Is there no length to which a scammer will not go to exploit innocent consumers? Apparently not.
New research by cybersecurity company Perception Point revealed a sophisticated phishing attack exploiting the trust users place in live chat support on sites like Etsy, Behance, Upwork, and Reverb – sites that, until now, have basically been scam-free.
Pretending to be a representative of these sites, these hackers are targeting business owners and people who are doing their little side hustles selling things, attempting to claim payment for goods or services the site had provided.
The set-up is to lure them into clicking on a “verify” button to claim their payment. Once clicked, however, victims are prompted to enter their credit card details on a spoofed site page, all the while chatting with what seemed to be real, trustworthy support agents.
Researchers at Perception Point told ConsumerAffairs that what sets this phishing campaign apart is the use of real-time human responses instead of scripted, artificial intelligence-driven chatbots. “This human element in phishing attacks adds a new layer of deception, making them increasingly harder to identify,” the researchers said.
Beware of the chat icon
Despite the initial phishing page dressed up like a fairly standard multi-stage phishing attack, the researchers were intrigued by a number of things — one being a chat box at the bottom.
And that button is where the anguish begins. Once a person clicks on it, a real life scammer begins their ruse, chatting in real time just like they might if someone were on Google’s support site chat.
When the researchers engaged with the chat, they were sent a link in the chat, told to click on it, and enter their bank details. And that’s where everything goes south.
How to stay safe
Live chat has become a preferred method for customer service. However, it also opens the door for cybercriminals to launch phishing attacks. Motti Elloul, vice president of Incident Response at Perception Point, told ConsumerAffairs here’s how you can protect yourself:
- Verify authenticity: Always confirm that the live chat representative is from a legitimate source. Look for signs like verified badges or initiate the chat through the official website.
- Avoid sharing sensitive information: Never share personal or financial details over live chat. Legitimate companies will not ask for such information through this channel.
- Look for red flags: Be wary of urgent language, unsolicited requests, and grammatical errors. These are common indicators of phishing attempts.
- Use security tools: Employ security software that can detect and block phishing attempts. This adds an extra layer of protection against potential threats.
- Educate yourself: Stay informed about the latest phishing tactics. Awareness is your first line of defense.
- Watch the links: If you see a hyperlink that might be suspicious, always proceed with caution. If you have any doubts, do not click.
This article first appeared in ConsumerAffairs, written by Gary Guthrie on July 15, 2024.