By: Jamélie Myre
When someone hears "phishing" they may picture boats, fishing rods and fish. The analogy holds, but this kind of phishing is malicious: you are the fish, your device or the web is the boat, and the hacker is the phisherman holding the lure.
Phishing is a cyber attack that everyone should be aware of in order to avoid falling victim to it. Most commonly delivered by email and disguised as a platform you already use, a phishing message appears to come from a trustworthy source in order to trick you into sharing personal and sensitive information. The attacker then uses the leaked data either to drain funds or to deploy malicious software on the victim's infrastructure.
Phishers often use fear and urgency, while offering to help with the supposed problem, to pressure you into quickly clicking links or opening attachments. Some of these attacks are easy to spot, but there are many instances where cyber criminals get sophisticated:
- Clone Phishing is when a hacker makes an identical copy of an email you have already received, adds a note such as "resending this" alongside a malicious link, and "continues" the exchange while pretending to be the original sender.
- Deceptive Phishing is when a hacker impersonates a real company, often warning the target that their account is already involved in a cyberattack, to lure the target into clicking a malicious link.
- Social Engineering attacks are psychological manipulation by the hacker to persuade a person to share confidential information or to perform an action.
- Website Spoofing is when the hacker creates a fake website identical to one you trust. When you log in to your account on it, the attacker captures your credentials.
Other phishers, or scammers, will approach you in direct messages, luring you to interact with malicious links and websites, sometimes pretending to be someone you know and trust so that you hand over even more. The most important practice is not to believe everything you see or read, and to always think before you click.
How to Detect Phishing Scams
There are several signs you can look for to detect a phishing scam and avoid becoming a victim:
- Requests to verify sensitive or personal information, combined with fear or urgency.
- Unexpected or unusual attachments, which may carry malware such as ransomware.
- The message is poorly written, contains logos that are oddly placed, or makes a too-good-to-be-true offer, such as telling you that you have won something.
- The sender uses a free email provider such as Gmail, Outlook or Yahoo instead of the company's own domain.
- Misspelled email addresses and URLs, or a trusted name placed as a subdomain of a domain the attacker controls.
Security specialist and auditor at MetaLaunchers, Orlando Gonzalez, shared the most recent phishing scam he had encountered, which arrived through SMS. The text claimed to be from the United States Postal Service. "My first reaction was to check it out, and I noticed one thing in the link. It was supposed to come from USPS but the link was written as upas-uoddkaei… that's not a USPS link," he said. Continuing his investigation to see whether he could find other pieces of evidence, he noticed that "the website page was identical, but in this particular case none of the other buttons functioned, not the FAQ, not the search bar, nor the menu. To get further confirmation that this was a phishing attempt and fake website, [he] copied the tracking number that was shown to [him] and entered it into the actual USPS page, which turned out to be an invalid number. No package was assigned to that tracking number." This is a prime example of Deceptive Phishing mixed with Website Spoofing. "This page was created to steal my identity," Orlando concluded.
While all of these phishing scams affect the online community in general, many of them occur on the popular Discord instant messaging platform, where many large projects host their main hub for their investors. Those hubs are called servers, and they, just like the members who use Discord, can easily be targeted by these attackers and compromised. Accounts with extensive permissions within the server, or bots that help moderate it, can be compromised and in turn jeopardize the entire server. For a bot to enter your server, an admin must invite it and grant it permissions on the server. It is very important to DYOR (do your own research) on a bot before inviting it into your server.
In relation to accounts being compromised, "the major phishing target when it comes to the web3 or NFT space is predominantly on Discord, where projects host their communities. The main target for attackers is the Discord token, which gives the attacker complete control over an account. The accounts targeted are usually a project founder, the CEO of a startup that is hosting a community on Discord, a moderator, or someone who is in power," Orlando explained during an interview. "When they have control of their account, it's very easy for the attacker to disguise themselves as their victim and post a phishing link … to steal funds from the community."
Professional auditor and early adopter of cryptocurrencies Jon_HQ alerted his Twitter audience to a new type of phishing attack that occurs through Discord bots, or through verifying your account via a bot. Sharing an image, he said: "I've made an image showing a valid oauth request on the left, and the scam oauth on the right… ALWAYS check where you're being redirected to." In a follow-up reply in the same thread, he warns to "ALWAYS be super careful about entering your Discord login information anywhere… Check the URL. Cut the domain out and manually type in 'https://Discord.com' when you get sent to a login page," and to be aware because "This scam oauth request MIGHT BE LINKED BY A REAL BOT. But it will go to the fake [one]."
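The checklist above and Orlando's triage of the USPS text (a brand name that is not the brand's domain, a look-alike spelling) can be made repeatable, as can the two checks in Jon_HQ's thread for a bot-verification link (the login page must be on discord.com itself, and you must know where redirect_uri sends you). The script below is an added example, not code from the article, from MetaLaunchers or from any interviewee. The TRUSTED table, the two-label registrable-domain rule, the confusable-character table, the edit-distance threshold of 2 and every sample URL (reserved .example names and a placeholder client_id) are assumptions made for the example, not values taken from the article.

```python
"""Triage a link before clicking: scheme, registrable domain, look-alike label,
brand-as-subdomain and, for OAuth links, where the login page lives and where it
redirects. Added example; not code from the article or from its interviewees.
Assumptions not taken from the article: the TRUSTED table, the two-label
registrable-domain rule, the CONFUSABLES table, the edit-distance threshold of 2
and every sample URL (all constructed, using reserved .example names)."""
from urllib.parse import parse_qs, urlparse

# Brand word -> the registrable domain that legitimately serves it (assumption).
TRUSTED = {"usps": "usps.com", "discord": "discord.com"}

# Character swaps that make a fake label read like the real one (assumption).
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))

# Constructed OAuth authorize links in Discord's URL shape; client_id is a placeholder.
LEGIT_OAUTH = ("https://discord.com/api/oauth2/authorize?client_id=000000000000000000"
               "&redirect_uri=https%3A%2F%2Fbot.example%2Fcallback"
               "&response_type=code&scope=identify%20guilds.join")
SCAM_OAUTH = ("https://discord.com.verify-bot.example/api/oauth2/authorize"
              "?client_id=000000000000000000"
              "&redirect_uri=https%3A%2F%2Fverify-bot.example%2Fcallback"
              "&response_type=code&scope=identify")


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Assumption: no public-suffix list, so a
    host under 'co.uk' would be mis-split; fine for the .com/.example hosts here."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def normalize(label: str) -> str:
    """Undo common homoglyph swaps so that 'u5ps' compares as 'usps'."""
    label = label.lower()
    for fake, real in CONFUSABLES:
        label = label.replace(fake, real)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches swapped or dropped letters such as 'upas'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze_url(url: str) -> dict:
    """Return the registrable domain and a list of red flags (empty means none found)."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    reg = registrable_domain(host)
    flags = [] if p.scheme == "https" else ["not https"]
    if reg in TRUSTED.values():
        return {"host": host, "domain": reg, "trusted": True, "flags": flags}
    subdomain = host[: -len(reg)].rstrip(".") if host != reg else ""
    label = reg.split(".")[0]
    for brand, real in TRUSTED.items():
        # usps.com.secure-delivery.example: the brand is only a subdomain of the attacker's domain.
        if brand in subdomain.split(".") or real in subdomain:
            flags.append(f"'{brand}' is a subdomain of {reg}, not {real}")
        # upas-delivery-notice.example, u5ps.com: the brand is inside or near a token of the label.
        for token in normalize(label).split("-"):
            if len(token) >= 3 and (brand in token or edit_distance(token, brand) <= 2):
                flags.append(f"{reg} looks like {real}")
                break
    return {"host": host, "domain": reg, "trusted": False, "flags": flags}


def analyze_oauth(url: str) -> dict:
    """The two checks Jon_HQ's thread recommends: is the authorization page really on
    discord.com, and which domain does redirect_uri hand the grant to?"""
    p = urlparse(url)
    q = parse_qs(p.query)  # parse_qs already percent-decodes the values
    redirect = q.get("redirect_uri", [""])[0]
    page = analyze_url(url)
    target = analyze_url(redirect) if redirect else {"domain": "", "flags": ["no redirect_uri"]}
    return {
        "login_page_is_discord": page["domain"] == "discord.com" and not page["flags"],
        "scopes": q.get("scope", [""])[0].split(),
        "redirect_domain": target["domain"],
        "flags": page["flags"] + [f"redirect_uri: {f}" for f in target["flags"]],
    }


if __name__ == "__main__":
    for sample in ("https://www.usps.com/", "http://upas-delivery-notice.example/track",
                   "https://usps.com.secure-delivery.example/", "https://u5ps.com/"):
        print(sample, "->", analyze_url(sample)["flags"] or "no flags")
    for sample in (LEGIT_OAUTH, SCAM_OAUTH):
        print(sample.split("?")[0], "->", analyze_oauth(sample))
```

Two caveats when using something like this for real. First, for a genuine bot the redirect_uri legitimately points at the bot operator's own domain, so the script reports that domain rather than judging it; the thing that must never be anything other than discord.com is the page that asks for your Discord login. Second, the look-alike check is deliberately aggressive: a brand's own alternate domains (a CDN or regional domain) must be added to TRUSTED or they will be flagged, and the two-label rule needs a public-suffix list before it is used on country-code domains.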
Overall, there are many ways to identify a phishing scam. You simply have to stay alert when a company "reaches out" to you through email or text, and always look for the smallest differences, which can easily be red flags. Most of all, do not give in to the fear they are trying to feed you, and always double-check with the real source.