Allure Security Navigation Logo

Identity Theft: From Phishing, to Smishing, to Vishing


Your Internet persona, or digital identity, is of great value and constantly sought after by hackers, scammers and fraudsters. Believe it or not, your risk begins as soon as you are born. That’s right, your birth certificate is the first Personally Identifiable Information (PII): the birth certificate, issued by an authorized hospital, recorded by a government agency, that forms your “foundational identity.”

Foundational identities establish who you are, at least in the eyes of the government who grants rights and privileges based on them. From that point, governing bodies issue a number of “functional identities” like your driver’s license issued by a state who has tested whether you can operate a vehicle, retirement benefits (social security numbers), ability to travel abroad (passport numbers), or buy beer legally.

The longer you live, the more complex your identity becomes – both philosophically and digitally. Your actions online and off produce an abundance of PII. Every time you open a new account or credit card, a new functional identity gets created; and that PII can then be used to establish other accounts. PII is essentially a link to your transaction history held by credit bureaus, who analyze this data to rate your ability to repay. PII largely links your functional identity with your foundational identity. PII is the key to creating additional functional identities by a process that verifies that you are who you say you are.  

While this wealth of personal data opens up opportunities for the individual, it also creates a tempting attack surface for fraudsters. With stolen PII, a fraudster has the tools to effectively impersonate you and gains access to all the rights and privileges of your identity. 

Credentials: the Keys to Your Identity

Right now, the best protection you have against identity theft is the lowly password, or credentials, and perhaps secondary authentication. Biometric credentials have been widely used to unlock phones, but the technology isn’t sufficiently accurate to be widely deployed elsewhere. In the war against cybercrime, the password is woefully inadequate.

There are no eyes on the internet (not yet), so credentials are easy for fraudsters to steal and masquerade as legitimate entities. The process of verifying identities online is largely broken, and many cybersecurity researchers are working to create a better infrastructure in order to thwart identity theft by relying upon advanced cryptographic technologies. For example, the W3C organization issued a proposal for a new infrastructure to verify credentials. A number of organizations are proposing blockchain-based technologies for verifiable credentials.  These proposed technologies indeed will make it harder (but not impossible) for fraudsters to easily steal credentials. However, none of these new technologies take into account the human factor. The reality is, users will still be in the loop, and therefore they can still be tricked into revealing their secrets. 

Fraudsters steal identities by stealing credentials; it is their business. And they do it by tricking people to hand over the credentials themselves. A fraudster needs to reach out to a user who provides their password simply by keyboarding it. Easy.

They deceive users by presenting themselves as a legitimate entity the user knows or trusts. This works effectively if they can reach the user directly.  A simple internet search provides many ways to reach many users. 

The Many Flavors of Phishing

The primary means of communicating with users is via Phishing emails that look like a legitimate message from a trusted entity. The URL links embedded in these messages herd the user to a bogus but realistic-looking website of the trusted entity. The spoof website is convincing enough to deceive the user into entering their password. 

The problem has grown so pervasive that many email providers have deployed filtering technologies to reduce this large-scale abuse. How do fraudsters respond? They simply move on to new territory with fewer obstacles to reach their victims. 

If emails won’t get the job done, fraudsters can send bogus SMS messages that deliver URL links for the same purpose as phishing emails. This is known as Smishing, and it’s on the rise, largely due to a lack of defense deployed by text messaging providers. But in time Smishing, too, will be filtered, just like email. This will force fraudsters to improve their game and move to other attack vectors, such as spoof voicemails. 

Vishing is becoming far more common and effective in deceiving users, although perhaps a bit harder to scale for the fraudster since they generally need a human to conduct the voice communication scam. 

Regardless of the vehicle–phishing, smishing or vishing–fraudsters masquerade as a known entity, deceiving the user who believes they are communicating with a business they trust, and they reach the victim user by any means, email, text or voice. What can we do about this?

Training people to be vigilant might reduce the success of fraudsters in stealing credentials and identities. But too many people still get tricked, especially as attackers become ever more sophisticated. Phishing emails and websites of the past were easy to spot, but the new generation of attackers have refined their skills; bogus emails and websites look nearly indistinguishable from the real ones.  No amount of training to be vigilant will do the job. 

Filtering phishing emails is common for modern large corporations who run vendor security systems, but these techniques aren’t generally available to most users. 

Early Detection of Web Spoofing: The Best Defense

The best strategy is to identify the phishing sites via the spoof URLs delivered to the victim. That’s something that can be done automatically and very quickly with the right techniques. Shutting down the phishing sites before they have been live for very long will provide the best protections from successful identity theft. No amount of user vigilance will be needed to identify phishing sites if we rapidly detect these sites as soon as they show up online. 

Contact Allure Security today to find out how our solution detects spoof sites in real time. If you would like our security team to investigate a suspicious website, visit our online portal to report a site.

Post Date