Phishing is a scam known to most people, if not all. In a phishing scam, Internet users are lured with the promise of monetary or other gains, or sometimes frightened with the prospect of financial loss. Many posts have been written on identifying phishing scams. However, they do not discuss the more complex multi-party 'phishing for money' scams, in which individuals have lost thousands, corporations have lost millions, and the FBI estimates total losses exceeding billions. In this post I explain, with illustrations, how a 'phishing for your money' scam works.
The scam involves at least three entities: (1) the victim of the phishing scam, (2) a financial institution where the victim holds assets (that is, money), and (3) the phisher. The phisher could be one or more parties. In the diagram I have divided the phisher into three roles: the mailer, the PSI collector (PSI being the victim's login credentials: username, password, etc.), and the cashier, because a phishing scam for money usually involves these three functions. There are many reasons for dividing the effort among three parties; the most important is to avoid detection by law-enforcement authorities.
Mailer Initiates the Process of ‘Phishing for Your Money’
The mailer sends a carefully 'social engineered' email to the victim. It could be a very friendly email that appears to come from the victim's bank or other financial institution. It may ask the victim to update his/her password, or warn about suspicious activity in the victim's account; for example, it may be an alert about a withdrawal from a remote place or country, or at an unearthly hour. The objective of the mailer is to make the victim take immediate action. The links in the email lead to a website that looks like the victim's bank website but is NOT: it is a FAKE look-alike website. Similarly, the toll-free telephone number in the email will connect the victim to an operator who is part of the scam.
In the figure, this is Step '1'; the victim, however, thinks that the email is from his/her financial institution (Step 'a' in the figure).
Most of the time, millions (or even billions) of phishing emails are sent for one scam. Thus, even when only a very small fraction of recipients respond, the phishing is successful for the malicious actors. In other cases, the victim's publicly known information, such as name and job title, is included in the email for a higher success rate. This type of phishing is known as spear phishing.
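As an added example (not part of the original post), here is a defender-side check for the two tells described in this section: a link whose real host only looks like the bank's domain, and a link whose displayed text shows a different host than its actual target. The email body and the domain examplebank.com are constructed placeholders, not values from the post.

```python
import re
from urllib.parse import urlparse

# Constructed sample of the kind of alert mail described in the post.
# All domains are hypothetical placeholders, not taken from the original page.
SAMPLE_EMAIL = """
<p>We noticed a withdrawal from abroad at 03:12 AM. Act now:</p>
<p><a href="https://examplebank.com.account-verify.example/login">https://www.examplebank.com/login</a></p>
<p>Or review recent activity: <a href="https://www.examplebank.com/alerts">View alerts</a></p>
"""

LEGIT_DOMAIN = "examplebank.com"  # assumed: the institution's real registered domain

ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_RE = re.compile(r'https?://[^\s<>"\']+')


def is_same_site(host: str, legit: str) -> bool:
    """True only when host is exactly legit or a real subdomain of it.
    'examplebank.com.evil.example' fails: a look-alike prefix is not a subdomain."""
    host = host.lower().rstrip(".")
    return host == legit or host.endswith("." + legit)


def classify_anchor(href: str, text: str, legit: str = LEGIT_DOMAIN) -> dict:
    """Classify one <a> element: where it really goes, and whether the
    displayed text pretends it goes somewhere else."""
    href_host = (urlparse(href).hostname or "").lower()
    if is_same_site(href_host, legit):
        verdict = "legitimate"
    elif legit.split(".")[0] in href_host:
        verdict = "look-alike"   # the bank's name embedded in a foreign host
    else:
        verdict = "external"
    # Displayed text showing a different host than the real target is a classic tell.
    shown = URL_RE.search(text)
    shown_host = (urlparse(shown.group(0)).hostname or "").lower() if shown else ""
    mismatch = bool(shown_host) and shown_host != href_host
    return {"href": href, "host": href_host, "verdict": verdict, "display_mismatch": mismatch}


def scan_email(body: str, legit: str = LEGIT_DOMAIN) -> list:
    """Return one finding per anchor in an HTML email body."""
    return [classify_anchor(h, t, legit) for h, t in ANCHOR_RE.findall(body)]


if __name__ == "__main__":
    for finding in scan_email(SAMPLE_EMAIL):
        print(finding)
```

The first anchor is flagged as a look-alike with a display mismatch; the second, a genuine subdomain of the bank's domain, passes.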
You Give PSI to Those Who are ‘Phishing for Your Money’
If the email is successful, the victim follows a link in the email or calls a toll-free telephone number. This is Step '2' in the figure. Unfortunately, the victim thinks that he/she is taking Step 'b' in the figure, and believes he/she is doing it to protect his/her money. Because the email was prepared with great social engineering technique, the unsuspecting victim has come this far with his/her guard down. Thus, once the victim takes this step, he/she will provide the PSI in the next two steps.
These are Steps '3' and '4' in the figure, but the victim thinks that he/she is taking Steps 'c' and 'd'. In Step '3' the victim reveals the username, and in Step '4' he/she provides the password. With that, the PSI collection is complete. It is worth noting that the process involves no physical threat to the victim, who gives up the PSI without any hesitation. If the whole scam is an organized criminal operation, the PSI collector passes the gathered information to the cashier; alternatively, the PSI collector could sell the information to one or more 'cashiers'.
The Final Player in the Game of ‘Phishing for Your Money’
The cashier is the final player in the 'phishing for your money' scam. Mailing and PSI collection occur in quick succession, but the time between when the PSI is collected and when the cashier transfers money out of the victim's bank account could be short, or it could be days, weeks, or months. When all three parties are involved in the scam, the cashier is expected to act quickly. But it is important to understand that the information gathered by the PSI collector could remain useful for a long while: if the user does not change login credentials regularly, or the bank does not require its customers to change them periodically, the user may keep using the same PSI for a long time.
Before I finish this post, it is important to remind users to stay alert against all phishing scams. That nothing has happened to you or your clients so far does not mean that it will NOT happen in the future. Remember, when it comes to cybersecurity, past records are not predictors of the future. Clearly, malicious actors are looking for new victims and discovering new ways to mount attacks. Always stay alert.
Another mistake most people make is using the same username and password for multiple accounts (I do understand why: convenience). But this is very dangerous. However inconvenient it is to keep a separate set of credentials for each account, please, please use separate login credentials for each account.
STAY SAFE in cyberspace.