Soon after email was invented, scam emails emerged. At the time, we all trusted email, so no one believed they could become a scam. And it turned out to be very effective. Since 2004, phishing attacks against e-banking customers have increased exponentially.
E-banking customers received emails with links leading them to fake websites with a very real and professional look. Victims were trapped by typing all their account numbers and passwords and handed them over to the attackers. From May 2004 to May 2005, losses caused by this type of attack amounted to $ 929 million.
After the first large-scale phishing campaigns, email systems began adding intelligent filters for unwanted and malicious messages, and the success of basic phishing tactics declined. But it hasn’t disappeared. In fact, more sophisticated tactics have emerged, along with other forms of phishing such as message phishing, voice phishing, and many others. They all exploit the weakest link in the cybersecurity chain: the end user.
Therefore, any anti-phishing initiative should start by educating the user about the tactics that hackers use. So let’s take a look at them.
1. Email phishing and more
Email messages with suspicious attachments or links are easily detected by security filters, so phishers needed to develop a new type of email attack. They came up with a message-based business email compromise without any malicious content – no links or attachments, just a simple message from someone you know from the work environment.
To carry out this kind of targeted attack, criminals need information about the victim and the person they pretend to be in order to engage in continuous dialogue. After the first messages, the attacker will request confidential information or send a file or document with malicious content to its victim.
2. Site substitution
In general, fake is used in all kinds of phishing attempts, since there is always someone or something pretending to be someone or something else. Specifically, website spoofing is about making a web page legitimate. A fake website resembles the login page of a real site – it not only mimics the overall look but also uses a similar domain name.
Usually, these fake sites require other types of phishing – email, messaging, SMS, etc. – to lead the victim to them. As soon as the victim tries to enter the fake site, their sensitive data falls into the hands of the attackers.
A type of website spoofing attack is a homographic attack. This type of attack takes advantage of new Internet standards that allow non-ASCII letters in URLs.
Since different languages contain different (albeit very similar) characters, attackers can use these characters to register domain names that are very similar to existing web addresses. And these domain names are linked to fake sites.
For example, the basic character substitution used for attacks is to replace the letters “o” with “0” (zeros). More sophisticated methods use characters with different encodings that look the same, such as the letters “a”, “c”, and “p” in Latin and Cyrillic. A slightly more complex trick takes advantage of the similarity between the ASCII slash (“/”) and the mathematical division operator (“∕”). Using this trick, anyone can think that these addresses are the same:
somewebsite.com∕folder.com/
somewebsite.com/folder.com/
In this case, the fake domain name is somewebsite.com∕folder.com and the real one is somewebsite.com .
3. Spam emails
If the email filter detects that a message is allegedly sent by a very well-known company such as Microsoft (for example), but the source address is different from Microsoft, it will flag the message as malicious. But if the word “Microsoft” does not appear in any part of the message, the filter will skip it.
Attackers can trick email filters by inserting hidden text in a company name so that any reader can think it comes from that company, when the email filter is not.
Another similar trick is to print the message in white text on a white background, unreadable by humans, but not by email scanners, which are misleading into believing that the message is from a trusted source.
4. Identity theft and phishing on social networks
Millions of social media users have public profiles, photos, personal information and contact lists just because they want to have many friends online.
If this is your case, it will be easy for an attacker to steal some of your photos and data, create a fake profile, and start chatting with your friends, pretending to be you and asking them for something on your behalf.
Phone numbers and name combinations are also phishing tools, especially for WhatsApp scammers (more on that below). Anyone who knows your name and phone number can contact you via WhatsApp with a compelling message to trick you into doing something, such as going to a malicious website disguised as a YouTube video you “must see.”
5. Hacking with WhatsApp
There are many scammers on WhatsApp who are as popular as the app itself. But, nevertheless, many WhatsApp users are unaware of the scam and fall in love with it. WhatsApp Gold is a popular scam that prompts users to upgrade to the ” Gold ” version of the application with special features. Obviously, there is no such version, and what you will get if you follow the phishers’ instructions is a device infected with malware.
Another popular scam is a payment request to keep your account active. This trick is almost as old as the app itself, but unsuspecting users might still love it. Always keep in mind that there is no WhatsApp account to keep you active, and therefore you don’t need to pay anything to get your messaging app to work.
6. Spear phishing and whaling
This is usually done through e-mail messages or private communication systems using compromised accounts. The FBI has warned of phishing scams using emails purportedly from the National Center for Missing and Exploited Children.
These attacks are often launched by hackers and government-sponsored computer activists. Cybercriminals use individually designed social engineering approaches and techniques to effectively personalize messages and websites. As a result, victims end up opening messages they deem safe. In this way, cybercriminals steal the data they need to attack victim networks.
Whaling is a special type of phishing attack targeted at senior executives – “big fish”. These attacks target executives, CFOs and other executives responsible for managing corporate finances and sensitive information.
With such narrow targets, decoy messages must be thoughtfully designed to have a reliable appearance. Typically, attackers use information collected from non-private social media accounts owned by the victims.
How do you protect yourself?
When you need to strengthen a chain, you must first find the weakest link and strengthen it. Thus, in the cybersecurity chain, first of all, you must strengthen the user with awareness and knowledge of the risks and their mitigation. Here are some tips that everyone should put into practice:
Be careful with all communications
Any link or attachment, whether via email, WhatsApp, messaging, SMS, or even a physical device (like Pendrive), is potentially dangerous. Before opening or clicking on it, double check it through alternate media as described below.
The most common phishing emails pretend to be known sources such as a bank, financial services company, or subscription-based service and tell you to update your credentials or subscription. The first thing you should ask yourself is: Am I a customer of this company? If not, just reject the message, or better send it to law enforcement.
Also, do not respond to suspicious messages from unknown sources. For example, you may be tempted to ask, “Who are you?” when you receive an intriguing message from an unknown number via WhatsApp. By simply asking this question, you are informing phishers that your number is active and someone is using it, and more targeted phishing attacks may follow.
Check back through alternate medium
Phishers cannot control all communications. This is a weakness that we can use against them by using different media to double-check any suspicious message. For example, if you receive an email from a coworker asking you to click on a link, call them on the phone and ask what the link is and why you should click on it.
Last but not least, protect yourself To protect yourself from phishing attacks, you must take the same precautions as you would to protect yourself from any other threat in the digital world : update your devices, preferably with automatic updates; use the latest versions of proven antivirus programs and security utilities; configure email filters correctly; back up your data; change your passwords periodically; Learn to distinguish between legitimate and false warnings and read these warnings carefully.