Robo calls are a phisher's dream

On January 21, the FBI’s Internet Crime Complaint Center issued an alert about a fake online job listing scam. Job applicants were lured to spoofed sites, drawn into the narrative with emails purporting to be from company representatives, and induced to give up their Personally Identifiable Information and payment card information.

What struck me about this story is it’s just a tech-savvy take on a typical consumer confidence scheme. The players in any scheme are the con artist and the mark. Probably the first recorded confidence scheme was perpetrated by a serpent; Eve was the mark. The con artist concocts a story that sounds real enough to cause the mark to believe it. The suspension of disbelief resulting from the mark’s confidence in the story leads to a successful scam because the mark ignores that tiny voice asking, “Does this make sense?”

News reports of data breaches resulting from successful phishing attacks are an almost daily occurrence. The consumer fraud that spawned this name is analogous to fishing with a rod and reel to land a single fish.

Con artists, though, have found that exploiting the volume and velocity offered by technology is like using a net, yielding a larger, more lucrative catch. Instead of a live caller engaging in social engineering with a single prospective target, automatic dialers call thousands of people, instructing them to call bogus telephone numbers purported to belong to the IRS, Social Security Administration, or their bank; and warning them of dire consequences if they don’t. Similarly, spurious emails can convince consumers that giving up their online banking credentials and other sensitive information makes sense.

Of course, the impact is far more pernicious when these same techniques are deployed against enterprises. Unsuspecting employees click on links attached to emails they think are from their boss, or colleague, or friend, thus becoming unwitting accomplices in infecting the organization’s network with various flavors of malware. And, to bring my painful analogy to its logical conclusion, “spear” phishing is the apt analog of harpooning, since the quarry is a “whale.”

While there are technological defenses against phishing schemes, my view is that sending employees fake phishing emails is a particularly potent awareness training tool, since it mimics the behavior it intends to modify. An employee who fails to recognize the email as being bogus and receives a message from internal data security folks is inoculated with a healthy dose of skepticism. This tactic also performs a public service, because those employees are all consumers as well.