Students' Take: Phishing for thoughts
By Ting Joe Li Zhou, Huang Yuxuan and Chang Si Yuan (Class of 2025), in collaboration with the NTU Centre for IT Services
With so much of our lives going online over the past year, digital health has become ever more crucial. Our reality has turned from one that used to exist mostly in a physical world to one that now increasingly exists in a virtual dimension.
While there are many benefits, such as being able to work remotely from the comfort of our homes, this has undoubtedly opened a whole new avenue for malicious internet users to exploit, which has inevitably impacted the lives of many other responsible users.
“Phishing” was first coined in the 1990s by hackers stealing America Online accounts and passwords. Using the analogy of the sport of angling, these Internet scammers were placing e-mail lures, setting out hooks to "fish" for passwords and financial data from the "sea" of Internet users.
Today, phishing can be simply the act of using a “front” or “cover” to disguise a malicious looking email or social media post as something seemingly innocent, all for baiting users into giving up their personal information to malicious online individuals who would then abuse such information. In other words, phishing can be seen as ‘identity theft’, whereby scammers who obtain the personal particulars of a vulnerable individual would then attempt to use this personal information in a fraudulent or illegal manner.
Besides emails and social media posts, phishing could also be in the form of a phone call from an unknown caller that may identify as a financial institution, or even a SMS from an unknown number claiming to be one of the ministries. All these present as potential areas that scammers can target and exploit to their advantage to lure people into giving up their personal information out of fear or uncertainty.
What makes phishing so believable? Scammers take the time to craft convincing messages that manipulate our emotions and our unconscious biases. In Daniel Kahneman’s Thinking, Fast and Slow, he proposed that humans have two systems of thinking. System 1 is fast and intuitive, often relying on emotions and heuristics to make snap decisions. System 2, on the other hand, is slow and methodical.
With information constantly being presented to users, System 1 is favoured because it uses mental shortcuts to help navigate through inefficiencies. But this also leaves us vulnerable to emotional tactics used in phishing scams to make quick, but fatally wrong decisions. For example, an email that appears to be from a government agency harnesses our willingness to take instructions from the higher authority. This is further exacerbated by the lack of awareness of such scams.
The handbook for phishing scams has grown exponentially since its beginnings. Some of the tactics used in the toolbox include:
- Email phishing
- SMS phishing (or smishing)
- Voice phishing (or vishing)
Vishing, in particular, has become more common in Singapore. The scammer can place multiple robocalls (usually in the thousands) using voice over Internet protocol (IP) technology. Scammers use wardialing to automatically scan a list of telephone numbers and dial those found in the same local area code.
During the COVID-19 outbreak, some scammers capitalised on Singaporean’s fears by inserting vaccines and vaccination drives into their false narratives. Robocalls made to callers posed as Ministry of Health officers falsely claiming to offer registration for vaccination. Victims are lulled into a sense of security when given a case reference number or introduced to actual medical terms such as Remdesivir.
In a post on scamalert.sg, a website run by the National Crime Prevention Council, a user was informed that “he might have been exposed to COVID, but the authorities have tried to contact him twice and failed”. He was then instructed to press “3” for someone to provide an explanation. Recalling that such notifications would be done by SMS, the user ended the call and waited for another 10 minutes before calling back. Unsurprisingly, the number was invalid. Such attacks not only exploit the emotional vulnerabilities of those who are afraid of catching the virus, but also sow greater distrust for any efforts of outreach, even when they come from a legitimate agency or source.
In the second quarter of 2021, scammers under the name of Capital Finance Inc. London notified users that they were “winners of a USD1 million lottery compensation prize payment” which was advertised under the banner of the World Health Organization (WHO) with the International Monetary Fund (IMF) and the Bill & Melinda Gates Foundation. WHO has since made a public warning on its website, but there is no doubt many have fallen prey to this scheme. Phishing scams are thus not just domestic, but international as well.
Although phishing scams can come in all forms and be very varied, the underlying mechanism and modus operandi are always the same: to bait unsuspecting individuals into divulging their personal information to an unknown malicious third party who may be presenting as a legitimate organisation. Here are some tips to prevent us from becoming victims of phishing scams.
- Be on the lookout for advisories from the Singapore Police Force (SPF) which are issued when a new variant of phishing scam is identified to keep the public informed and vigilant. Visit their website for more information and advisories on phishing scams in Singapore.
- Set up ScamShield at https://www.scamshield.org.sg. This prevents susceptible individuals from receiving such calls from scammers and reduces the frequency of encountering scammers.
- Adopt good cybersecurity practices in daily life as shared by the Cyber Security Agency in their “Better Cyber Safe than Sorry” campaign on their website. These include:
- Using a strong password and enabling two-factor authentication (2FA): Should our personal information be compromised at any time, scammers would not be able to utilise the information as there is still a layer of password protection to safeguard us.
- Spotting signs of phishing: This includes calls and emails from dubious sources who claim to be from governmental or legitimate organisations.
- Using an anti-virus software and updating software promptly.
To tackle the issue of phishing scams, the NTU Centre for IT Services (CITS) hosted an online 2021 Cybersecurity Day on 21 October with the theme "Building Cyber Immunity". Industry experts were invited to speak about the cybersecurity hazards Singaporeans face every day and what people can do to protect themselves.
Superintendent Michelle Foo, head of the SPF Anti-Scam Investigation Branch delineated the epidemiology of scams over the past year and how they were the largest contributor to growing crime numbers. Her presentation dissected the modus operandi of how scammers cheat victims online and the various ways the public could protect themselves.
A panel discussion between Mr Christopher Lek from NTU CITS, Mr Hoo Chuan Wei from ST Engineering and Mr Cecil Su from BDO Singapore also went into the details of how larger organisations approach information security. They discussed the idea of conducting "red team" exercises where data security officers intentionally send suspicious phishing emails to staff to test their vigilance and develop a level of "cyber immunity". A consistent theme throughout Cybersecurity Day was the focus on equipping people with the right habits and tools to stay safe online.
For example, SPF's Scamshield app compares an incoming call against a list maintained by the SPF to determine if the number has been used for illegal purposes and automatically filters suspicious incoming phone calls and SMS messages. The app is available for download on the iOS app store, with the Android edition coming soon.
NTU CITS also partnered with Trend Micro to launch a free "Trend Micro Maximum Security" subscription, which is available (at time of writing) for all NTU students and faculty for up to five devices including laptops and phones. Anti-virus software ensures that our devices are kept up to date with security patches and fixes which help to automatically filter out suspicious calls and emails, reducing our exposure to high-risk situations and keeping us safe from phishing scammers.
More resources are available below:
- "Invisible attacks" e-book (a collaboration between LKCMedicine and CITS)
- NTU-Trend Micro Complimentary License
- SPF Scamalert Website
- SPF Scamshield Website
- SPF Anti-Scam Hotline: 1800 722 6688
Let us all play our part in fighting phishing scams and educating others on how we can prevent ourselves from falling victims to one of these perpetrators. Together, we can build a stronger, more vigilant and safer community for everyone to live in.
Ting Joe Li Zhou, Huang Yuxuan and Chang Si Yuan serve on the Publicity and Publications Committee of the 9th LKCMedicine Students’ Medical Society.