use mobile devices. SMiShing, short for “SMS phishing,” attempts to lure the recipient of a text message to tap on the link provided in the message, thereby sending the victim to a fraudulent website where a person’s personal information can be obtained, or where malware can be downloaded to the mobile device.

QRishing

Quick Response (QR) codes are becoming more pervasive in our daily lives. You might see these small square codes on business cards, in magazines, at malls, at bus and train stations, or in a multitude of other locations. Also commonly found are apps that can be used to read and decipher the codes and, in many cases, take a person directly to a website. Just line up the QR code in your mobile device's camera, take a snapshot, and the app will present the information contained within the code. But beware! While QR codes are used for legitimate purposes, they can also be created or manipulated for illicit purposes and have the same effect as a phishing email: the decoded link can lead to a fraudulent site or a malware download just as easily as a link in an email can.

Vishing

This form of social engineering attempts to get a person to provide information, such as account numbers and passwords, through a phone conversation. The intended victim receives a call, or an email or text message asking them to call a phone number. During the ensuing conversation the intended victim is pressed to provide personal information, which can then be used by the fraudster to gain unauthorized access to a person’s devices and accounts.

The next time you receive a text message with an embedded link, see a QR code, or are solicited for personal information during a phone call, realize there are potential dangers lurking. As with phishing emails, be aware of the common signs that indicate social engineering is being used to target you.

419 Nigerian Prince Scam

In college football and other sports, you’ll occasionally see players wear “eye black” – that streak of grease or patch under their eyes – to help reduce glare. In some cases, players will add the area code from where they grew up. It may be a statement of sorts, or just a visual shout-out to their hometown area. For example, a player from northwest Ohio might add 4-1-9 to his or her eye black. Simple. No harm to anyone else. Highly recommended by 3-out-of-10 Eye Black Enhancement Specialists.

However, there’s another 4-1-9 that can give you a black eye and leave you glaring: 419 fraud. This type of fraud is simple in its approach, yet potentially harmful to you… not to mention that 10-out-of-10 law enforcement and information security professionals recommend you avoid falling for it.

419 scams did not originate in northwest Ohio. Instead, these scams originated in Nigeria, and the number 419 refers not to an area code, but to the section of the Nigerian criminal code that addresses fraud. While most people are able to easily detect these scams, some still fall victim, collectively losing millions of dollars each year.

Typical 419 scams are executed through a wordy, poorly written email. A “prince” has a significant amount of money, usually in the millions of dollars, and needs an offshore account (your bank account) in which to deposit those funds. Or, a person wants to enter into a “business partnership” with you in order to illicitly transfer money to the United States (or elsewhere)… and you happen to be the best candidate for that partnership! You are promised a commission, of course, for all your assistance. And don’t worry, the scammers will send you all the “official” documentation. You may need to travel overseas to complete any transactions, but who doesn’t want a vacation to an exotic location!?!

Besides leading to potentially significant financial losses for the victim, 419 scams have resulted in other, documented consequences, including kidnapping for ransom! In addition, “419 gangs” have a portfolio of tactics and do not rely solely on those long emails you often see. To wit, over 50% of scams on Craigslist and similar sites are commonly attributed to 419 gangs. These gangs are not shy, coordinating tactics openly on social media sites and boasting of their exploits. Just check out the Facebook pages of the Nigerian Cyber Hunters and Nigerian Cyber Army.

While social engineering through phishing emails is certainly very common these days, and is often included as a topic in security awareness and training programs, 419 scams are also very prevalent, yet generally not included as a specific topic for user awareness. If your organization is looking for additional topics to spice up information security awareness, consider including information and resources about 419 scams and similar advance-fee schemes. Though the threat to the organization is low, the potential impact on individual employees who fall victim could be high, with indirect impacts on the organization.

For additional information about 419 scams and similar fraud schemes, see information posted by the Secret Service, FBI, and commercial sites, such as www.hoax-slayer.com.

Jeremy Kirk, IDG News Service, 7 September 2014
Originally published in The Des Moines Register December 2015

Electronic Communications Privacy Act

The digital life of everyday Iowans is under continuous attack. As a fellow with the Information Systems Security Association and the president/CEO of Integrity, a national information security consulting firm headquartered in Ankeny, I’m concerned about the lack of action Congress has taken to protect the privacy of the online communications of every American citizen.

In 1986, Congress enacted the Electronic Communications Privacy Act (ECPA) to establish standards for government access to private information transmitted and stored over public networks. These public networks have become what we now know as the Internet. Nearly three decades ago, Americans had no idea that the Internet would transform the way we live and work. We use cloud providers on the Internet to store our email, phone contacts, pictures, computer backups and more. Our entire digital identity and that of our children is often stored in a large data center somewhere on the Internet. The legislation simply hasn’t kept up with the times.

Under ECPA, government agencies can gain access to anything we store in the cloud without a warrant from a judge. This loophole, written in a time when Americans hardly ever stored anything online, clearly bypasses the Fourth Amendment — a key safeguard against warrantless search and seizure for our personal property. The Fourth Amendment protects our snail mail and the files we physically store in our homes and offices. While it should protect our digital files as well, ECPA as written undermines the Fourth Amendment. ECPA reform would rectify this issue and protect our online lives the same way as our offline lives.

Bipartisan Support for ECPA Reform

Fortunately, bipartisan efforts in the House and Senate seek to bring ECPA into the digital age and fix this loophole in Iowans’ online privacy rights. The Email Privacy Act has more than 300 sponsors — a supermajority in the House — making it the most cosponsored bill in the House that has not yet passed. Meanwhile the ECPA Amendments Act is supported by almost a quarter of the Senate. Reform is also supported by a diverse group of privacy advocates, civil libertarians, former prosecutors, businesses, start-ups, and more than 100,000 individuals across the full political spectrum, but ECPA reform still hasn’t moved forward in Congress.

Reasons for Resistance

Some law enforcement and civil agencies, like the Securities and Exchange Commission and the Federal Trade Commission, are attempting to block reform to preserve their special exemptions from the Fourth Amendment, and unfortunately some congressional leaders are listening to these concerns. However, the original ECPA legislation never intended to give these extraordinary powers in the first place; it set out to protect our digital privacy.

Furthermore, the reform legislation already provides for emergency authority, such as in cases where serious injuries or deaths might occur. Some law enforcement officials claim we would be unable to stop crimes without the warrantless searches. Nothing could be further from the truth. When law enforcement is required to work within the bounds of the Constitution and not take shortcuts, we ensure due process for the innocent and are more assured of conviction for the guilty.

Moving Congress Forward

The support for reform is clear. California and other states have already passed their own versions of ECPA reform in recent weeks. Republicans, Democrats and everyone in between have come together to advocate for our online privacy rights. Now it’s time for Congress to move forward and make real progress to extend full protection of our Fourth Amendment rights to all Americans nationwide.

We use the Internet for just about everything today: emailing family and friends, saving important documents in the cloud, and sharing photos and messages on social media. In the digital age, Americans have a reasonable expectation that our private online messages are indeed private, and we deserve to have our email protected from warrantless search and seizure. With hundreds of thousands of supporters across the country advocating for reform, Congress is running out of reasons to delay.
