What comes to your mind when I say pop-up? I am sure you have experienced a pop-up! Have you ever downloaded an application from the App Store? So, what happens? A pop-up appears asking for approval for the download. How about adding extensions to your browser, downloading a file, or installing an update? All of these create a “pop-up” for approval. Here in part 4 of “An Understandable Guide to the World of Phishing,” I want to take time to look at “pop-up phishing.”
Working in IT, we use pop-ups to help you with computer problems or to send a message to you saying, “Restart your machine due to updates.” You may see a pop-up appear when you shop online to remind you “you left items in the cart.” While these are all helpful pop-ups, unfortunately, this is not always the case. Let us investigate what pop-up phishing is, a couple of the common scenarios, and what you can do to help yourself from becoming a victim of this form of phishing.
What is “Pop-up Phishing”
Pop-up phishing involves fake messages that “pop up” when surfing the web, whether you are playing games, watching videos, or scrolling your favorite social media account. Oftentimes threat actors “infect” legitimate websites or applications with malicious code (program instructions) that causes these pop-up messages to appear when you visit them.
The threat actor uses social engineering to alarm you by presenting URGENT matters! To “trick” you into clicking the pop-up to steal your personal/financial information or to download malicious files to gain control of the device. Now that we know pop-up phishing is a social engineering attack that happens while surfing the web. This means that the threat actor uses your emotions to get you to react. Let us look at a couple of the common scenarios used by threat actors to “phish” their way into your accounts and devices.
Fake Security Warning “pop-ups”
Some of the fake warnings can look like the real thing, it’s often about the security of your device. A pop up will appear to make you think you have Trojans (a malicious file disguised as a legitimate program, like a video update), malware, or other “bad files” that need to be “cleaned.” Like the “ransomware detected” pop-up, which tells you “Security Threat” on your device.
Most times the threat actors prompt you to download a “necessary tool” to “fix the problem!” Such as an antivirus application or “cleaner” to remove the “dangerous files.” The pop up provides you with a button to download the antivirus or cleaner. You hit the button, and it downloads the application, it shows that it has “cleaned” all the bad files but turns out the application your downloaded is malware.
Fake Tech Support “pop-ups”
This tactic seems to have become more common recently: threat actors contact you via a pop-up, by fake “tech support” from Microsoft or the FBI, to fix a fabricated issue or technical problem with your device. They provide you with a fake phone number for “support.” Support then instructs you to download a file so they can help you “fix” the problem. The downloaded file just allowed the threat actor to gain access and control of your device. Think about the information stored on your computer or phone! Do you want it in the hands of a threat actor?
Lookout for fake pop-ups that appear in your browser window, trying to trick you into clicking on them. These pop-ups are not coming from your computer but from a malicious file that has integrated itself into your browser and displays images that look like pop-ups. If you click on them, you may download more malware, give away your personal information or even pay money for fake services!
Now, let us look at what you can do to help prevent becoming a victim of pop-up phishing.
Prevent Pop-Up Phishing
A pop-up itself is harmless, what you do with the pop up is what matters! If you receive a pop-up message, do not click on it, or enter any personal information! Try closing the pop up with the ESC (escape key) if that does not work, close the window by clicking on the “X” button in the top right corner of the “pop-up” window.
Watch out for download pop-ups! If you are receiving a pop-up because you clicked a link to download, make sure the file or application can be trusted! Where did you get the download, official site? A third-party app store? Why are you downloading it? Is it from a message that someone sent you via email, text message or private message? In the event it is the latter, be on guard and extremely cautious especially in social applications like Facebook and X (Twitter)!
Avoid questionable websites and look for grammar, punctuation, and spelling mistakes in pop-ups. Keep your computer and applications up to date.
In conclusion
The threat actor uses social engineering to alarm and “trick” you into clicking pop-ups to steal your personal/financial information or to download malicious files to your device used to gather information. Fake Security and fake support are only a couple of the scenarios used to entice you into clicking on the pop-up and, most times, downloading malicious files designed to steal information or gain control over your device.
While the pop up itself is harmless interacting with the pop up could prove harmful. Avoid clicking on pop ups attempt to close the window using the ESC key. If unsuccessful then close the windows with the “X” in the upper right corner of the window. Never enter any personal information into a pop up that just “appears” and always consider the source of any download.
Have you become a victim to pop-up phishing? We can help you! Contact Us – Blue Sky Services Online
Want to learn more about phishing? Check out the other blogs in this series!