What is phishing, and what are the signs of it? How do you avoid getting caught on a hook? Read the latest Bluebird post!
In the digital world, an unwary or thoughtless person is just as vulnerable as they are in the actual world. There are more people who access your data than you might believe, and your information may be beneficial to someone you wouldn't expect. Phishing has spawned an entire business, but with caution, you can avoid most of the danger.
Phishing - Data as a Value
Data has become one, if not the most valuable asset, in the third decade of the twenty-first century, in an ever-accelerating world of digitalization. And the data becomes more valuable the more someone tries to keep it hidden: business ideas, personal information, health information, passwords, and so on. While the information itself may be valuable (plans, patents, etc. ), it can also serve as a springboard for more damaging attacks (such as login IDs and passwords).
When something is extremely valuable, numerous people will attempt to take it. Computers and the Internet have provided thieves with unparalleled opportunities in this field, as they can steal material stored in digital form and return it to its original place. As a result, the owner may be unaware that they stole it.
How Does Phishing Work?
Phishing is one of the most frequent methods of stealing digital information. This type of cyber-attack relies on the deception of fooling the user and, in most circumstances, necessitates active participation. A common scam involves a fraudster sending an e-mail on behalf of a person or organization you believe is trustworthy. The e-mail usually asks you to click a link or open an attachment. To steal our log in or personal information, they send us to an imposter website that looks exactly like the "real" one. And the transmitted attachment frequently contains computer malware, such as an extortionist virus; the user has already infected their own machine by downloading or opening the document.
Phishing is a risk that virtually every firm faces. By 2020, phishing had already attacked 75% of the world's enterprises, with 74% of phishing attempts against US companies being successful. Phishing accounted for 22% of data loss attacks.
Practical Examples of Phishing Detection
For thousands of years, relying on fear, credulity, or good faith has been a lucrative industry. How does this work in the case of phishing? Let's look at some typical examples.
Our bank has supposedly sent us an email. In the notification, someone has misused our credit card/bank account, and we must provide our information by clicking on the linked link. This will allow them to verify our identity.
One of the online entertainment providers (Spotify, Netflix) will send us a message informing us that our subscription is about to expire. To continue, please enter your payment card information.
Google or another internet service provider has informed you that somebody has hacked their system and taken the user IDs. Of course, you'll have to enter the old one as well. (Hackers use Microsoft the most extensively for fraud, but LinkedIn, Amazon, and Zoom are also on the cutting edge.)
We'll reset our corporate password on the linked page once the firm's administrator informs us that the security software is up to date.
In most cases, phishing communications instil fear: somebody has hacked your online account, your data, money, and computer are all at risk. These have recently been complemented by pandemic information.
Following the fear, the prompt appears: act quickly to avoid further trouble.: Install this program, then click this link and fill out your information. That person is more likely to rush and not think (especially if the message seems credible), to obey the request, and to fall for the trap.
Phishers may sell or utilize the information they collect to prepare for more complicated attacks. The majority of phishing attacks occur via email, but attackers can also deliver messages via social media or SMS.
Various Types of Phishing Attacks
Just as the types of data you aim to gather during phishing can vary, so can the types of assaults.
Pelagic fishing is a good analogy for this version. The phishing scam creates a bogus website and sends false emails. It then discards the net, sending it to as many recipients as possible in the hopes of catching lots of people. Because this isn't a very well-targeted attack, it's quite easy to recognize. Why would we receive a letter from a bank or service provider with whom we aren't familiar?
Most importantly, we might be able to transform it into harsh fishing. The net is no longer cast haphazardly, but rather the target individual(s) (such as bank customers) is reached and the letter is sent to them, with a message targeted to them. They no longer accidentally drop out of the net, but reach the target person (s) (such as bank customers) and send them a letter with a message to them.
Phishing emails may already contain information (company name, position, etc.) or refer to individuals and businesses that can reassure the skeptics. This makes it easier for the target to comply with the cybercriminals' demands.
Based on its meaning, it is when phishers travel to really big fish. (before anyone remarks: yes, we know that a whale is not a fish…). In this case, the whale is a company or organization's top manager (CEO, CFO, etc.) who has access to sensitive company data or can do things that other employees cannot. They utilize them in two ways: either they try to obtain data from them or they write letters on their behalf instructing them to cut themselves into chapters and follow the instructions blindly. This is why such attacks are so deadly, especially since they are usually quite sophisticated. After a thorough mapping of the target person and their environment, they fire them to make the whole thing as believable as possible.
The letter v at the beginning of the word refers to the voice, implying that attackers can phish over the phone. A call comes in from a real-looking (audio) person. They request personal information from us, like a bank clerk needing to reconcile our accounts. However, the "grandchild hoax" widespread in Hungary operates on the same idea. The difference is that they ask for money to support the apparently troubled grandchild.
Phishing by text message, to be precise. A clickable link in the message usually leads to a phishing website.
