
The rising tide of no-hook phishing

Not all phishing attacks rely on links or attachments, which means you’ll have to be extra careful

Phishing has always been a problem facing businesses and employees, but the number of no-hook phishing messages arriving via SMS or WhatsApp has surged of late. Your immediate response to this will probably be to ask what a no-hook phishing message is, exactly. Arguably a subset of smishing attacks, these can seem very similar to conventional phishing efforts but operate in a different way.

First, think about how most phishing lures work. You get a message – the platform it’s delivered on is for the most part irrelevant – that appears to be from a trusted source. This could be your bank, a business you have dealings with, a brand you recognise offering you a deal of some kind, or even just someone you know. That is the lure; the hook is the link you are asked to click on or the number you should call.

No-hook phishing throws away this ‘con-artist 101’ rule book and instead uses a script that has been around for a very long time. I can recall these things from 20 years ago but they’ve recently made a comeback. Not only is there no hook by way of a link, but the lure isn’t from a trusted source. Quite the opposite, in fact.

How to spot a no-hook phishing attack

A no-hook phishing attempt starts when you get a message, with SMS appearing to be the most common platform for reasons that will become obvious soon enough, from a complete stranger asking you something quite random. I will raise my hands right now and say that, for whatever reason, I have yet to get one of these on any messaging platform I use regularly. I can, however, give you some examples of the conversational tactic used, courtesy of people who have shared them online. 

Sender: Hi Jenny, are you free on Saturday for dinner, like we spoke about?

Recipient: Sorry, I think you have the wrong number.

Sender: Is this not Jenny?

Recipient: No, sorry.

Sender: I’m really sorry, I must have dialled the wrong number.

Recipient: No problem.

Sender: You seem nice, my name is Karen, what’s yours? 

The conversation continues as long as replies are sent. I have seen some examples that use exactly the same phrasing and responses that ignore the reply given and continue in a template fashion. These are almost certainly bot-driven. One phrase that crops up time and time again is “Thank you, you are a kind and polite person”, with another being the opener: “My name is xxxxx. Your number appears in my address book, do we know each other?” 
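The template phrases and reply-ignoring behaviour described above can be turned into a simple screening heuristic. The following is an added example, not code from the article or from any carrier's filtering: it scores an SMS thread from an unknown number on how many of the quoted lure templates it matches and whether the sender keeps going after being told it is the wrong number. The sample thread is constructed to mirror the exchange quoted earlier.

```python
import re
from dataclasses import dataclass

# Phrases lifted from the lure templates quoted in the article.
TEMPLATE_PATTERNS = [
    re.compile(r"\bwrong number\b", re.I),
    re.compile(r"\bkind and polite person\b", re.I),
    re.compile(r"\bappears in my address book\b", re.I),
    re.compile(r"\bdo we know each other\b", re.I),
    re.compile(r"\bmy name is \w+", re.I),
]
# Recipient phrasings that amount to "I don't know you".
DENIAL = re.compile(r"\b(wrong number|don't know you|who are you)\b", re.I)

@dataclass
class Message:
    direction: str  # "in" = stranger -> recipient, "out" = recipient -> stranger
    text: str

def template_hits(thread):
    """Indices of distinct lure templates matched by inbound messages."""
    return {i for m in thread if m.direction == "in"
            for i, p in enumerate(TEMPLATE_PATTERNS) if p.search(m.text)}

def inbound_after_denial(thread):
    """Inbound messages sent after the recipient first says they don't know
    the sender. A genuine misdial ends there; a scripted lure keeps going."""
    for idx, m in enumerate(thread):
        if m.direction == "out" and DENIAL.search(m.text):
            return sum(1 for n in thread[idx + 1:] if n.direction == "in")
    return 0

def score_thread(thread, sender_known):
    """Return (is_suspect, reasons). Known contacts are never flagged."""
    if sender_known:
        return False, []
    reasons = []
    hits = template_hits(thread)
    if len(hits) >= 2:
        reasons.append(f"{len(hits)} lure templates matched")
    persisted = inbound_after_denial(thread)
    if persisted >= 2:
        reasons.append(f"sender continued {persisted} times after denial")
    return bool(reasons), reasons

# Constructed sample thread, modelled on the exchange quoted in the article.
SAMPLE = [
    Message("in", "Hi Jenny, are you free on Saturday for dinner, like we spoke about?"),
    Message("out", "Sorry, I think you have the wrong number."),
    Message("in", "Is this not Jenny?"),
    Message("out", "No, sorry."),
    Message("in", "I'm really sorry, I must have dialled the wrong number."),
    Message("out", "No problem."),
    Message("in", "You seem nice, my name is Karen, what's yours?"),
    Message("in", "Thank you, you are a kind and polite person."),
]
```

Running `score_thread(SAMPLE, sender_known=False)` flags the thread on both counts, while a one-line apology after the denial would not trip either threshold.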

What do no-hook phishing operators hope to gain?

Without any link or obvious attempt to extract anything but basic info, there are various explanations as to what the no-hook actor gains from the exchange. One plausible explanation is that the messages are used to establish a series of seemingly genuine conversations with real people across a range of random phone numbers. This gives the spammer or scammer a cloak of legitimacy that helps bypass network carrier spam filtering that might otherwise kick in. However, that doesn’t necessarily mean that all these messages fall into that category.

There’s a fascinating analysis of the phenomenon on Substack by Max Read that comes to a different conclusion: a take on classic romance scams, but with an ultimate crypto deposit twist. Max, who refers to these no-hook messages as “pig-butchering scams”, has researched various examples and finds that, although they have the feel of a meet-cute, more often than not they “rely on cultivating a trusting friendship that culminates with a little bit of friendly investing advice”.

There’s a really good example of this on the Reddit r/Scams forum from last year. This one played out on WhatsApp and started with a random question that led to a casual chat. This, in turn, led to the caller giving her private WhatsApp details rather than the initial one, which was a business account. The chats continued, on a daily basis, for three weeks. This led to a conversation about investing, which eventually raised red flags with the would-be victim.

Our advice is to use your common sense and simply not engage at all. This shouldn’t be too difficult. After all, they’ve admitted they don’t know you from Adam or Eve from the outset. Inaction is the vaccine that kills off these no-hook scams. It’s not rude to blank someone who’s telling you they’ll be late for a meeting you don’t have with a person you don’t know, or starts the conversation with “who are you?”, is it? Inaction also means that the caller can’t verify your number or address is a live one, which could mean less spam, and a scam list you won’t be on. Assuming, that is, you value your privacy lots and your security more.
