Articles about website spoofing, cybersecurity trends, and how to protect your customers from hackers.
People often watch out for malicious, fraudulent links in emails and text messages, and many receive training to spot telltale signs of an obvious phishing attempt. The typical protocol is to report the email as malicious and delete it. That makes sense, but maybe not.
Lying is natural. As the saying goes, we all lie to ourselves all the time. But what about lying to the phishers? With this tactic employed at a large scale, phishing wouldn’t be nearly as lucrative for the fraudsters in the e-crime business.
Let’s look at a specific example: A real phishing page extracted from a feed of detected malicious sites. Undoubtedly, this authentic-looking bank page asks for the user’s credentials and credit card information. However, phishers have gradually gotten more into the business of identity theft, not just credential theft. This particular page (and many like it) asks the user’s personal information and their social security number. (They are also after security questions and answers from the user to scour other sites to impersonate that user.)
Spotting these unusually probing questions in any webpage, especially a banking page, is an immediate giveaway. If a user sees any page asking for their private information, social security being a top draw, don’t close the tab – simply lie.
Willfully give up a random social security number (as long as it isn’t 123-45-6789). In other words, use intelligent lies. Give the phisher what they want – information that you know is fake but they don’t. If this was commonplace when confronted with a phishing page, the phisher would receive tons of believable fake information from dozens of IP addresses. No harm comes to the user when lying to a phisher. Sifting through fake credentials, however, may take them hours upon hours.
If for some cases the site is a legitimate one, giving them a fake social security number does no harm. The legitimate site will follow up and contact the user to correct the mistake. This gives the user a chance to inquire why they are asking for a social security number over the web. That information is irrelevant unless the user is applying for credit or applying for a job. Other than those legitimate cases, it should absolutely not be asked to log on to an existing account.
Don’t close the tab, lie to the phisher. Have some fun.
If you want to learn more about internet fraud, follow our blog at https://www.alluresecurity.com/blog/
Posted by Mitch W