Ever received some kind of offer via email? Probably. How about this: have you ever been asked to fill out an application form online? This is also very likely. Then, has the former ever led to the latter? Not very far-fetched either: there’s most likely even a whole section in your browser’s settings dedicated to ‘autofill’ so you can fill out these forms faster. Filling out forms with personal info seems like a perfectly ordinary event. Unfortunately, wherever there are emails, there are malicious actors, too.
An email arrives in your inbox. Someone has selected you in particular for the opportunity of, say, being included in a ‘Top 50-Under-50 of the Greatest Cybersecurity Professionals’ list in their publication (spoiler alert: or so they claim). Inclusion is easy… they say you only need to fill an application form with your personal information. Since it doesn't require much from you, you might as well get your name and achievements out there, right? The form looks innocuous and professional, and it seems like you are just giving out your information and not committing to anything huge.
Let’s be totally honest here: it feels super nice when you’re asked to participate in something, or made to feel wanted. It helps you forget any lingering feelings from being picked last for the school's dodgeball team. There's a catch, though: hackers are preying on this exact insecurity. What you are doing is inviting these scammers to steal your personal information and creating a great pretext for requesting more data and payments.
When you filled out that form, you participated in what is called sensitive information gathering. This means that you’ve given a hacker a way to collect your personal, business, and classified data, which can of course harm you if that data was put towards unauthorized use. It is often disguised with seemingly legitimate and harmless purposes, or opportunities that you would likely not want to miss. Though the data you provide is not always sensitive, harvesting personally identifiable information (PII) is common practice for hackers and other malicious actors. For example, anyone probing for your name, contact details, postal address, social security information, or bank account numbers would fall under PII gathering. This data can be used in further phishing as the attackers now have you and how to reach you on their potential victim list. It can also bring profits by itself — an attack where your PII is taken can quickly escalate to account breaches, impersonation, and your data being sold.
Forming the attack
Being presented with a great opportunity brings forth feelings. The other thing that it does is make you less objective. It lets down your guard.
Checking the mail more carefully no loaded call to action, such as making a payment, is necessarily found; you just have to sign up for further information. Well, what’s the harm, right? Might as well leave my details, this could be a great chance for me after all. After clicking the submit button, being approached with more detailed questions and deposit requirements, or alternatively, getting no response at all might not even prompt suspicion until it is too late. What is more, the very same information is widely collected for more legitimate purposes making these scams harder to catch. The same questions would be asked when signing up for updates about an event or a wait list.
Let’s take a look at a couple of recent examples of PII harvesting we’ve found:
The style of the email and its landing page is very much in line with that of an actual film company. The address the mail is sent from, however, is completely unrelated. According to this phish there is a great investment opportunity and you are personally invited to join… this could very well be your ticket to being a Hollywood mogul! It looks convincing and introduces multiple temptation points: tax reliefs, shares, fame, and a nice, health profit from a supposedly great company. Investing has become mainstream and is a relevant topic, so this email might seem like an easy way to try your hand at it. If you’re interested in the exclusive offer, you’ll find that all the links leads to the exact same unsecure page hosted on yet another domain that presents you with an application form. You’re promised more information only if you sign up or give more details. And once you do actually register, you are greeted with a misspelling. (Editor’s note: Oddly enough, simple grammar and misspelling errors are telltale signs you’re being messed around with)
Here, the threshold of people falling victim has been cleverly lowered by not requiring any money to be sent (yet) and not making the recipient feel like they have to make an immediate binding decision. Simultaneously, curiosity is being raised.
This is why application forms might seem harmless, but they often aren’t.
Staying off the hook
- When unsure, make sure. If you are truly interested, you can look up the legitimate channels of the claimed sender and reach out through them. Remember to tread carefully with search engines, too.
- Always scrutinize domains. Can you tell if the email is sent from correct address? If you wish to click, hover over the link first. Does everything check out when landing on the web page? You may be redirected after a click.
- Were you expecting this? Even though it might feel like belittling oneself, think carefully would you truly be considered for the opportunity. Does it make sense, where could they have discovered you?
- Are you asked to disclose PII? Think thrice. Inquiring sensitive information is very often done maliciously. Profiting from obtained PII is easy for an attacker. Are all the specified pieces of information even necessary in the first place?
- Can’t tell? Tell us by pressing the Hoxhunt button.
- Subscribe to All Things Human Risk to get a monthly round up of our latest content
- Request a demo for a customized walkthrough of Hoxhunt