Phishing: Don’t Let FOMO Kick You Into a FIFA World Cup Scam


Cybercriminals know many of us have FOMO, and they take advantage of major events to trick us into handing over sensitive information. Lomy Ovadia, SVP R&D at IRONSCALES, discusses how to protect yourself against phishing scams and texts designed to gain access to your user credentials, bank account numbers, and other sensitive data.

With depressing regularity, scammers are taking advantage of the latest major event hitting the headlines around the world today. They see the three million soccer fans looking to buy tickets to this year’s FIFA World Cup 2022 as one thing only: three million possible meal tickets. Already, the threat actors are hard at work, clogging the internet and mobile networks with a deluge of emails and text messages claiming to be from World Cup organizer FIFA and offering hard-to-come-by tickets for sale. Don’t fall for it, because the messages are the latest iteration in long-running phishing scams.

Cybercriminals commonly use phishing emails and texts to gain access to your user credentials, bank account numbers, and other sensitive data. As is the case with the World Cup – taking place in Qatar from November 20 through to December 2022 – cybercriminals often take advantage of major events dominating social discourse while offering something everyone wants but which is in short supply. In other words, the social engineering of tricking you into handing over that sensitive information is combined with that other aspect of our psyche which comes to the fore: FOMO, or Fear of Missing Out.

Be assured. In all phishing cases, missing out is far preferable to losing your money.


How Phishing Works

For those unfamiliar with the technique, phishing is a scam where criminals send out emails (and sometimes text messages) masquerading as a reputable company. In this case, the phishers pretend they are FIFA or representatives of FIFA. The emails are dressed up to look legitimate, with ‘official’ logos and sometimes even decent language and a seemingly reasonable offer. However, on close examination, you’ll find discrepancies: the address from which the email was sent, and especially the web addresses it tries to send you to, won’t align with legitimate ones.

The scam kicks into gear when you click on those links. They will often redirect you to a site that looks similar but (again) has a weird or insecure web address. The email and the site entice you into entering card or bank details, ostensibly for ticket purchases – but there are no tickets, just a fraudster harvesting your information and likely using it for an instant shopping spree if you hand over the data.

There are multiple variations on the phishing theme, including ‘spear phishing,’ where specific companies or groups are singled out for a targeted attack (FIFA scams potentially fall into this category), ‘whaling,’ where a specific high-ranking person is targeted, and ‘smishing,’ which is the text-message technique.

Phishing attempts often increase during major events like the World Cup because scammers are smart and know that when FOMO kicks in, people drop their guard. We all do it. We get excited, we get distracted, we get a little bit gung-ho and greedy, and we’re less skeptical of the emails hitting our inboxes.

Protection Begins with Awareness

If you’ve read this far, you’re well on the way to better protection from phishing. That’s because the first step is awareness. Knowing what’s happening and the mechanisms behind it all raises your guard. When an unsolicited email offers something that seems too good to be true…well, it probably is. Even when an email comes from a company you know and trust, be wary if you were not expecting it. Always look for telltale signs of something untoward, like slightly off spelling, an odd sender address, unusual links, or complex domains.

Phishing emails often urge you to take immediate or time-sensitive actions: ‘CLICK NOW OR THE TICKETS WILL BE GONE!’ This further works on your FOMO buttons; don’t fall for it, don’t click on any links or attachments, and don’t reply with any personal information.
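
The telltale signs described above (a sender address and link hosts that do not align with the legitimate ones, an insecure web address, link text that shows one domain while pointing at another, and an urgent call to action) can be checked mechanically. The Python below is an added example, not code from the article or from IRONSCALES; the trusted-domain set, the function names and the sample message with its .example hosts are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlsplit

TRUSTED = {"fifa.com"}  # assumption: domains you already know to be genuine
URGENCY = re.compile(r"\b(click now|act now|will be gone|last chance)\b", re.I)
DOMAIN = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)
# Simple anchor matcher, enough for this sample; a mail filter would use an HTML parser.
ANCHOR = re.compile(r"<a\b[^>]*\bhref\s*=\s*[\"']([^\"']*)[\"'][^>]*>(.*?)</a>", re.I | re.S)

# Constructed sample message; the .example hosts are placeholders.
SAMPLE = """From: FIFA Tickets <tickets@fifa-tickets.example>
Content-Type: text/html

<p>CLICK NOW OR THE TICKETS WILL BE GONE!</p>
<a href="http://fifa.com.tickets-sale.example/buy">www.fifa.com/tickets</a>
"""

def is_trusted(host):
    """True only for a trusted domain or one of its subdomains."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED)

def telltale_signs(raw):
    """Return the discrepancies found in one raw e-mail message."""
    msg = message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    signs = []
    sender = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2]
    if not is_trusted(sender):
        signs.append(f"sender domain not trusted: {sender}")
    for href, shown in ANCHOR.findall(text):
        url = urlsplit(href)
        if url.scheme != "https":
            signs.append(f"link is not HTTPS: {href}")
        if not is_trusted(url.hostname):
            signs.append(f"link host not trusted: {url.hostname}")
            m = DOMAIN.search(shown)
            if m and is_trusted(m.group(0)):
                signs.append(f"text shows {m.group(0)}, link goes to {url.hostname}")
    if URGENCY.search(text):
        signs.append("urgent call to action")
    return signs
```

Note that the link host in the sample begins with fifa.com but belongs to a different domain; the check compares the end of the host name, which is the part that decides who controls the site.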

There’s some simple advice here, too, which applies for ANY email you suspect of being a phishing attempt: If in doubt, check it out. Go to the company website (by typing it into your browser, NOT via links in the email) and call or email them on a phone number or email address you know to be real.

And if you’re in charge of other people accessing the internet using company computers, consider training and education core components of your phishing prevention strategy, combined with simulated phishing attempts which show who in your organization is ‘phish-prone’, so they can benefit from targeted support. Sure, firewalls and other technological measures keep some or even most spam at bay. But phishers are sophisticated, they know what the defenses are and they constantly adjust and amend their attacks to get past these measures. 

Stick to Authorized Channels

While it’s FIFA today, it’s the World Series tomorrow. There are bad guys out there, and they will take advantage of every major event. If the FOMO is strong – and we’ll be the first to admit it is – get your tickets or any other goods, whether sporting or otherwise, through legitimate channels. The final bit of social engineering at play in this scam, and many like it, is our propensity to think we’re being ripped off and that we can cut a better deal.

Phishers exploit this mindset, leaving you with no deal and, often, a big hole where your wallet once was.

So, remember. Don’t click on any links or attachments unless you are absolutely sure they are safe. Always keep your antivirus and anti-malware software up to date. And when your AV says ‘This link is potentially dangerous’, or ‘Don’t open this attachment because it is suspicious’ (or words to that effect), heed the warning. Ask your system administrator or other knowledgeable person if you really, really want to open the link or attachment (chances are they will investigate and remediate it, removing it from company mailboxes quickly). 

Taking these precautions can help ensure that you do not fall victim to a phishing attack during the World Cup. Or, for that matter, at any other time.
