The term Phishing refers to a type of fraudulent email, text message, phone call, or website designed to trick users into sharing or revealing sensitive personal information such as credit card info, passwords, bank account numbers, login credentials, etc. Scammers “fish” information from users, using “ph” in place of the “f” as some of the earliest hackers were known as phreaks, where phreaking refers to the exploration, experimenting, and study of telecommunication systems. 

 

 

Source: CNBC

Common phishing call-to-actions 

Scammers usually send emails, text messages, or make phone calls to prompt users to perform specific tasks, such as:

• Click or download content
  You may be asked to click on links or download attachments to download malware.

• Provide sensitive information
  You may be asked to share sensitive information, including but not limited to phone calls, emails, Telegram, or SMS. 

• Authorize a payment
  You may be asked to give the authorization to execute a transaction or any other given action, maybe under time pressure or threat.

• Purchase something on behalf of someone else
  Your boss is suddenly asking you to purchase gift cards for her/him by clicking on a given link or providing the credit card number.

• Use a USB sticks of unknown origin
  Sometimes phishing attacks come from USB sticks found in public places that may contain malware.

• Any other action to provide personal information
  Any other actions that expose yourself or your personal information. 

Common channels and platforms used for phishing*

• Email

• SMS

• Phone calls 

• Social media, e.g., Twitter, Facebook, etc.

• Community platforms, e.g., Telegram, Discord, etc.

• AI deep fake voice or video 

 

* including but not limited to

Common red flags 

• Suspicious links
  The message contains a link or an attachment that has a weird name, or perhaps you don’t trust the sender.
  
  Solution
  1) Do not click
  2) Hover over the link to visualize it without clicking
  3) You can verify whether it contains malware or any other harmful software by using Google Transparency Report (or any other reliable third-party tool) to copy and paste the link into the URL bar and run the report. When copying and pasting the link, be careful to not click on it. 4) Make sure the website is an “https” address. Read more here.

 

• Sense of urgency/threats
  “Urgent”, “Last call”, or “Final Notice”: this is a red flag as the scammer may not want you to verify the legitimacy of the request. Also, scammers may purposefully try to make you panic or feel under stress to exploit your emotional state.
  
  Solution
  Try to calm down and think rationally: is the request reasonable? Why is it that urgent? Can you ask someone else around you before you take action? 

 

• First-time senders
  Never seen that email address before but they are asking for something? You should investigate further. Oftentimes, requests may come at a later stage, i.e., after a few emails as more trust with the stranger is built.
  
  Solution
  1) Use Google or other websites such as hunter.io to verify whether the email server at issue belongs to a given company. For example, if you receive an email from an alleged Amber Group employee such as john.doe@ambergroup.com, be sure it is not us since we would be john.doe@ambergroup.io.
  2) Always make sure that more than relevant persons have been informed and that you don’t act on your own.
  
  

• Spelling mistakes
  If the grammar is bumpy and the text is sloppy and if it feels like it was written in a hurry but you don’t know the sender, then be cautious – it may be a phishing attempt.
  
  Solution
  Ask and inquire further, or simply ignore the email if you are sure it is not relevant to you. 

 

• Appealing to your emotions
  Scammers may be aware of your own emotional vulnerabilities and may try to exploit them to get you to open up and share personal information.
  
  Solution
  When it comes to sensitive information and data, or sending money to non-trusted accounts, you should try not to let emotions get in the way. Ask more questions and ask yourself whether you would do the same if you didn’t feel that way, e.g., guilty, worried, sympathetic towards a stranger. 

 

• General greetings
  It is sent to your personal email address or phone number, but the sender did not address you personally
  
  Solution
  Inquire further. Who is the sender, what are they requesting, and does the email look suspicious? Inquire further by asking around and probing the suspicious scammer
  
  

Conclusion

Phishing attacks often exploit social engineering techniques to articulate requests in a way that sounds more natural and less suspicious. To sum it all up, when you receive suspicious requests, make sure you check the followings:

• WHO: Is it a stranger, an acquaintance, or a close friend? This can help you narrow down the elements to analyze to discern a threat from a regular request. 

• WHAT: What are they asking for? Is it suspicious or illegal? Transferring money is usually the end goal, but phishing attackers may need just a password or a code to be able to siphon money off your account. 

• WHY: Why is it urgent? Most of the time, scammers are leveraging the sense of urgency or threat to force you to act against your interest. 

• HOW: Are you calm and rational? Check-in with how you are feeling. If you feel anxious, try to calm down and try to avoid rushing decisions.

• VERIFY: Verify the request. Never follow up on the request on our own – ask a relevant person with knowledge of the matter, check via phone or on Telegram, and follow protocols if in place. 

• ACT: Take screenshots of the conversation with the scammer, of the SMS or emails received, and if possible record the phone conversations you may have or record the incoming call record. In order to take legal action, evidence will be needed. 

 

Should you have doubts or have experienced any phishing attempt by an alleged Amber employee, please do not hesitate to report it to us via email at info@ambergroup.io or by contacting your Relationship Manager.