WEBSITES – Internet Security: Phishing
Following on from the previous article, we are going to look at the most common cyber-threats, with some technical details, examples and tips to avoid and also what to do after being a victim of each of them.
This week, we focus on Phishing, a technique whose name comes from a small play on words, with the word “fishing”, which means “fishing”, and which, practically, looks like a “fishing” for data, or victims in a variety of ways.
The term phishing, as mentioned, comes from the word “fishing”, to which the letter “f” was replaced by the letters “ph”, in an allusion to a technique that emerged in the early 1900s, which was called “telephone phreaking”, a practice which boils down to a group of people (aka phreaks), who performed tests and experiments on telecommunication networks, in order to find out how they operate, and what were their limits of operation (which often led to communications breaking down).
This technique was born in the middle of 1996-1997, with successive thefts of AOL (America Online) accounts, an American telecommunications portal, where hackers stole users’ passwords in order to gain access to someone else’s accounts, for different purposes.
Today, phishing is one of the biggest threats to Internet users and companies, as it is no longer associated only with a specific entity, but a global practice that affects thousands of services and millions of users.
Phishing differs from the way it operates, depending on the type of attack. Each type will, also, have a different scope and urgency:
- Email phishing: the most common method of all. Usually, the user receives an email from an official entity, or from a friend or collaborator, with a link that leads to malicious, fake #websites, where personal and/or banking data will be requested. Subsequently, the user may be barred from accessing email accounts, homebanking services (access to the bank, etc.). Later, we will talk about some types of emails, in the examples we have to show you;
- Phishing site: here, pirates use falsified sites, which lead users to enter personal or bank details, in order to be able to gain access to accounts or, even, to clone credit cards;
- Vishing: lately, we have been witnessing, in national territory, an exacerbated increase in this type of attacks. This is voice phishing made by phone. The pirate pretends to be a technician from an official company, whether banking or technology, and tries to convince the victim to give up personal, banking data or access to their computer or phone, not only with the aim of stealing credentials, but often create the idea that our equipment is compromised, and that you have to pay a (large) amount, in order to solve the problem;
- Smishing: that message from CTT or transport services, or notice of a missing payment from an electrical, banking or technological service provider, this is smishing, that is, phishing by SMS. Usually, it works like an email, and, if successful, it will either provide access to the victims equipment or some sort of financial benefict (when associated with a fake fee or payment due);
- Social Phishing: this type of attack is related to attacks through social networks, mainly messaging services such as Messenger or WhatsApp. It boils down to sending messages to users of the most diverse types, from extremely cheap products, to messages of a sexual nature, and, when the user accesses a supposed link, he is entering malicious #websites, or allowing the installation of malicious applications, which will try to exploit possible security breaches on your equipment.
Within these attacks, we can also subdivide, in a more detailed way, each one of them (such as spear phishing – consists of direct attacks on specific targets, namely, students or members of a certain company, faculty, etc , clone phishing – forgery of #websites and official emails, whose sending address is strange, whaling – oriented towards managers of medium/large companies, etc.), however, the operation is, in general, very similar between them.
Generally speaking, phishing always needs user authorization or validation. Whether through email, message, phone call, or access and entry of personal and private data on fake #websites, the user is ALWAYS the biggest obstacle to pirates.
“I have been working with computers since I was a kid, and I never had any problems, until 2017. I received an email from my bank – or so I thought – in which I was told that there was an update to the security standards, and I would have to follow a link to login and recreate my login credentials.
When I entered there, I came across a page, in every way, identical to the official one of the bank, and I followed the steps that were given to me. In addition to my personal codes, I was asked for a photocopy of my coordinates card, which I handed over without any suspicion.
During that same day, I received a call from my account manager, questioning about consecutive withdrawals and payments from my account, in a total amount that already exceeds 12 thousand euros.
All my access credentials were deleted and resetted, and the authorities were duly informed. Subsequently, the bank reimbursed me for the amounts spent, with the exception of some smaller amounts, which were not covered by bank insurance. I learned my lesson well” – D. R. P. entrepeneur, victim of email phishing.
“At a time of monetary despair, I received a message from someone who pretended to be my relative, with a proposal that seemed attractive. There was an amount, from another family member, held in a bank abroad, to be given to the next of kin. That family member who contacted me said he would take care of everything, I would just have to be the “face” and submit some data, and with that, I would raise the money, being the same divided 45-55%.
Being stupid, and in despair, I accepted. Halfway the whole ordeal, I discovered that it was a scam, in which my data would be used for a payment, via WESTERN UNION, to a certain PO Box, in a third world country, and since it was all in my name, I would be responsible for that fraudulent payment. Incidentally, I was lucky, but I was still forced to make telephone statements to the police of the country in question. Never again” – C.M. C.N.C. operator, victim of 419 Scam, a form of phishing created by Nigerian students during the oil crisis in the 1980s, which aimed to obtain funds for illegal operations. This type of activity is currently carried out by authentic criminal groups, normally associated with violent crime.
These two examples are some of the most common, however, in European territory, we have been affected by a huge wave of vishing, that is, phishing by phone.
Below is a first-person example of a recent attack on a Portuguese pensioner with little to no computer knowledge.
“I got a call from an individual who started by asking if I spoke English, and who introduced himself as calling on behalf of Microsoft tech support, and that several signs of illegal activity were detected, from my computer and my phone.
He asked me to install an application, so that he could not only show the errors in question, but also access my computer to solve the situation. I followed the instructions given to me and gave complete access to the person in question. As soon as I shared the access key, I was immediately without no image on my computer display. The operator said it was an obvious sign of computer hacking, but it would resolve it quickly.
