Clickjacking, SIM Swapping, and Smishing
As our world becomes more connected, the threat of cybercrime continues to grow, making it one of the largest looming threats for businesses and individuals.
According to Gallup's Annual Crime Survey, 23% of Americans reported being a victim of cybercrime or having a family member who was a victim. Meanwhile, Accenture's Annual Cost of Cybercrime found that cybercriminals targeted small businesses 43% of the time. This presents a major problem for small businesses, who are often unable to afford the types of cybersecurity protections available to larger businesses.
Fortunately, there remain ways for businesses and individuals to protect themselves against cybercrime, but it starts with knowing what to look for. That’s why we enlisted SiteLock Research Analyst Blake Collins to help us sniff out the latest types of cyber fraud and advise our Members on the best ways to prevent fraud.
Clickjacking has technically been around since 2002, and today’s cybercriminals have included it in their go-to toolbox. Also known as a User Interface redress attack, clickjacking is a form of phishing attack that relies on a user unintentionally clicking a link that leads to a malicious outside source.
As its name implies, your click is “jacked” once you’re sent to the external site, which asks for personal data, such as bank account information or your Social Security Number. Other clickjacking attacks may urge you to turn on push notifications, enabling the attacker to track your online behavior.
Collins says that clickjacking is a pretty simple process, despite the enormous danger it poses. “The clickjacker creates an iframe that covers up the button they want you to click,” Collins says. “This might be a cat video, an offer to claim $1,000, or anything that triggers a behavior. But once you click the iframe, you’re actually clicking the button hidden underneath.”
How to Stay Safe
Taking the extra time to understand what you’re clicking is the best defense against clickjacking attempts. If you do find yourself clicking on a link that opens a new website, be wary of entering any personal information.
For those worried that they might be a clickjacking victim, Collins recommends changing your passwords. He also suggests keeping an eye on your social media and email accounts to see if any unauthorized activity took place.
SIM swapping is another cyber fraud technique on the rise, with the US Fair Trade Commission finding a 150% increase in the practice from 2013-2016. SIM swapping allows a criminal to essentially take control of your phone without your knowledge, a dangerous threat in an age where our whole lives are contained within our phones.
The scam begins with the cybercriminal gathering personal information from your social media accounts or a phishing attack. They use this information to bypass your mobile carrier’s security measures. The final step involves transferring your phone number to a blank SIM card in the criminal’s possession.
From this simple set of steps, a criminal has now gained nearly complete control over your phone, enabling them to access your social media account, bank accounts, email, and anything easily accessible from your phone.
How to Stay Safe
Obviously you want to steer clear of a devastating SIM swapping attack. With so much information held on our phones, a SIM swap could result in identity or financial theft.
Battling SIM swaps starts with figuring out a better way to complete two-step authorization, the process by which you reset passwords and verify identity. Typically, two-step authorization is carried out through SMS, which you will lose access to in the case of a SIM swap.
Apps like Google Authenticator, Duo, and Authy provide an extra layer of security connected to your physical device rather than your phone number. Even better is YubiKey, a small USB device used for authentication that fits on your keyring.
If you think you may have become a SIM swapping victim, be vigilant about your social media, email, and bank accounts. If your phone stops working or you’re no longer able to send SMS messages, contact your mobile carrier immediately to report the fraud.
In the past, cybercrime has mainly focused on websites, email, and other online activities. But cybercriminals have increasingly spread their reach through text messages. Smishing is a form of phishing attack intended to trick you into providing private information via SMS message.
A typical smishing attack involves sending links purporting to come from your financial institution. The link is often accompanied by a frantic message requiring an immediate response, such as a notice of money stolen from your account. In this case, once you click the link, you’re led to a replica site of your financial institution and asked to input personal information.
How to Stay Safe
We’ve become conditioned to think that text messages are safer than websites and emails, making smishing an especially tricky form of fraud. But when you add critical-sounding messages, you’d be surprised how easily criminals can persuade us to give away our most personal details.
Collins advises users to always be skeptical of text messages containing links. This is especially true if the message comes from a number you don’t recognize. If you’re concerned about the message and need to verify whether it’s real or fake, try contacting the organization directly. Most financial institutions, including Vantage West, will never request personal information by text.