The rod and the bait – meet phishing
The scam described above is called phishing (derived from “fishing” = catching fish) and is a prevalent form of cyberattack. It uses electronic mail, Instagram, Facebook or Twitter but also text messages and phone calls.
Phishing aims to mislead a recipient to achieve certain benefits. The scammer uses personal data, access to a bank account, a computer, or confidential information if the user stores it on the workstation.
- The fishing rod is the communication channel (e.g. email, text message)
- The bait is the manipulative message
- The catch is the information that provides the cybercriminal with specific benefits such as access to a bank account, a government institution, confidential corporate information.
Phishing messages are crafted with a lot of care to look as much like actual correspondence from a trusted sender as possible. Phishing emails addressed to the mailboxes of employees in public institutions or corporations are especially critical. They may compromise data not only of an individual but also the work of the entire organisation.
Another category of attacks is spear phishing, by targeting specific organisations or employees at particular positions.
Such messages are created with the use of social engineering techniques.
It is not uncommon for scammers to perform surveillance on the Internet about the person or the specific position at which the person works.
Whaling, or hunting for a “whale” or “big fish”, is a separate category of phishing.
“Big fish” are CEOs of large corporations, senior executives and similar persons at high-level positions. Messages crafted for whaling require much more effort from a cybercriminal than phishing addressed to random users.
People at high-level positions are more widely educated, intelligent, and well-read, making it harder to trick them.
Although the situations in which cybercriminals are successful in whaling are infrequent, often only one click per tens of thousands of emails is enough for the company to suffer millions of dollars in losses.
The same applies to a category of phishing known as CEO fraud. The criminal impersonates a superior in order, for example, to instruct a bank employee to make a transfer to a designated account.
An exciting and treacherous case is also clone phishing.
This type of attack is usually preceded by breaking into and stealing company resources through an original, previously sent email (including the list of recipients and an attachment or link) replaced with a malicious one and then resent.
Clone phishing is one of the most dangerous attacks because it is hard to differentiate it from genuine emails.
You receive communication which content you know well because you usually receive several of them during the day. And without thinking, you click a link.
However, the link does not lead to the familiar website; instead, you have become a victim of a phishing attack. And malware will probably be installed on your workstation by the scammers.
Vishing and Smishing
Not only electronic mail can be a communication channel for phishing scammers.
With voice phishing (vishing), the attack occurs through the automatic dialling of many telephone numbers. It will play a previously prepared recording, providing false information about an unauthorised transaction from their account and the like.
It is dangerous as the telephone number is consistent with the number assigned to the bank’s hotline. And a voice message tells us to call the phone number to resolve the problem. You will connect to a scammer who will trick you into accessing your bank account.
With SMS phishing (smishing), the scammers ask the user in the text message to contact a specific phone number, click a link or write an email to a specified address. Then the whole process of social engineering and phishing occurs.
Slightly less common - and one of the most dangerous phishing attacks - is page hijacking. This includes manipulation of the content of an existing website to steal user data.
The website you usually use appears normal, but when you enter it, you automatically download malware, and the attacker may steal data from your workstation.
There is a particular method used by Internet scammers – manipulation of the domain names. The scammer changes just one letter in the URLs, and everything looks all right at first glance, e.g. onlne.mbank.pl instead of online.mbank.pl.
It is easy to overlook such a typo; thus, browsing a fake domain and entering your online account login information can be disastrous.