
Attack Example - Phishing - SMS Based - Smishing

What exactly is Phishing? It smells fishy, sounds like fishing, and it is exactly fishing.

Knowing how social Filipinos are, almost nobody likes being the last to know who is an item in the office, who likes whom, or what successful neighbors are doing to be successful. And so we nonchalantly fish for information about it. That is exactly the core function of Phishing: to gather Personally Identifiable Information (PII), that is, information which can be used to identify individuals.

The most common definition of Phishing you will find online is about trying to solicit your personal information, credit card details, username, and password through email and other electronic means. It does mention other electronic means, but it mostly focuses on email, combined with the somewhat resource- and time-intensive setup of crafting a believable email, purchasing a convincing domain, and building a look-alike online portal of the targeted data/system. Unfortunately, that is not the only implementation of a Phishing Scam. Below is an example of a Phishing Scam using SMS, or, if we are forced to use a term specific to the attack vector, an example of Smishing.

It would be common sense to ask why this is being tagged as a Phishing Scam. Let's dissect this simple message.

  • First, the sender is a plain SMS number and not one of the established 4-digit numbers or special trackable aliases purchased from a Telecommunication Company, e.g. BPI, BDO, etc. A special alias for a number costs hundreds of thousands of pesos, something no phisher will spend unless they are willing to expose far more of themselves than is needed to register an alias for their scam (fraudulent registration in itself exposes them to more risk) or their Return on Investment (ROI) is a hundredfold.
  • Second, Data Integration, Analytics, and Reporting developers, considering the nature of the message, will most likely recommend scheduling SMS sends during the time of day when the target recipient will most likely be able to respond. If you are the type who works late in the evening up to the wee hours of the morning, then most likely the attack is targeted. All the more reason you should mentally flag the message as something not to be trusted, no matter how appealing the "Free Annual Fees" are to you.
  • Third, legitimate banking-related institutions will never ask for personal information over SMS. The sender was asking for "FULLNAME".
  • And last, even if we disregard item 3 in this dissection and assume that banking institutions do this, remember that we briefly tackled the Boundary of Trust in our "The Internet Is Not Safe" post. The owner of the number is not listed in the address book and is not a known number; therefore, do not trust the sender.
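The four checks above can be written down as a simple scoring rule that a user, or an SMS filter, applies to an incoming message. The following is an added example, not code from the original post; the sender-format rule (telco alias or 4-digit short code), the "odd hours" window (22:00 to 06:00), the PII keyword list, the address book, and the sample messages are all constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime

# Constructed address book of trusted senders (assumption, example data only).
KNOWN_SENDERS = {"BPI", "BDO", "+639170000001"}

# Personal information a bank will never ask for over SMS (the post's "FULLNAME"
# plus a few assumed extras).
PII_PATTERN = re.compile(r"\b(full ?name|card ?number|pin|password|cvv|birth ?date)\b", re.I)


@dataclass
class Verdict:
    score: int
    reasons: list = field(default_factory=list)


def is_alias_or_short_code(sender: str) -> bool:
    """Assumed shape of a telco-registered alias ('BPI') or a 4-digit short code."""
    return bool(re.fullmatch(r"[A-Za-z][A-Za-z0-9 ]{1,10}|\d{4}", sender))


def assess_sms(sender: str, body: str, received: datetime, contacts=KNOWN_SENDERS) -> Verdict:
    """Apply the post's four dissection points; each one that holds adds 1 to the score."""
    v = Verdict(0)
    if not is_alias_or_short_code(sender):          # 1. plain subscriber number
        v.score += 1; v.reasons.append("sender is a plain number, not a registered alias")
    if received.hour >= 22 or received.hour < 6:    # 2. sent at an odd hour (assumed window)
        v.score += 1; v.reasons.append("received outside normal hours")
    if PII_PATTERN.search(body):                    # 3. asks for personal information
        v.score += 1; v.reasons.append("requests personal information")
    if sender not in contacts:                      # 4. outside the boundary of trust
        v.score += 1; v.reasons.append("sender not in address book")
    return v


# Constructed samples: a smishing text like the one dissected above, and a benign alert.
SMISHING_SAMPLE = dict(sender="+639998765432",
                       body="You qualify for FREE ANNUAL FEES! Reply with your FULLNAME to claim.",
                       received=datetime(2019, 3, 14, 1, 30))
LEGIT_SAMPLE = dict(sender="BPI", body="Your OTP is 123456. Do not share it.",
                    received=datetime(2019, 3, 14, 14, 0))

if __name__ == "__main__":
    for name, sample in (("smishing", SMISHING_SAMPLE), ("legit", LEGIT_SAMPLE)):
        verdict = assess_sms(**sample)
        print(name, verdict.score, verdict.reasons)
```

A score of 2 or more is a reasonable threshold to distrust the sender; the smishing sample trips all four checks while the benign alert trips none.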

If you have objections about the thought process put into this, feel free to add to our knowledge or contribute an opposing idea through a pingback or a comment down below.

Exception

Understandably, there are legitimate bank employees who will ask you the same question. However, they will most likely transact with you via a phone call. If this happens, the general advice is to never give away your personal information to bank personnel over the phone or any other means; instead, get their identification and schedule a visit to the bank in person to talk about it. Sitting down with bank personnel in uniform, with proper identification, and at the bank's place of business is your only best option.

Consensus Solution

Do not trust the sender. DO NOT TRUST THE SENDER.

Be Part of the Solution

Now that you know about this, help make our citizens more aware of the dangers in electronic communications. Share this post or echo whatever knowledge you gain from this. Thank you!
