.svg){kind=small}
.svg){kind=small}
.svg){kind=small}
.svg){kind=small}
.svg){kind=small}
What is Trap Phishing?
Trap phishing is a phishing attack that aims to lure victims into clicking malicious links or attachments. It differs from traditional phishing attacks because it leverages the trust between the recipient and a person or brand that the recipient knows by pretending to be that entity. The attacker typically provides false information or presents a webpage or social media account that looks legitimate, essentially setting a trap for the victim.
This article explores the different types of trap phishing and the best practices you can deploy to avoid becoming a victim of such an attack.
Tips to avoid trap phishing
We summarize some tips to prevent trap phishing attacks.
Types of trap phishing
Below are five types of trap phishing that use different communication channels to lure victims.
Email phishing
Attackers create emails that look to be from genuine companies or individuals, copying everything from the email's design to the language used and urging victims to click a link or download an attachment. Attackers spoof anyone the victim might have a relationship with, from popular companies to celebrities to the CEO of their organization.
Vishing
In Vishing attacks, attackers call victims purporting to be representatives of genuine companies or individuals, urging victims to provide personal information or make a payment. They try to sound legitimate and may have collected information about you from social media profiles to enhance their legitimacy.
Social media phishing
In social media phishing, attackers create fake social media accounts that look to be the accounts of genuine companies or individuals. The attackers then post links to fake websites or malicious downloads controlled by the attackers.
Content injection
Attackers inject malicious code into a legitimate website, unknown to website owners and users. The injected malicious code enables the attackers to redirect site visitors to a duplicate, malicious site or collect personal information the victim thinks they are providing to the legitimate website.
An example of content injection is a watering hole attack. In a watering hole attack, an attacker identifies a website that many people at a target company frequent. Then, the attacker injects malicious code into that website due to the high likelihood that someone at the target company falls for the trap.
SMS/Text Phishing
Attackers send fake text messages that look to be from genuine companies or individuals. Like email phishing, attackers attempt to copy as much as they can from the brand they're spoofing, including wording, brand names, and look-alike domain names urging victims to click a link to visit a fake website or provide personal information.
An example of SMS/text phishing is if you receive a text purporting to be from your bank alerting you to some suspicious activity on your account. The text includes a link to click on to verify your details. The link directs to a website that looks like your bank but is in fact, controlled by the attacker. As a result, you may inadvertently hand over login credentials, personal information, or credit card details to the attacker.
Trap phishing example
Let's go through an example of a trap phishing attack step by step. In this scenario, an attacker tries to get the victim to provide a multi-factor authentication token so they may access the victim's bank account. Unfortunately, in this example, they have already obtained the victim's access card number from a data breach.
Step 1: The initial contact
The victim receives a phone call from what appears to be a legitimate representative of the victim's bank, notifying them of an urgent matter that requires their attention. To add to their legitimacy, the attacker mimics the scripts, everyday phrases, and answers to standard questions the bank would typically use. They also use information researched from the victim’s social media for “additional authentication,” like your city of birth, highschool, Mother’s maiden name or other data that is easy to scrape from a social media profile.
Mimicking the same scripts as the bank makes the attacker sound more legitimate. Researching their victim allows the attacker to personalize the attack (such as asking personal questions for identity verification) and answer some of the victim's questions with legitimate-sounding answers to again appear legitimate.
Step 2: Conveying the problem
The attacker presents a time-sensitive problem or opportunity with undue urgency to the victim. In this scenario, there has been some fraudulent activity on their bank account. The attacker may have even researched here to find a fraudulent activity event that would seem plausible to the victim, such as at a store or restaurant they were at recently or frequently (and posted about on social media) or a popular store or restaurant in their city.
Step 3: The problem remedy
The attacker attempts to go through as much of the usual script the bank would go through as not to tip off the victim. The lead-up to the request for information could be a short or hour-long phone call - it doesn't matter to the attacker; they're in it for the long haul.
When nearing the end of the call, after the attacker feels they have provided enough legitimacy, they tell the victim that their bank account will be locked, the money lost to the fraudulent activity refunded, and a new access card sent to them, but only if the victim can provide a multi-factor authentication code.
Step 4: The collection of information
The attacker requests that the victim provide the multi-factor authentication code from their authenticator app, a text message or app prompt initiated by the attacker attempting to log in to their bank account over the phone.
Step 5: The next attack
Now that the attacker has the victim's multi-factor authentication code, the attacker logs in to the victim's bank account and completes the next attack.
It could be to change the login details and phone number to that of the attacker, transfer money or contact the bank to sign up the victim for other services, such as loans or a mortgage, using the information in the bank account to sound legitimate to the bank.
