By Frank Artusa
This month New Yorkers were blanketed with scam text messages demanding payment of unpaid tolls. Another growing text-based scam begins with a message from a “wrong number”; the scammer then tries to strike up casual conversation, befriend the victim, and steal information. Perpetrators are using increasingly sophisticated and deceptive techniques like these to trick people into handing over access to their most valuable data.
In recent years phishing, smishing, and vishing have become three of the most common attack vectors, among a dizzying array of others, for compromising personal identifiers, valuable data, mobile phones, and computers. In 2024, the Federal Trade Commission reported $12.5 billion in fraud-related losses suffered by the American public, with identity theft and imposter scams comprising two of the top three categories.
Phishing is a scam in which an attacker sends an electronic communication, usually an email, attempting to gain access to financial accounts or other protected data, typically by getting the victim to click a link or enter personal information into a fake website. Variations include vishing, carried out over a voice call, and smishing, a deception attempt via text message. These are just a few of the common types of attack, and it is becoming quite a challenge to discern truth from deception.
In enterprise cybersecurity, a best practice for keeping attackers out of networks is a “default deny” approach: block all access to business systems unless it is explicitly permitted via an allow list. Applying the same principle to personal devices and accounts also helps stop the bad guys, by treating every communication from an unknown number or email address as denied unless you have independently verified it.
When an email arrives from an entity purporting to be a financial institution and requesting personal information, never respond. Deny the solicitation by default and call the institution directly to verify the request, using the phone number printed on your card or statement, never a number or link contained in the message. With a text message from an unknown number, stop the smishing attempt by not responding and deleting the message; if it claims to come from a company you do business with, contact that company through a phone number or website you already know rather than the number that sent the text. Never click on links in unsolicited messages.
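To make the default-deny rule concrete, here is a small Python triage routine written for this edit (example code, not part of the original column). The allow list of verified contacts, the sample messages, and the keyword and link patterns are all constructed for the example. A sender is matched on its normalized phone number or its actual email address, never on the display name, because the display name is attacker-controlled; and even a message from an allowed sender is routed to out-of-band verification when it contains a link or asks for sensitive data, since a known number or address can itself be spoofed.

```python
import re
from dataclasses import dataclass

# Constructed allow list of verified contacts (example data, not real numbers):
# phone numbers in E.164 form and exact email addresses. Anything not listed
# here is denied by default.
ALLOWED_PHONES = {"+12125550100", "+13105550155"}
ALLOWED_EMAILS = {"alerts@examplebank.com", "sister@example.net"}

# Heuristics for content that warrants verification even from a known sender.
URL_RE = re.compile(r"https?://\S+|www\.\S+|\b[\w-]+\.(?:com|net|org|gov)\b", re.I)
SENSITIVE_RE = re.compile(
    r"\b(?:password|passcode|pin|ssn|social security|account number|"
    r"verification code|one-time code|gift card)\b", re.I)


@dataclass
class Message:
    channel: str  # "sms", "email" or "voice"
    sender: str   # sender string exactly as the device displays it
    body: str


def normalize_phone(raw):
    """Reduce a displayed phone number to E.164; assumes a US number when no
    country code is present. Returns None for short codes or alphanumeric
    sender IDs, which cannot be checked against the allow list."""
    digits = re.sub(r"\D", "", raw)
    if raw.strip().startswith("+") and len(digits) >= 11:
        return "+" + digits
    if len(digits) == 10:
        return "+1" + digits
    if len(digits) == 11 and digits.startswith("1"):
        return "+" + digits
    return None


def normalize_email(raw):
    """Take the address out of 'Display Name <addr>' and lower-case it. The
    display name is never used for matching: it is attacker-controlled."""
    m = re.search(r"<([^>]+)>", raw)
    addr = m.group(1) if m else raw
    return addr.strip().lower()


def triage(msg):
    """Default-deny triage. Returns (decision, reason) where decision is
    'deny', 'verify' or 'allow'."""
    if msg.channel == "email":
        known = normalize_email(msg.sender) in ALLOWED_EMAILS
    else:
        known = normalize_phone(msg.sender) in ALLOWED_PHONES
    if not known:
        return "deny", "sender not on the allow list; do not reply or click"
    if SENSITIVE_RE.search(msg.body):
        return "verify", "asks for sensitive data; confirm on a number you already have"
    if URL_RE.search(msg.body):
        return "verify", "contains a link; reach the site by typing an address you know"
    return "allow", "known sender, no link or data request"


# Constructed sample traffic modelled on the scams described in the column.
SAMPLE_MESSAGES = [
    Message("sms", "1-888-555-0142",
            "Final notice: unpaid toll balance. Pay now at tollpay-ny.com"),
    Message("email", "ExampleBank Alerts <alerts@examp1ebank.com>",
            "Unusual sign-in. Confirm your account number here."),
    Message("sms", "(310) 555-0155",
            "Hey it's me, can you read me the verification code you just got?"),
    Message("sms", "+1 212 555 0100",
            "Photos from the weekend: https://example.net/album"),
    Message("email", "alerts@examplebank.com",
            "Your monthly statement is ready in online banking."),
    Message("sms", "12345", "Wrong number? Anyway, nice to meet you :)"),
]


def triage_all(messages):
    """Apply triage to each message; returns the list of decisions in order."""
    return [triage(m)[0] for m in messages]


if __name__ == "__main__":
    for m, decision in zip(SAMPLE_MESSAGES, triage_all(SAMPLE_MESSAGES)):
        print(f"{decision:6s} {m.channel:5s} {m.sender!r}: {triage(m)[1]}")
```

Note that the lookalike address in the second sample (`examp1ebank` with a digit one) is denied purely because it is not on the allow list; the filter never has to recognize the trick, which is the point of default deny. The short code in the last sample is denied for the same reason: a number that cannot be verified is treated as unknown, and any genuine request behind it can be confirmed through a channel you already trust.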
Vishing scams, which historically were simple phone calls from someone trying to persuade the victim to reveal valuable information, have unfortunately evolved: attackers now scour social media for the names of family members, obtain samples of their voices through pretext phone calls, and then tailor a targeted scam using an artificial “deepfake” call that impersonates the family member. Here too, protection comes from denying the caller from the outset and calling that family member or friend back on a number you already have to verify.
Retirees are particularly vulnerable: they are less likely to be kept aware of the evolving cyber-criminal landscape through workplace training programs, and they are more accustomed to trusting historically dependable methods of communication such as a basic voice phone call. The sad truth is that a high level of skepticism toward all communications is necessary to combat these threats and protect important financial and personal data, in both personal and professional settings. If any communication or correspondence is unusual, opt for a default deny approach.
Individuals who are victimized should contact the affected financial institution immediately to report the incident and prevent further monetary damage. Concerns about stolen identity can be addressed by following the steps at www.identitytheft.gov. Unfortunately, cyber-criminal investigations can be quite challenging because most incidents have an international nexus; nevertheless, reports should be made to your local police department and to the FBI’s Internet Crime Complaint Center at www.ic3.gov.
Frank Artusa is a current cybersecurity professional and retired FBI Special Agent.