
Avoiding Phishing, Spearphishing, and Catfishing Scams

I get a text, call, or Facebook message almost daily from some odd party, asking how I'm doing, or even being brazen enough to kick off with "I need you to send money to this account." Sometimes it's the predictable Amazon customer returns, trying to get me to provide a credit card. About a week ago, it was a guy yelling at me that the electricity at some property I have in Georgia was about to be cut off if I didn't provide a credit card right then to settle up on back due moneys. This was supposedly from the company that provides electricity to my house in Minneapolis, calling about undeveloped property (and so no electricity) in the wrong state. They did research, so they knew the company I pay for electricity and that I had property in Georgia - but they just kinda' missed the mark. The guy yelled and cussed that I could go to jail for not paying my bills. It was actually intense. It's a false sense of urgency they're trying to create. It's just regrettably become a part of the digital modern lifestyle.



Last night something new happened - someone impersonating me texted at least three people I know and said hi from me. Luckily for my friends, they didn't exactly sound like me. They sent the text from a number in a different area code than I'd almost ever be in. They signed the message with my first and last name. They used poor grammar (although in their defense, I frequently do as well, but in a very different way). In short, the messages just didn't look authentic. And they weren't.


The internet offers a vast ocean of information and connection, and it can make us far more productive. But lurking beneath the surface are threats designed to steal personal information, money, or even your identity. It's always been that way. Keep in mind, the Internet was built to connect scientific researchers to one another so they could exchange information. It was, from the very beginning, permissive. Early accounts of computer security, like Cyberpunk by Katie Hafner and John Markoff (1991) or The Hacker Crackdown by Bruce Sterling (1992), describe hackers who primarily worked by guessing weak passwords. Most scams still use the same social engineering techniques, now 30+ years old, to trick people into giving up their credentials, just en masse.


In other words, the attacks aren't incredibly sophisticated, or really technical, in nature. Instead they're just like the phone call mentioned earlier: they might come with a little background information (like appearing to come from someone you work with, which is publicly available information on LinkedIn). Sometimes they're just massive email campaigns that target nearly every address on a given domain (e.g. a directory harvest attack). It's all so common that we've now begun to classify some of it, where we used to just lump a lot of it under the term "social engineering."


Phishing, spear phishing, and catfishing are all deceptive tactics online predators use to exploit unsuspecting victims. Understanding the differences between them, and actually classifying them, lets us isolate the tactics that turn a target into a victim, and avoid them. That kind of deeper thinking is much easier within a framework. Let's classify the threats:


  • Phishing: This is the most common type of online scam. Phishing emails or messages (text messages, social media DMs) try to trick the receiver into clicking on malicious links or attachments. These can lead to fake websites designed to steal your login credentials, credit card information, or other sensitive data. Phishing messages often try to create a sense of urgency or impersonate legitimate organizations (banks, credit card companies, etc.) to pressure the recipient into acting quickly without thinking critically. One of the best protections against a pure phishing attack is to use passkeys on sites where available, because a passkey is bound to the real site and simply won't work on a dummy site.

  • Spear Phishing: A more targeted version of phishing, spear phishing emails are crafted specifically for an individual victim. Attackers might gather information about a victim through social media or data breaches, then use that information to create a more believable email. For example, they might impersonate a boss, friend, or family member, sending an email with a seemingly urgent request to trick the person into clicking on a malicious link. Passkeys will help if that link is a fake login site. Another protection against this type of attack, and against phishing attacks that attempt to load malware, is the built-in browser warning for known malicious sites. Another is, of course, a good anti-malware or threat-hunting software package. At the enterprise level, it also helps to use a suite of security tools, including technologies like a ZTNA. But it all starts with user education: look at links before clicking on them.

  • Catfishing: This deceptive tactic involves creating a fake online persona to lure someone into a relationship. Catfishers often use stolen photos and fabricated stories to build trust with their victims. Sometimes it's a text from someone pretending to be me, even! Their goal might be emotional manipulation, financial gain, or even gathering personal information for identity theft. The only real way to avoid these kinds of attacks gets back to user education. There's little difference between this and other types of fraud or manipulation previously done in person or over land lines. It's a grift probably as old as a time when there were enough humans that .


Now let's cover some ways to protect yourself from these social engineering scams:


  • Beware of Unfamiliar Senders: Be wary of emails or messages from senders you don't recognize. Don't click on links or attachments from unknown sources. This includes texts from the wrong phone number!

  • Verify Sender Legitimacy: Beware of any message with a link, including those that appear to be from a legitimate organization (bank, credit card company, etc.). Don't click on any links within the message. Instead, log in directly to the organization's official website (by typing the web address yourself) and check the account information there.

  • Spot the Red Flags: Phishing attempts often contain red flags. Look out for:

    • Generic greetings: Emails with a generic greeting ("Dear Customer") instead of your name are a red flag. That said, messages that use a real name aren't hard to craft, as anyone who has used Salesforce with one of its many data plugins, or HubSpot, knows.

    • Poor grammar and spelling: Legitimate companies typically have good grammar and spelling in their communications. This is one of the ways the Lazarus group lost out on money they were trying to launder after they hit the national bank of Bangladesh. All it takes is one person spotting a spelling mistake to stop the inappropriate transfer of millions of dollars (or $20; it's still victimizing).

    • Urgency and Pressure: Phishing emails often try to create a sense of urgency or pressure to trick the receiver into acting quickly without thinking critically. Never transfer money or give up credentials when there's a false sense of urgency. Further, don't do that for in-app purchases in games either! It's a different kind of grift, but still totally a grift (just watch any movie about con jobs)!

    • Suspicious Links: Hover the mouse over a link before clicking. The actual destination URL might be different from what is displayed in the text. That's a huge red flag, and most mail apps should block it anyway, but they kinda' don't always.

  • Don't Share Personal Information: Never share your personal information (passwords, credit card details, social security number) through email or unsolicited messages. Legitimate companies won't ask for this information via email.

  • Be Wary of Online Relationships: Catfishing thrives on trust-building. Be cautious of online relationships that develop quickly or seem too good to be true. Avoid sharing personal information or sending money to strangers whose identity can't be verified (like that "representative" from the electricity company). Anyone legitimately asking for financial data will be happy to have you call their main number and provide the details there (and don't trust the number they give you; look it up independently).

  • Use Strong Passwords and Multi-Factor Authentication (MFA): Use strong, unique passwords (or better, passkeys) for online accounts and enable multi-factor authentication whenever possible. This adds an extra layer of security to prevent unauthorized access even if your password is compromised. If the site doesn't offer MFA, some secret managers, like Secret Chest, can provide that added layer of security before giving up the password from the secret manager database.
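The "Spot the Red Flags" checklist above is exactly the kind of thing a mail filter can do mechanically: look for a generic greeting, look for urgency language, and compare the host a link's visible text claims against the host its href actually points to. The script below is an added example written for this post, not code from the original page or from any mail product it mentions; the sample message, the greeting and urgency word lists, and the `example`/`example.net` domains are all constructed for illustration.

```python
"""Check an HTML email body for the red flags discussed above.

Added example; SAMPLE_HTML and the keyword lists are constructed, not taken
from any real message or product.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: generic greeting, urgency language, and a link whose
# visible text names one site while the href goes somewhere else entirely.
SAMPLE_HTML = """<html><body>
<p>Dear Customer,</p>
<p>Your account will be suspended in 24 hours unless you verify immediately.</p>
<p><a href="http://login-verify.example.net/acct">https://www.examplebank.example/login</a></p>
<p>Regards, The Security Team</p>
</body></html>"""

GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder", "valued customer")
URGENCY_PHRASES = ("immediately", "within 24 hours", "suspended", "act now", "urgent", "final notice")
# Visible link text that looks like a URL or bare domain (so it makes a claim about the destination).
DOMAIN_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/.*)?$", re.IGNORECASE)


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs plus the plain text of the message."""

    def __init__(self):
        super().__init__()
        self.links = []        # list of [href, visible text]
        self.text_parts = []
        self._current = None   # link currently being read, if any

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]
            self.links.append(self._current)

    def handle_endtag(self, tag):
        if tag == "a":
            self._current = None

    def handle_data(self, data):
        self.text_parts.append(data)
        if self._current is not None:
            self._current[1] += data


def host_of(url):
    """Lowercase host of a URL; bare domains in link text have no scheme, so add one."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def site_of(host):
    """Crude registrable-domain approximation (last two labels), so www.x.example == x.example.
    Good enough for the demo; a real filter would use the public suffix list."""
    return ".".join(host.split(".")[-2:])


def mismatched_links(links):
    """Return (shown_host, actual_host) for links whose text names a different site than the href."""
    out = []
    for href, text in links:
        shown = text.strip()
        if DOMAIN_LIKE.match(shown) and site_of(host_of(shown)) != site_of(host_of(href)):
            out.append((host_of(shown), host_of(href)))
    return out


def red_flags(html):
    """Return a list of human-readable red flags found in an HTML email body."""
    parser = LinkExtractor()
    parser.feed(html)
    text = " ".join(parser.text_parts).lower()
    flags = []
    if any(text.lstrip().startswith(g) for g in GENERIC_GREETINGS):
        flags.append("generic greeting")
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        flags.append("urgency: " + ", ".join(hits))
    for shown, actual in mismatched_links(parser.links):
        flags.append(f"link text shows {shown} but points to {actual}")
    return flags


if __name__ == "__main__":
    for flag in red_flags(SAMPLE_HTML):
        print("-", flag)
```

The link check is the interesting part: it only fires when the visible text itself looks like a URL or domain, because that is when the text is making a claim the href can contradict. Plain "click here" links get no verdict from this rule; that is where hovering (or a mail client that shows the real destination) still matters.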


By classifying some of these online threats, we can think more deeply about how to prevent them. Following these tips significantly reduces the risk of falling victim to phishing, spear phishing, and catfishing scams. Remember, if something seems too good to be true online, it probably is. Always be cautious, verify information, and never hesitate to report suspicious activity to the relevant authorities. Stay vigilant, and look for further innovations in tools like ours as we continue to ponder this problem space and try to keep making it more and more secure without adding much friction to the experience (which would eat into the productivity increase this is all here to give us).
