I’m continuously bombarded with phishing attacks through email, texts and phone calls. Many of these are multi-pronged meaning they include many ways for the attacker to be successful. I highly suggest approaching these attacks with an open logical mind and not act on feelings. Most of these attacks are built upon driving you to take a quick action based on emotions. Language will include “click now / your account is expiring / a package isn’t going to be delivered / your account is locked” … anything to get you to be interested and act now.
Some examples of attack prongs are the following:
- Claiming payment is due or asking for payment
- Asking for sensitive information
- Clicking a link for whatever reason
- Calling a number to speak to a support representitive
- Paying for overpayment, which the overpayment isn’t real
For example, I receive text messages about if somebody knows me or just asking random questions. The goal is for me to respond, which prong 1 is determine if my number is real. It is likely this is a massive text blast with hopes of having some people respond. Prong 2 could be making a claim and posting a link, which that link takes my device to an exploit kit. If I don’t click the link, the conversation could switch to prong 3, which is asking me questions with the goal of collecting data on me. An example of the overpayment prong is common on craigslist. Somebody will offer to pay more and mail a fake check (see my post on fake checks HERE). The hope is I wire the overpayment before the check bounces.
I bring up this topic because sometimes it’s hard to understand a scam when you are in the middle of it. You also may see one part of the scam, however, fall for another prong. ZDNET posted about their research on a PayPal scam, that is pretty interesting HERE. In short, the attacker sends out a request for 699 dollars. The hope is somebody just clicks to pay it, which is unlikely but could happen. Prong two of the attack is the attacker providing a support line, which will likely be an expensive phone call. Prong three would be asking the victim questions leading to a collection of sensitive data.
The best approach to responding to these scams is to not respond. Just block them. There are groups that do the opposite, aka they play out the scam with the goal of wasting the attacker’s time hence absorbing the attack vs allowing the attacker to move to another victim. I won’t say that’s a bad thing, and I will admit it’s fun but be careful of the multi-prong attacks.