All Deceptions Are Not Equal – Bait-And-Switch Versus Phishing

Bait and Switch and Phishing are both deceptive. But, beyond that basic characteristic, they’re not the same.

In Bait and Switch, the deception is in the offer.

In Phishing, the deception is in the offeror.

Let’s get on with it.

Bait and Switch

Bait and Switch is a type of Dark Pattern in which “you set out to do one thing, but a different, undesirable thing happens instead.” (Source: Types of Dark Patterns)

The perpetrator of Bait and Switch can very well be genuine. For example, many reputed car dealerships regularly engage in Bait and Switch tactics.

One of the most common examples of bait and switch advertising appears in offers from car dealerships. For instance, the car dealership will typically run an ad that says they have a limited supply of a specific model of motor vehicle that they will sell at an unusually rare and low price. After a customer enters the dealership to ask about their offer, the dealership will claim something like, “all motor vehicles at that price point have been sold, but there are similar cars on the lot” (which will be high priced).

–  Bait and Switch Laws

As soon as the car salesman tells you that the car you came for is not available, you know you’ve been suckered. So it’s a no-brainer to figure out that you’ve been a victim of bait-and-switch.

But it’s hard to prove bait and switch. In the above example, it could be argued that the car dealer really had a limited quantity of the advertised cars, that it had indeed sold out of them when the customer walked in to the car dealership, and, therefore, did not engage in deception.

Phishing

In Phishing, a fraudster masquerades as a genuine business and extracts information from you that they then use to defraud you. The information is of the type that you’d readily share with the said genuine business but certainly not with a fraudster. Greed or fear is the go-to call to action of phishing attacks.

I get phishing emails purportedly from Hostgator warning me that my hosting account is compromised, click here to raise a ticket. Back in the day of Nigerian Prince, it was greed. Now it’s fear. Between the two, one of them works!

Here are some examples of phishing messages:

1. You are eligible for income tax refund. Click here to submit your bank account details to collect the refund.
2. Your hosting / email account has been hacked. Click here to block it.
3. Your account will be frozen because your KYC is incomplete. Click here to complete your KYC.

Phishing messages are typically circulated via email or SMS.

PSA: Income Tax Refund Phishing Attack in Ireland. https://t.co/QcLXQvVODe

— GTM360 (@GTM360) August 28, 2020

In the last example, you’ll receive an email purporting to be from your bank. The message will contain a link and tell you to click it to complete your KYC. When you click the link, you’ll be taken to a webpage that looks exactly like the login page of your bank. Thinking that you’re on your bank’s website, you’ll enter your username and password and hit the submit button.

Instead of seeing your account balance and other details that you’re accustomed to seeing on the splash screen of your online banking portal, you might see a message saying “Goodbye sucker” or something equally humiliating.

The fraudster then uses your credentials to log in to your bank account and siphon your bank balance.

One of the most widespread and enduring examples of phishing is the spate of attacks carried out on PayPal customers during the 20+ years of existence of the Fintech PSP.

Although merchants, banks and experts will wax eloquent about the number of ways to safeguard against phishing, they’re not always easy to execute. Take this common tactic for example: “Inspect the link carefully and avoid clicking on dodgy-looking URLs.”

This is easier said than done. Take the following URLs:

1. paypal.xyz.com
2. abc.paypal.com

Both URLs look like PayPal’s website but only one of them is. I’m not sure if the common man would be able to tell which one.

Question: Which URL is genuine?

Answer: The way URLs are structured, the name immediately preceding .com is the domain name. All other names are subdomains. The website owner can call them whatever she wants. Accordingly, URL #1 above is a subdomain deceptively titled paypal on a random website xyz.com and URL #2 is one of the many subdomains on PayPal website.

So, #1 is phishing and #2 is genuine.

Which is worse?

As we can see from the above,

Bait and Switch is easy to spot but hard to prove.

Whereas

Phishing is hard to spot but easy to prove.

In a bait-and-switch attack, you won’t get THE offer but you will get AN offer. You may end up spending more money and getting less value than what was promised by the ad or the sales rep but you’ll be buying what is bought by other customers who have not been subject to the attack.

In a phishing attack, you will get nothing and risk losing a lot of money.

While they’re both deceptive, Phishing is more lethal than Bait and Switch.

If you type the URL to avoid a link, you could make a typo & become a victim of a "typosquatting" scam.

If you click a link to avoid a typo, you could end up on a shady website & suffer a "phishing" attack.

Hard going online these days:(
https://t.co/pW1cOFsubt via @Finextra

— GTM360 (@GTM360) July 25, 2019

Quora Link: https://qr.ae/pGx3Fx