Retail Scam Evolution: Phishing 2.0, Smishing and More

It all started with an email from a “Nigerian Prince.” The email was riddled with misspelled words, unintelligible sentences and … wait, what’s this? If I just cash a check I'll be rewarded how much? Sign me up!

Today's retail thief may not be the masked bandit of yesteryear's movies, but instead lurks online attempting to steal passwords, access and other information. (Photo: iStock)

This early example of “phishing” is one with which most of us are familiar. Phishing is the solicitation of personal information, usually via email or by posing as a legitimate, trustworthy website or organization. The culprits behind these scams, the criminal underground, attempt to obtain sensitive information from their victims, including user names, passwords, credit card details, social security numbers, dates of birth and more, for malicious purposes.

Most phishing begins with a spoofed email or instant message that gives some urgent reason why the recipient needs to enter personal information on a fake website, one built to look identical to a legitimate site the recipient is likely familiar with. Of course, the URL the scammers are luring you to is anything but legitimate.

Phishing communications may appear to be from a social media website, auction site, bank, retailer, online payment processor, your company’s IT administrator, or even — believe it or not — from your company’s CEO or CFO. Another serious threat is found in emails that contain links to websites infected with malware or ransomware.

Retail scams may involve websites designed to look like the real McCoy, when in fact they're phishing sites.

Now, you may be saying to yourself, “How could someone fall for a scam like this?” or even “I would never be fooled by a fake website.” But I'm here to tell you that even IT experts and those who work in the IT field every day have fallen victim. You see, we’ve come a long way since the early days of Nigerian Princes, AOL and Netscape. In “phishing 2.0,” the spelling and grammar have significantly improved, as have the logos and graphics used to imitate legitimate businesses and websites.

What creates an even greater challenge in protecting ourselves and our companies from these scams is the fact that so many of us now put nearly everything about ourselves out in the public domain. Think about it: what do you post on social media? Your favorite sports teams, vacation spots and hobbies? How about your children’s names, the college you attended or those Happy Birthday messages you receive from all your Facebook friends? Do you think any of that information is connected to your passwords or the answers to those “secret” account-access questions?

The newest phishing attacks use targeted messages built from information gleaned from social media and other publicly available resources. To add insult to injury, two new techniques have emerged; their use has grown dramatically and is proving to be a significant threat. These techniques have been aptly named “angler phishing” and “smishing.”

Social media is a great way for people to contact companies about products or services. But cybercriminals have found this to be a useful means to gain your trust and make you feel safe about sharing sensitive personal information as well. Enter angler phishing.

Accomplished through, you guessed it, social media platforms, angler phishing has cybercriminals creating fake brand support pages to solicit user interest, or mimicking a company’s legitimate customer support account. The criminals behind these pages use subtle modifications to domain names — for example, “App1e” versus “Apple.” Did you catch the lower-case “l” being replaced by the numeral “1” (one)? In certain fonts the difference is indistinguishable. Angler phishers may also pad a domain name with extra words so that the brand name still appears somewhere in it.
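The two domain tricks described above (look-alike characters such as the digit one for a lower-case L, and a brand name buried inside a longer domain) can be screened for before anyone clicks. The checker below is an added example, not code from the article; the allowlist of legitimate domains and the confusable-character table are constructed for illustration, and a real deployment would use the retailer's own list of known brand domains.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist: the genuine domains a staff member is expected to see.
LEGIT_DOMAINS = {"apple.com", "paypal.com", "examplebank.com"}

# Characters that imitate letters in many fonts; "app1e" folds back to "apple".
CONFUSABLES = {"1": "l", "0": "o", "vv": "w", "rn": "m"}


def normalize_label(label: str) -> str:
    """Fold look-alike characters back to the letters they imitate."""
    label = label.lower()
    for fake, real in CONFUSABLES.items():
        label = label.replace(fake, real)
    return label


def host_of(url: str) -> str:
    """Return the lower-cased host name of a URL; the scheme is optional."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def classify_domain(url: str) -> str:
    """Return 'legit', 'lookalike', 'brand-embedded' or 'unknown'."""
    host = host_of(url)
    # Exact match or a genuine subdomain (support.apple.com) is fine.
    if any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS):
        return "legit"
    labels = host.split(".")
    if len(labels) < 2:
        return "unknown"
    sld, tld = labels[-2], labels[-1]
    # Same TLD, and the second-level label differs only by confusable characters.
    for legit in LEGIT_DOMAINS:
        brand, legit_tld = legit.split(".", 1)
        if tld == legit_tld and normalize_label(sld) == brand:
            return "lookalike"
    # Brand name padded with extra words or used under a different TLD.
    tokens = re.split(r"[.\-_]", normalize_label(host))
    for legit in LEGIT_DOMAINS:
        brand = legit.split(".", 1)[0]
        if any(t == brand or t.startswith(brand) for t in tokens):
            return "brand-embedded"
    return "unknown"
```

Anything other than "legit" is a reason to stop, open the company's known website directly and find the support link there.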

Another facet of angler phishing entails cybercriminals monitoring social media for people complaining about or asking for product or service support. Cybercriminals will impersonate the contacts for the business, such as bank managers or retailer customer service agents. They will then reach out and offer support, asking the victim for specific personal information and often providing a link to their fake website.

Once you’re hooked, you’re redirected to the phishing website. Victims have stated that these scams are so good that they were sure they were speaking with a genuine employee of the business from which they had sought help. How do you prevent getting hooked? Always go to the company’s known website first and follow the links there to customer support services. Likewise, a quick phone call to the legitimate business can do the trick.

Now let's talk about smishing, also known as SMS phishing. Smishing brings fake ads, contests and various offers to your mobile device or smartphone. Smishing is a security attack in which you’re tricked into downloading malware, a Trojan horse, a virus, etc., onto your cell phone or mobile device. The smaller screen, context-specific messages, barrage of alerts and the constant distraction inherent in smartphone use make it significantly more likely that one of these messages or alerts will get your attention.

One of the common ways this scheme succeeds is by sending you an SMS message that states there’s a need for an urgent response with little to no reason being given. For example: “We’re contacting you about the promotional offer you signed up for with our dating service. To confirm, you'll be charged $1.50 a day unless you cancel your subscription. To cancel please visit,” Fearing a daily charge that will add up quickly, you visit the website. There you’re prompted to download a program, which will be malware that allows your mobile device to be accessed and controlled by the cybercriminals.

The best way to protect yourself from smishing scams is to delete any text message that you didn’t initiate or isn’t from someone you know. If it seems too good to be true, it usually is! Sorry, you’re not today’s lucky visitor, there isn’t a refund or rebate floating around out there in cyberspace, bank account suspension notices don't arrive via text message and, no, your Google ID hasn’t expired.

No one needs your user ID, password, social security number, or other account details via text or a Tweet. Be suspicious. And, for you as an FFL retailer, keep your company secure from these attacks as well. Educate your staff about these new scams, remain vigilant with your company’s email accounts, and be prepared to respond to a hack that potentially affects your customers. With a dedicated effort, your business records and sensitive information relating to you, your staff and your customers will remain secure.


Comments on this site are submitted by users and are not endorsed by nor do they reflect the views or opinions of COLE Publishing, Inc. Comments are moderated before being posted.