Phishing, smishing

TL;DR – Phishing is a form of social engineering where attackers deceive people into revealing sensitive information or installing malware on their computer or other device via a phishing link in an email or on a website. Smishing is the text message equivalent of email phishing.


I just received an email from a reliable and trusted contact to notify me of an alert they received from a third party pointing out that phishing attacks are on the rise. The trouble is, the email they sent with a copy of the original alert is full of links offering advice on how to stay secure and specifically how to avoid being phished…

In case you don’t already know, phishing is a scam (smishing is SMS phishing) whereby a malicious third party hooks you in and gets you to click a link in an email that inevitably leads to the installation of malware on your device, or tricks you into entering private and/or personal data on a remote website, often disguised as your bank or an e-commerce site.

The bottom line is you should NEVER click a link in an email or indeed any other kind of message you receive regardless of what it suggests that you do.

If you must visit a site mentioned in such a missive, because you think it really is legitimate, then have a look at the source of the message you received to see if the link really goes to the website of the trusted source or if it’s a decoy for a malware site. You could also then copy the actual link into an online malware scanner, such as VirusTotal, to double-check that it’s safe. Do that in an incognito tab in your browser and make sure you’re not logged into any sites in that browser window when you do.
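
The check described above, looking at the message source to see whether a link really goes where its text claims, can be automated. This is an added example, not code from the original post: it parses a constructed HTML email body and flags anchors whose visible text names one host while the href points at another.

```python
# Added example (not from the original post): inspect an email's HTML source and
# flag anchors whose visible text names one host while the href goes elsewhere.
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body; all domains are placeholders.
SAMPLE_EMAIL_HTML = """
<p>Phishing attacks are on the rise. Read our advice at
<a href="https://security-advice.example/phishing">https://security-advice.example/phishing</a>
or log in to your bank at
<a href="http://login.example-bank.evil.test/verify">https://www.example-bank.example</a>.</p>
"""

def host_of(url: str) -> str:
    """Return the lower-cased host of a URL ('' if it cannot be parsed)."""
    try:
        host = urlparse(url.strip()).hostname
    except ValueError:
        return ""
    return (host or "").lower()

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML fragment."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def find_mismatched_links(html: str) -> list:
    """Return (href, text) pairs whose visible text names a host that differs
    from the host the href really points to (the classic decoy link)."""
    parser = LinkCollector()
    parser.feed(html)
    mismatched = []
    for href, text in parser.links:
        shown = text if "://" in text else "https://" + text
        shown_host = host_of(shown)
        # Only judge links whose visible text actually names a host.
        if "." in shown_host and shown_host != host_of(href):
            mismatched.append((href, text))
    return mismatched
```

Running `find_mismatched_links(SAMPLE_EMAIL_HTML)` reports only the second anchor, whose text shows the bank's domain but whose href leads somewhere else.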

Also, watch out for phishing hooks in your online calendar and on dodgy websites, and watch out for websites that seem to redirect somewhere unexpected: they may have been hijacked.

But there is another kind of scam that doesn’t involve links; indeed, there is a type of attack that doesn’t even use bait. These are called no-hook phishing attacks. They rely on social engineering (a confidence trick) rather than a technical attack.

Some of these emails are not aiming to scam you, but to legitimise an email address so that it can defeat spam filters and be used later for more conventional phishing attacks once the email systems perceive it as safe.

Anyway, back to the phish with no hooks. First, you receive an unexpected message on your device from someone you don’t know about something with which you’re not involved. You respond to let the correspondent know that you’re not actually the intended recipient; they reply with an apology and perhaps some other comment that then requires a further reply from you out of politeness. This is where it gets weird. The person you don’t know who accidentally contacted you is drawing you into a conversation, and you feel obliged to keep replying.

There is evidence that this kind of no-hook phishing attack can last for weeks before the payload is delivered. The scammer, having gained some degree of trust through the ongoing friendly conversation, suggests you check out a website… or maybe even just suggests that you might like to know about an investment scheme through which they themselves have made a lot of money. It’s not genuine, it’s not banter: you’re being conned.

The bottom line: don’t reply to their initial message out of politeness, and you will never be sucked into the con trick. If you do happen to respond, remember the golden rule and don’t let your guard down: do not click any links in a message, ever.

But if no link ever arrives, be even more cautious when your new best friend pipes up with unsolicited investment advice or some other such nonsense.

Davey Winder discussed all of this in more detail in IT Pro here.