“This is a warning from PayPal: your account will be deactivated in the next few days.” “You’re a lottery winner.” “Your account has been temporarily blocked after unusual activity was detected.” All of these are emails that users everywhere regularly receive in their inboxes. They have three things in common: the statement grabs your attention, the sender looks like a trusted organization or person, and the ultimate goal is to scam the recipients.
These kinds of hoaxes have a name: phishing. These attacks use social engineering techniques to steal professional and personal information. Cybercriminals pose as a legitimate entity, such as a bank, an official body like a tax agency, or a well-known company like Netflix or Amazon to create trust and thus get the user to hand over their data voluntarily.
The messages are urgent in nature so that whoever receives them acts as quickly as possible. They often contain a link you have to visit to fill out the information they’re requesting (first and last name, address, ID, bank account…), either to prevent the closure of your account or to collect a large sum of money. Once the scammers have that information, they start their attack.
Their ultimate aim is financial, either through direct fraud or by selling the data obtained or holding it for ransom. Sometimes phishing has another purpose: to become the gateway for other types of attacks. Using certain personal information, cybercriminals can install malicious software (malware) on your devices to control them, or hijack sensitive data (ransomware) that can only be recovered after a ransom is paid.
According to the “2021 State of the Phish” report prepared by cybersecurity company Proofpoint, phishing attacks over the past year resulted in loss of data in 60% of cases, closely followed by compromised accounts (52%) and ransomware infections (47%). Other impacts reported include malware infections (29%) and financial fraud (18%).
Types of phishing
While email is usually the most common means of carrying out these attacks, it isn’t the only way. Telephone calls, text messages, and social media are also used by cybercriminals to impersonate other people or organizations and get financial and sensitive information from users.
Vishing: voice phishing. This is the phone version of phishing. Instead of using email, the attacker contacts the potential victim by phone call. They often try to trick the target by saying there’s been a problem with their account (a bank account, for instance) and that they need specific information to address it.
Smishing: SMS phishing. The hook is a text message asking the user to log in to a web page or download a file. Then, the attacker has an open door to device information, access to applications, malware installation, etc.
On social media: Instagram, Twitter, and Facebook are some of the platforms where users share experiences. They’ve therefore become a good source of information for criminals to collect personal data, which helps them craft messages to attract potential victims. With LinkedIn, this data includes the professional sphere, providing access to sensitive information from companies.
CEO fraud: in this case, the bait is the person allegedly sending the message. The cybercriminal impersonates a company manager sending their employees an email asking for help to carry out some financial operation. If the worker believes it, they may provide sensitive data about their organization or take actions that may lead to financial fraud, such as making a bank transfer to cybercriminals.
Whaling: the “whales” are a company’s senior management, and whaling refers to the phishing attacks directed at them to collect especially sensitive data from their companies.
Tips to prevent it
As mentioned above, while the sender of a message may seem trustworthy, this is not always so. To identify phishing and prevent data theft, there are a few indications that should set off alarms:
- Immediacy: these urgent messages ask the user to take action before it’s too late and they can’t recover their account.
- Spelling mistakes: the body of emails, texts, and social media posts may have spelling mistakes.
- Links: you shouldn’t go to the internet address included in the messages. You can hover over the link to see where it will take you. The domains used by cybercriminals tend to be very similar to the original. To take any action, it’s best to go to the company’s or official body’s website from your browser.
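The “hover over the link” and “domain very similar to the original” checks above can be automated. The following is an added example, not code from the original article; it assumes a constructed allow-list of trusted domains and flags three things: link text that names one domain while the target is another, a trusted brand name used as a subdomain of an unrelated site, and a target within a small edit distance of a trusted domain.

```python
import re
from urllib.parse import urlparse

# Constructed allow-list of domains the reader actually does business with (assumption).
TRUSTED_DOMAINS = ("paypal.com", "netflix.com", "amazon.com")
# Anything that looks like a hostname inside the visible link text.
HOST_RE = re.compile(r"\b[a-z0-9.-]+\.[a-z]{2,}\b")


def host_of(url):
    """Hostname of a URL, lower-cased, without a leading 'www.'."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def edit_distance(a, b):
    """Levenshtein distance between two strings, used to spot look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_link(visible_text, href):
    """Return the list of red flags for one link in a message (empty list = nothing suspicious)."""
    flags = []
    target = host_of(href)
    if not target:
        return ["no host in link target"]
    # 1. The text shows one domain but the link really goes to another (what hovering reveals).
    for shown in HOST_RE.findall(visible_text.lower()):
        if shown != target and not target.endswith("." + shown):
            flags.append(f"text shows {shown} but link goes to {target}")
    if target in TRUSTED_DOMAINS or any(target.endswith("." + t) for t in TRUSTED_DOMAINS):
        return flags  # genuine destination, only a text mismatch could be wrong
    labels = target.split(".")
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        # 2. Trusted brand appears as a label of an unrelated domain (e.g. paypal.com.<other>).
        if any(brand in label for label in labels):
            flags.append(f"{target} uses the {trusted} name but is not {trusted}")
        # 3. Target differs from a trusted domain by only a character or two.
        elif edit_distance(target, trusted) <= 2:
            flags.append(f"{target} looks like {trusted}")
    return flags


if __name__ == "__main__":
    print(check_link("Log in at paypal.com", "http://paypal.com.secure-login.example/verify"))
    print(check_link("Click here", "https://paypa1.com/login"))
```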
Staying informed about dangers will help you spot them and, more importantly, keep company and personal data safe.
Cyberattacks are constantly evolving and incorporating the latest technological innovations. Artificial intelligence, which is used to prevent them, is already being used to develop algorithms that carry out phishing attacks.
Innovation in cybercrime is a fact. Have you heard of DeepFakes? That’s what’s next.
Don’t get swept up in the sense of urgency. Stop and think before you act.