The image came back a few minutes later, and the operator asked me to open whatever program I wanted. So I did, and I couldn’t get into any, always with the warning message that the program was not found… The operator then presented me with a solution: I pay 1500 euros, and he resolved the situation in a few minutes. I accepted, made the payment, by bank card, and in a few minutes, everything was resolved, or at least looking normal.
A few days later, I had problems with the computer again, and I am contacted by a new operator. My grandson, who was nearby, told me to hang up, because it was fraud. From what he told me, they call a random number, and as soon as we answered, they tried to convince us to give them access to our computer. Then, they turned off our monitor and changed some folders or files’ location, so that our programs would not work. Then, they turn on our display again, and asked us to enter a program, which would give an error. When we make the payment in question, they would turn off the monitor again, put the files in place, and thus earn large amounts, with a scam.
As it had crashed once, my grandson chose to format my computer, and I never had problems again. When something strange happens, I ask my grandson or someone else to help me. I was left without 1500 euros, but with a good lesson.” – R. M L, retired, victim of vishing.
This last case has become quite common, at least on European soil. With the pandemic situation, the number of attacks via telephone, has been largely increasing, mainly due to remote working and the users are more prone and vulnerable.
What to do if you are a victim of this type of crime?
The first thing to do, when there is suspicion about whether or not there has been any breach, is to alert the authorities and entities involved. In the case of a service operator (phone, electric, etc), they will try to carry out internal audits, and reset the user profile, with a “clean sheet”, so that extra service fees are not applied.
In the case of bank details, when alerting your bank, they will cancel all access to your account, as well as the cards that have been provided in the meantime. New credentials and new cards will be issued, and an analysis of the situation will be carried out, with objective to find a solution that makes it possible to return, if not all, at least a large part of the amount that may have been diverted.
The user should also change all the passwords of his/her services and sites, and opt for large and complex passwords, with numbers, uppercase and lowercase letters and symbols in the mix. You can and should save them, preferably in a place outside your computer, in a physical notepad, and you should not save them in your browser, to avoid possible security risks.
A tool that can be useful to check for any leaks is the Have I Been Pwned tool, a project created by Troy Hunt, an online security expert, that analyzes your passwords and your emails, comparing them with a database of information taken from attacks, looking for possible security risks. In case your email or your password is affected, what you will have to do is change it to a more resistant keyword. You should avoid repeating keywords.
How to avoid falling into this type of attacks?
Most phishing attacks are easy to avoid. Therefore, the user must:
- Avoid emails that begin with: “Urgent” “Awesome deal”, “Alert”, “Avoid fine”, “Proceedings opened at (your name here)”, “Claim your reward”, “Won a prize”. Typically, these types of emails serve to raise interest and curiosity. Opening them does not bring any harm, but you must not, in any way, send data, open attachments or follow links that come in these emails;
- Analyze the email text. Typically, phishing emails are poorly written, with grammatical or syntax errors. This is one of the first warning signs;
- Strange sender address, with errors or, in the case of an official entity, with a public email server, such as Gmail or Hotmail. Normally, this type of emails, when from official entities, use email servers in their own name, or private, and not public servers;
- These emails demand immediate action, a sense of urgency. This, too, is a warning sign;
- In case of doubt, you can always contact the sender, through official channels or some alternative means, in order to be sure that it is a valid email.
When it comes to Entreprises, these types of attacks also do a lot of damage. There’s even an attack that aims members of companies or economic groups, called whaling (pun on “whale”), which works in the same way as the others, but aimed at entrepreneurs or company CEOs. Such attacks can lead, for example, to a breakdown of communications between the various branches of the company, because one of the administration elements is unable to access his/her internal accounts.
Some numbers to keep in mind:
According to the US security company SANS, 95% of attacks on companies result from successful spear-phishing.
According to 2018 data from the company Verizon, 30% of phishing emails are opened by the target audience and 12% of that audience clicks on associated links.
From 2017 to 2022 there was a 14% increase in phishing attacks (from 72 to 86%) just for the English markets, and in the rest of the world, the numbers follow this growth.
In 2019 alone, in the United States, companies and individuals affected by this type of attacks, found themselves with a total loss of around 3.5 billion dollars, and, in addition to emails, social networks, also started to have an added load for this type of situation (176% more only on FaceBook).
Overall, 83% of all business attacks worldwide started with a small phishing attack, usually via an email campaign with malicious links.
Around 32 to 47% of the world’s companies have been the target of widespread phishing attacks (this is in a pre-pandemic scenario).
In the last year, around 69% of companies were targeted by phishing attacks, with around 12 to 15% being successful.
These values are a bit general, and have some limitations, however, figuratively, they show how dangerous it is, not to take the necessary precautions, in a situation like this.
How to protect your business and the internet users who visit it?
At #UNNE Design, we pride ourselves on our attention to the safety of our customers. Our sites have, configured, active surveillance tools, in case of malicious scripts (code snippets), and, in case of personal data registration, all our have the ability to double security verification, or Two- Factor Authentication, which allows the user to have two means of authenticating data, making forced entries into his account impossible.
Likewise, all communication between the customer and our company is carried out through official channels, without changes and duly identified, and all correspondence is previously analyzed for the possibility of any breach of security.
Talk to us. At #UNNE Design, we care about you and your business.
UNNE Design | Create Curiosity
#websiteswithquality only at #UNNEdesign