The rising tide of no-hook phishing
Not all phishing attacks rely on links or attachments, which means you’ll have to be extra careful
Phishing has always been a problem facing businesses and employees, but the number of no-hook phishing messages arriving via SMS or WhatsApp has gone ballistic of late. Now, your immediate response to this will probably be to ask what a no-hook phishing message is, exactly. Arguably a subsection of smishing attacks, these can seem very similar to conventional phishing efforts but operate in a different way.
First, think about how most phishing lures work. You get a message – the platform it’s delivered on is for the most part irrelevant – that appears to be from a trusted source. This could be your bank, a business you have dealings with, a brand you recognise offering you a deal of some kind, or even just someone you know. That is the lure; the hook is the link you are asked to click on or the number you should call.
No-hook phishing throws away this ‘con-artist 101’ rule book and uses a script that’s been around for the longest time. I can recall these things from 20 years ago but they’ve recently made a comeback. Not only is there no hook by way of a link, but the lure isn’t from a trusted source. Quite the opposite, in fact.
How to spot a no-hook phishing attack
A no-hook phishing attempt starts when you get a message, with SMS appearing to be the most common platform for reasons that will become obvious soon enough, from a complete stranger asking you something quite random. I will raise my hands right now and say that, for whatever reason, I have yet to get one of these on any messaging platform I use regularly. I can, however, give you some examples of the conversational tactic used, courtesy of people who have shared them online.
Sender: Hi Jenny, are you free on Saturday for dinner, like we spoke about?
Recipient: Sorry, I think you have the wrong number.
Sender: Is this not Jenny?
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
Recipient: No, sorry.
Sender: I’m really sorry, I must have dialled the wrong number.
Recipient: No problem.
Sender: You seem nice, my name is Karen, what’s yours?
The conversation continues as long as replies are sent. I have seen some examples that use exactly the same phrasing and responses that ignore the reply given and continue in a template fashion. These are almost certainly bot-driven. One phrase that crops up time and time again is “Thank you, you are a kind and polite person”, with another being the opener: “My name is xxxxx. Your number appears in my address book, do we know each other?”
What do no-hook phishing operators hope to gain?
Without any link or obvious attempt to extract anything but basic info, there are various explanations as to what the no-hook actor gains from the exchange. One that certainly has an air of probability about it is that they are being used to establish a series of seemingly genuine conversations with real people across a range of random phone numbers. This then provides the spammer/scammer with a cloak of legitimacy that helps bypass network carrier spam protection filtering that might otherwise kick in. However, that doesn’t necessarily mean that all these messages fall into that category.
There’s a fascinating analysis of the phenomena on Substack by Max Read that comes to a different conclusion: a take on classic romance scams but with an ultimate crypto deposit twist. According to Max, who refers to these no-hook messages as “pig-butchering scams”, he has researched various examples and, although they have the feel of a meet-cute, more often than not they “rely on cultivating a trusting friendship that culminates with a little bit of friendly investing advice”.
There’s a really good example of this on the Reddit r/Scams forum from last year. This one played out on WhatsApp and started with a random question that led to a casual chat. This, in turn, led to the caller giving her private WhatsApp details rather than the initial one, which was a business account. The chats continued, on a daily basis, for three weeks. This led to a conversation about investing, which eventually raised red flags with the would-be victim.
Our advice is to use your common sense and simply not engage at all. This shouldn’t be too difficult. After all, they’ve admitted they don’t know you from Adam or Eve from the outset. Inaction is the vaccine that kills off these no-hook scams. It’s not rude to blank someone who’s telling you they’ll be late for a meeting you don’t have with a person you don’t know, or starts the conversation with “who are you?”, is it? Inaction also means that the caller can’t verify your number or address is a live one, which could mean less spam, and a scam list you won’t be on. Assuming, that is, you value your privacy lots and your security more.
Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.
Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.
You can follow Davey on Twitter @happygeek, or email him at davey@happygeek.com.