How to protect yourself from trap phishing scams
We explain some essential precautions to avoid becoming a victim of trap phishing scams.
Check for legitimacy
Some questions you can ask before you respond to an email or phone call requesting data:
- Would a brand typically email from this email address?
- Would the brand or service call you personally regarding this topic?
- Would the brand or service representative call you from that particular number?
- Would this person commonly call you with this type of request?
Like a regular phishing email, if your answer to questions like these is a no, then this request is probably not legitimate, and you should not respond.
Beware of urgency
How urgent is the request? Like any phishing email, whatever the request may be, if it needs a resolution that instant, or if a solution is more critical than validating the legitimacy of the request, it's likely malicious.
Avoid clicking links
Avoid clicking on the links or downloading the attachments in emails or messages that seem suspicious, even if they appear to be from a source known to be trusted. Instead, use bookmarks or links elsewhere that you know you can trust and reach out to trusted contacts over a different medium that you trust (such as a phone call using the phone number on a trusted website if you received an email) to ask about the validity of any attachments. In addition, report such attachments or links to the security or IT department so that they can evaluate their legitimacy.
Avoid providing sensitive personal information
One of the goals of phishing emails is to collect personal information. Avoid providing sensitive personal information, mainly if the individual or brand does not generally communicate with you this way or if the information requested is above and beyond what you'd typically expect the individual or brand to require.
If it's legitimate that they would need sensitive personal information, check on a trusted website whether they have a standard way of collecting this information and if it differs from the request you received.
Be aware of what you share on social media
Attackers can use the details on your social media accounts to personalize and tailor their attack to you to make it appear more legitimate. Restrict access to your social media profiles to only the people you know, and be conscious of what information you're sharing on social media. One piece of information may not seem confidential or sensitive, but if an attacker combined that information with other information on your profile, could it reveal something personal or sensitive?
Enhance account security
Multi-Factor Authentication (MFA) or 2-factor authentication adds an additional layer of security to your accounts by requiring you to provide another form of verification in addition to your first form (your password), such as a token. Even if an attacker collects your password, they cannot log in because of the missing second factor. Even though they have your password, they would still need that additional form of verification in addition to your password.
Of course, this doesn't mean you don't have to create unique passwords! Each username and password combination you make should have a strong and unique password. Having unique passwords also limits the damage and recovery effort. If an attacker does get one of your passwords, they can't use the same username and password combination to log in elsewhere. You only have one password to change instead of many. Consider a reputable password manager like Bitwarden to help you generate and securely store your passwords.
Educate yourself
Avoid learning about new phishing techniques by falling for them! Educate yourself on identifying legitimate vs. non-legitimate emails, messages, phone calls, and attackers' common phishing techniques. Attackers are getting better and changing their tactics each day. Keeping up-to-date on common phishing techniques and tactics ensures you know what to look for.
Report suspicious activities
If you receive an email, message, or phone call that you believe to be a phishing attack, report it to the relevant authorities, such as your workplace or the company or individual the communication purportedly came from. While reporting an attack may seem insignificant if you've received only one email, message, or phone call, it can still benefit the company or individual because it raises awareness of the attack. If it is widespread, it can help them prevent others from falling victim.
Ensure you report the suspicious message, email, or phone call through a different medium than the one you received. Otherwise, since the attacker controls the communication medium you received the suspicious message on, you could end up communicating directly with the attacker instead of the company or individual, and your notification would go unnoticed.
Ensure devices are kept up-to-date
Keeping your devices and software up-to-date ensures that any security updates to patch vulnerabilities are applied. In addition, minimizing any vulnerabilities an attacker exploits could save the day if you click a link or open an attachment and then realize it was a phishing attack.
When In Doubt
If you’re not sure whether an email or text you’ve received is legitimate or not, contact the person or company through a medium that you know is good to confirm. Examples of a known good medium would be the phone number found on your bank statement or at the back of your credit card, or the customer support email address you’ve used in the past.
Conclusion
Trap phishing is a phishing cyber attack that aims to lure victims into clicking malicious links or attachments to steal passwords, hijack accounts, or set them up for future attacks. Trap phishing differs from traditional phishing attacks because it leverages the trust between the recipient and a person or brand by pretending to be that entity and using a fake webpage or social media account.
You can keep yourself secure and avoid becoming a victim of trap phishing attacks by checking for signs of legitimacy, being aware of the urgency, avoiding clicking links, avoiding providing personal information, being aware of what you share on social media, using MFA and unique passwords, educating yourself on phishing attacks, reporting suspicious activities and ensuring your devices are kept up-to-date.