Don’t Let Members Get Spooked By Spoofed Sites

By Esteban Camargo, published in CUSO Magazine

We are wrapping up another Cybersecurity Month here at CUSO Magazine. We have learned about the rise of AI scams and RFID skimming, got a refresher on password hygiene, and were reminded how important board literacy training is for credit union cyber health.

As we close out the month, it’s time to talk about another attack vector bad actors use to confuse and exploit members and staff alike: website spoofing.

What is website spoofing?
Spoofing is the act of cleverly disguising fraudulent websites as trusted ones. Regardless of how the faked website is sent to members and staff—and we’ll get to the specifics shortly—the important idea here is that the URL of a fraudulent website is made to look like something you know and recognize. Sometimes this is as simple as replacing an ‘m’ with ‘rn’ (e.g., cusornag.com instead of cusomag.com). Sometimes an extra letter is inserted where the reader might not notice it. Depending on the font used, the change might be glaringly obvious (if you’re looking for it), but sometimes the font disguises it so cleverly that it’s nearly impossible to tell.
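For staff who screen reported links, the two tricks described above (an ‘rn’ standing in for an ‘m’, and an extra letter slipped in) can be checked mechanically. The Python sketch below is an added example, not code from the article or CUSO Magazine; the allow-list, the small look-alike table, and the function names are assumptions made for illustration.

```python
import unicodedata
from urllib.parse import urlsplit

TRUSTED = {"cusomag.com"}  # assumed allow-list, constructed for this example

# Small hand-picked table (an assumption, not a complete confusables list).
SEQUENCES = [("rn", "m"), ("vv", "w"), ("cl", "d")]
CHARS = str.maketrans({"0": "o", "1": "l", "|": "l"})

def skeleton(domain):
    """Collapse look-alike characters so visually similar names compare equal."""
    d = unicodedata.normalize("NFKC", domain).lower().rstrip(".")
    d = d.translate(CHARS)
    for seq, repl in SEQUENCES:
        d = d.replace(seq, repl)
    return d

def edit_distance(a, b):
    """Levenshtein distance: inserts, deletes and substitutions each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(url, trusted=TRUSTED):
    """Return (verdict, trusted_domain_it_resembles) for the host in a URL."""
    host = (urlsplit(url).hostname or "").rstrip(".").removeprefix("www.")
    if host in trusted:
        return ("trusted", host)
    for good in sorted(trusted):
        if skeleton(host) == skeleton(good):  # e.g. 'rn' rendered as 'm'
            return ("lookalike-substitution", good)
    for good in sorted(trusted):
        if edit_distance(skeleton(host), skeleton(good)) == 1:  # one extra/missing letter
            return ("lookalike-one-edit", good)
    return ("unknown", None)

if __name__ == "__main__":
    for link in ["https://cusomag.com/", "https://cusornag.com/login",
                 "https://cusommag.com/", "https://example.org/"]:
        print(link, classify(link))
```

The check compares the whole hostname, so it does not handle a trusted name used as a subdomain of an unrelated domain; that would need a public-suffix lookup.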

Getting an unsuspecting target to click on a bad link is only step one for scammers. Maybe the site the user is directed to delivers a nasty payload to that person’s device. Another option though is that the individual is presented with a very convincing replica of the site they thought they were visiting. From there maybe they’re presented with a “confidential” web form asking for sensitive information the bad actor can use to access accounts, take over emails or phones, and in general wreak havoc. Either way, avoiding these websites is the first and most important countermeasure.

How are these spoofed sites presented?
Spoofed sites are delivered in a variety of ways using a variety of methods to convince you to click. Chances are you have received a text saying you owe money for this or that. Sometimes it’s a package that can’t be delivered and they need new information (despite the fact that you weren’t expecting anything). Whatever it is, text scams rely on you clicking on a link that has either been spoofed to look like something you know or is designed to look like something that might be legitimate.
