Phishing is a cybercrime in which a target or targets are contacted by email, telephone or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords. Phishing is a daily threat to both corporate and personal security.

It's not uncommon at work to receive a targeted phishing attack. Targeted phishing, also known as spear-phishing, is primarily where the hacker spends some time researching the business, or you personally, for a target and a plan of attack. This maybe impersonating someone else in the business or a client.

Recently, however, I've seen home users being targeted in this way more than ever before.

An example of this is an email that I received recently at around 5am. It was a password reset request from my mobile provider (referred to from hereon as MYMOBILECOMPANY). Not the first time I've seen this without me clicking the “forgot password” box, but it is the first time that was not the end of the targeting.

How did they know what mobile provider I use?

Here is how

If I visit the MYMOBILECOMPANY website and click the forgot password button.

I enter my actual mobile number and I get a message stating “we’ve sent a link to your registered email.”

Now, if I input a number of mine not related to MYMOBILECOMPANY, I receive an error message, a “whoops something went wrong” error.

So now the hacker knows that I am a customer of MYMOBILECOMPANY.

This issue is more common than cyber security specialists would like, even your penetration test should flag this as a risk and I always wonder why companies allow feedback of forms we complete to tell the user, or even worse a hacker, if that number or email is valid.

‘Great’ the hacker thinks at this stage ‘I know he is an MYMOBILECOMPANY customer’.

Next the text message (SMS) comes through. It looks legitimate, as I don't know what a message from my MYMOBILECOMPANY looks like, so it could be the same.

It was as follows:

Your MYMOBILECOMPANY account is at risk to avoid service restrictions please confirm your details: bit.do/****

So, ‘why am I being targeted’ I ask myself. Well I don't know in this case, but I do know that companies could help reduce that risk by not giving hackers useful feedback about if I have an account with them or not!

The right response is, when I complete the forgot password form and press enter, the response should be the same whether the user exists or not. For example, if you do have an account you receive an email. That way the hacker will be unaware whether someone has an account with that provider and, therefore, is unable to target victims as effectively.

The conclusion

Ideally, a website should never confirm or deny the existence of an account with a given email or username. From a user’s perspective, if you see a reset password link that you have not been expecting, then there is a chance something sinister is happening so be on guard.

If you are unsure of anything you receive, call your provider on the number on the main website not a number on an SMS or email you have been sent, as this could be fake, and ask your provider if they have made contact.

Ensure you alert and educate colleagues, friends and family of this kind of cyber-criminal activity to help to make them aware and be on guard, should they receive similar approaches to this.

If you’d like to speak to us about any aspect of your cyber security, please get in touch.