Treacherous Signs of Phishing
The more sophisticated a phishing attack is, the harder it is to spot and defend against it. But there are always warning signs and simple ways to verify the messages are genuine.
Message From an Unknown Sender
Why would someone we've never met beg for something from us? If we're not sure, we can run these addresses through a search engine or put "phishing," "scam," or "hacking" in front of them. We virtually always get a hit when it comes to a known phishing sender, confirming our suspicions. It is also suspicious to receive a corporate email from a company with which we are an individual and to correspond with them about our private address. (The same is true the other way around.)
Unusual Email Address
The letter appears to be genuine; the sender and the company you work for are both listed, but the sender's address is incorrect. It ends differently, with a nation domain following the period instead of the usual .com address. The subdomain is in the address: we get letters from @lending.bank.com or @ext.bank.com instead of @bank.com. When a person acting on behalf of a firm uses a public service provider's address, it's extremely suspect (Gmail, etc.). They can change the address to @telek0m.com instead of @telekom.com.
For a long time, the Hungarian language has protected Hungarian users from phishing assaults. Letters in other languages stand out more. And a message produced with an internet translator that is full of grammatical and stylistic faults screams deception from afar. Nowadays, however, attackers are sending out well-crafted phishing emails in English, primarily on behalf of banks. Unofficial language, exaggeration of danger, and unusual urging can all be signs of this.
When a firm or service provider with whom you've had a long relationship begins a letter with the words "Dear Address!" or "Dear Customer!" and then signs it "Your Bank," it makes you wonder why they can't make the message more personal.
We can also recognize sites to which phishing emails are attempting to divert us if we proceed with caution. We must pay attention to the strange indicators here as well.
Misspelled Web Address
There may be minor inconsistencies, just as there are with the sender's email address. They change one letter for another and add one word to the official title. (they use 1 instead of l, q instead of g, and so on). Abbreviated site addresses (bit.ly) should be avoided at all costs because anything can be buried behind them.
If a corporation is interested in our personal information, it will only do so over a secure connection, which is indicated by the https:/ prefix on the site URL. If the connected website uses an insecure connection (http://), avoid entering any personal information on it.
Again, that's what emails are for: if we see something unusual, we should be suspicious. If it says “YOUR DATA IS AT RISK!!” in capital letters in red in the middle of the page, it wasn't the original company.
Aside from that, we can primarily rely on our common sense. Even if it comes from a seemingly trustworthy sender, don't download or open odd attachments without thinking. (hackers may have used their email address for fraud).
Let's suspect that a message or request is not coming from the usual channel. If a company representative contacts us with an odd request, we should call them to confirm the letter's origin. Let's do this even with our boss: it's a little disadvantage compared to handing over tens of millions of HUF to a con artist. (see our examples).
The Most Serious Phishing Scams
The examples below show how hackers can use phishing for a variety of purposes, leaving even the largest corporations vulnerable.
In 2014, phisher(s) sent a spear-phishing email to several Sony employees, including the CEO, using LinkedIn names and email addresses. In addition to stealing login IDs, they also installed malware on Sony's system. They stole over 100 terabytes of data from the company, including internal correspondence, personal information, and unreleased films. The damage was around between $80 and $100 million.
2. Facebook and Google
Even if a scam that cost two IT giants $ 90-100 million could be labelled a joke, the two firms were mocked by the same individual, Lithuanian Evaldas Rimasauskas. He looked into a Taiwanese company that was a supplier to both companies. After that, he issued phoney but completely authentic invoices on his behalf, complete with all relevant documents. He continued his illegal operation for several years until the authorities seized and extradited him to the United States, where he is currently serving a five-year jail sentence.
3. Crelan Bank
Crelan Bank of Belgium was the victim of a well-planned targeted phishing assault in 2016. On behalf of the company's CEO, the attacker wrote an email to one of the employees, asking him to transfer money to the account listed in the letter - which, of course, belonged to the cybercriminal. Although the specific amount of money transmitted was not disclosed, the corporation ultimately confirmed that the attack resulted in a total loss of $ 75.6 million.
In 2016, an employee of FACC, an Austrian aviation supplier, got a letter from the company's CEO (supposedly) requesting a € 42 million transfer as part of a takeover effort. The employee was unaware of the deception and proceeded to transfer the funds. Probably, he wasn't the only one to blame: he claims that the company fired both the CEO and the CFO after the internal probe.
+1: Colonial Pipeline
We may recall that in May of this year, fuel supplies on the east coast of the United States were disrupted due to a blackmail virus attack on one of the major distributors, Colonial Pipeline. The extortionist virus, on the other hand, was almost certainly able to get access to a company's systems by using a password obtained during a phishing attempt. The company eventually paid “only” $ 4.4 million to the attackers, but supply difficulties and the resulting skyrocketing fuel prices were an invaluable cost to the U.S. economy.