Phishing — The Dangers You Absolutely Need To Know When Using the Internet (Part 1)

Yen Nguyen
Vibentec-IT
Oct 27, 2022

The global coverage of the internet, along with its amazing utilities such as social networking or online finance management, has made it an easily abused means for criminals to attack its users, and the intended victim can be anyone, including us. Did you know that 91% of all cyber-attacks begin with a phishing email to an anonymous victim?

As technology gets more advanced, so do cybercriminals’ techniques. In this blog, I will go through different phishing techniques aimed at internet end users so that we can recognize phishing attacks and protect ourselves from them.

Source: malwarebytes.com

What is Phishing?

The term Phishing refers to attempts to impersonate a trustworthy communication partner in an electronic communication, e.g. via the internet or a telephone line, to trick the victims into performing actions that benefit the sender. This communication partner could be a business unit or reputable organization: a bank, an auction site or an information technology (IT) administrator are public names that arouse no suspicion.

With a little bait, such as a fake notification of a lottery win or a system error report, the cybercriminals can request the users to install malicious software or share their information, such as usernames, passwords, and credit card numbers. As a result, accounts are plundered, identities are stolen, or malware is installed.

It is a form of social engineering that exploits the victim’s feelings, such as gullibility, curiosity, or fear, and it will become a big concern as most internet users today do not have sufficient knowledge of, or are not alert to, this type of cybercrime.

Source: CYBSAFE-Oh, behave! report 2021

Younger generations (51% of “Gen Z” and 44% of “Millennials”) were more likely to be victims of harmful cyber activity (e.g., phishing attempts or data leaks) that resulted in the loss of money or data compared to older generations (21% of “Baby Boomers,” and 13% of “Silent Gen”).

Phishing attack methods

1. Phishing-Mail

Typically, the same Phishing-Mail is sent to a series of users, requesting them to fill in a form with their personal information. To make it easier to fool users, these emails regularly carry urgent tags and appear under the name of a public organization that arouses no suspicion.

Sometimes, the users may be asked to fill out a form to access a new service through a link provided in the email. The email is dressed up to look official, with the sender’s name, the design and the official logo of a business unit.

Source: The Sun

If the user fills in their personal information, it will be used by scammers for their illegal activities. In the worst case, the credit card information is stolen, which leads to financial damage to the account holders and/or the merchants involved.

Additionally, personal information could be sold by scammers for money: in fact, there are always platforms on the internet where personal data is traded illegally and without the owner’s permission.
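The traits described above (a trusted sender name, an urgent tag, a link leading to a form) can be checked mechanically. The following Python code is an added example, not part of the original article; the sample message, the `KNOWN_SENDERS` table and all domains are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message (not a real phishing email); all domains are made up.
SAMPLE = """\
From: "Example Bank Support" <support@examp1e-bank-login.test>
To: user@mail.test
Subject: URGENT: verify your account within 24 hours
Content-Type: text/html

<p>Dear customer, please fill in the form to keep your account active:</p>
<a href="http://examp1e-bank-login.test/form">https://www.examplebank.test/verify</a>
"""

# Assumption: brand name -> domain the organization really sends mail from.
KNOWN_SENDERS = {"example bank": "examplebank.test"}
URGENT = re.compile(r"\b(urgent|immediately|within \d+ hours|suspended)\b", re.I)
LINK = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def domain_matches(host, expected):
    """True if host is the expected domain or one of its subdomains."""
    host = (host or "").lower()
    return host == expected or host.endswith("." + expected)

def phishing_signals(raw):
    """Return the list of warning signs found in a raw, single-part email."""
    msg = message_from_string(raw)
    findings = []
    # 1. Display name claims a known brand, but the address is on another domain.
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2]
    for brand, expected in KNOWN_SENDERS.items():
        if brand in display.lower() and not domain_matches(sender_domain, expected):
            findings.append("display-name-mismatch")
    # 2. Subject line pressures the reader to act quickly.
    if URGENT.search(msg.get("Subject", "")):
        findings.append("urgent-subject")
    # 3. Visible link text shows one host, the href points to another.
    for href, text in LINK.findall(msg.get_payload()):
        shown, actual = urlparse(text.strip()).hostname, urlparse(href).hostname
        if shown and actual and shown != actual:
            findings.append("link-text-mismatch")
    return findings

if __name__ == "__main__":
    print(phishing_signals(SAMPLE))
```

A message that raises none of these signals is not thereby proven safe; the checks only cover the three traits named in this section.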

Spear-Phishing is a subform of Email-Phishing. While normal Phishing-Mails are targeted at a broad audience, Spear-Phishing uses fake news and websites tailored to a small group of people that the attackers want to infiltrate in order to retrieve more valuable information. In this form, the hackers “improve” their Phishing-Mails to make the attack personalized, which increases the credibility of those mails and the success rate.

A special form of Spear-Phishing is Whaling — as the noun “Whale” refers to the giant creature under the sea, whaling criminals target C-level positions (CEO, CFO, and other senior executives) who have broad powers and access to highly confidential information. The term whaling is derived from the fact that particularly influential people in the context of cybercrime are also referred to as “big fish.” The account credentials of these high-value victims often provide a gateway to more information and potential monetization.

Source: techtarget

2. Smishing — SMS-Phishing

Smishing is a type of Phishing where the scam activity is carried out through a phone-based text messaging service. For instance, it can be a deceptive message that attempts to entice victims to reveal personal information through a link to a phishing website. This type of phishing attack is more visible because people receive SMS-Notifications and read text messages at a higher rate than emails.

A representative case study of Smishing is the “Coronaphish,” which exploits people’s curiosity and fear about the pandemic and tricks them into clicking on malicious links. The COVID-19 pandemic brought all kinds of impacts worldwide, leaving everyone afraid that they, or the people they feel responsible for, would get infected.

Capitalizing on this fear, cybercriminals have launched a new phishing campaign that claimed to have insider information about the pandemic and quarantine situation. However, instead of the promised top-secret information regarding “incoming quarantine information,” the link downloaded the BazarLoader backdoor trojan.

This phishing campaign has targeted hundreds of organizations primarily based in the US and Canada. Once installed, BazarLoader allows cybercriminals to access the victim’s computer remotely, and from there, compromise the rest of the network. Once an organization’s network has been compromised, cybercriminals can install malware, such as Ryuk ransomware that encrypts and exfiltrates data.

Source: Ofcom

3. Vishing — Voice scamming

Vishing is another type of phishing in which the scamming action takes place via phone calls. Typically, attackers call the victim with a pre-recorded message played by a sophisticated autoresponder system, which can seem more “trustworthy” to the user, and request them to dial a number to obtain personal bank account information.

In a real-life Twitter breach, a group of hackers posing as “IT Staff” were able to convince Twitter employees to hand over login credentials through phone conversations.

In other cases, the scammer poses as a representative of Medicare to ask for users’ health insurance information, or as the Social Security Administration, threatening to suspend or cancel their Social Security number. It is the most common method that scammers use to reach older adults.

In this situation, the crooks often aim at financial information from the victim, such as their health and social insurance number or bank account details. Once they have the data, they will fraudulently use victims’ Medicare benefits or steal their money. Unless you’ve requested contact, these federal agencies will never contact you through any channel, e.g., email, text messages, or social media. So, be skeptical of anyone who calls you with an offer.

Another common vishing trick is tricking the victim into saying yes to provide personal information or to accept a fake order via phone line. Criminals often start a call with a long, quick statement, ending with the question “Do you understand and agree with it?”. People who are not able to process information quickly, such as foreigners and the elderly, can easily say yes and are tricked into a thousand-dollar fake invoice.

4. Do you know any other types?

In the next parts of this blog series, I would like to list some more common types of phishing, such as fake websites or phishing via search engines. Notably, I can’t list all of them, and as an internet user you don’t need to know every type.

However, it is of great importance to know how phishing messages are generated and what channels attackers use to reach you. Moreover, it is therefore worthwhile to share the basic knowledge about these technological crimes, as everyone, from personal users to large organizations, can be a potential victim.

To you as individuals, there is no waste in staying vigilant while surfing the internet because there are many people out there who want to trick you into giving out your details. Awareness of such threats is the first step in preventing your computer from being compromised by an attacker.

I hope the above article may help you with your personal experience.
