Google estimates that more than 12.3 million people fall victim to phishing every year. Although the first phishing attacks were recorded at the end of the last century and the traditional methods are gradually falling out of use, this kind of cyber fraud still poses a serious danger to both individuals and companies.
To minimize the risk of becoming a victim of phishing, it is worth understanding this type of cyber fraud in detail.
What is phishing?
In the vast majority of cases, phishing is the mass distribution of emails sent in the name of fairly well-known companies. Such messages usually contain a link to a site that, on a cursory look, is indistinguishable from the real one. Once the user has been tricked (scammers use a variety of pretexts) into entering confidential information into the appropriate fields, the cybercriminals gain access to their accounts.
How it all started
The first mention of phishing, connected with AOL, dates from 1996.
Fraudsters posing as employees of the media company asked users for their account passwords and, once they had access, used the accounts to send spam. Attacks on payment systems began in the early 2000s, and in 2006 cyber scammers reached MySpace, stealing users' registration data.
Since phishing attacks can target both individuals and companies, the goals pursued by the scammers also differ.
In the first case, the goal is to obtain logins and passwords, as well as account numbers, for banking services, payment systems and social networks. Phishing attacks are also often used to install malicious software on a potential victim's computer.
Cashing out the accounts that scammers have gained access to is technically rather complicated, and a person involved in such operations is much easier to catch.
So, having obtained the confidential data, the fraudster in the vast majority of cases simply sells it to others who have proven methods of withdrawing funds from accounts. When a phishing attack targets a company, the priority is to gain access to one employee's account and then use it to attack the company as a whole.
Phishing methods and schemes
Social Engineering Method
Here scammers, posing as employees of well-known companies, tell the potential victim that their personal data must be updated or provided, usually citing a system failure or data loss as the reason.
The scheme exploits the fact that people react to significant events, so the organizers of a phishing attack try to agitate the user as much as possible and push them into taking the action the scammers need immediately. It is generally accepted that a subject line such as "to restore access to the account, follow the link …" catches the user's attention and prompts a click.
This scheme, in which scammers send an email in the name of a well-known company asking the recipient to follow a link, is the most common, and it allows millions of spam emails to be sent within an hour. To steal personal data, phishing sites are created that at first glance look no different from the real ones. In the vast majority of cases they use domains that differ from the real one by literally a single character.
In a targeted variant, the attack is not mass-mailed but aimed at a specific person. Such a scheme is typically used to bypass a company's defences and carry out a targeted attack. The scammers first study potential victims through social networks and other services, and tailor their messages accordingly to make them more convincing.
A similar method is used in phishing attacks on top managers and company executives; to build the fullest possible picture of a potential victim's personal qualities, scammers spend a lot of time looking for the most suitable way to steal confidential information.
Often phishing attacks are used not to steal personal data but to harm a particular group of people. For this, a link is placed in the phishing message; clicking it downloads a malicious program to the victim's computer, giving the attacker full control over it.
In a relatively new method, scammers obtain personal data through official websites. Here the address of the company's official website is spoofed on the DNS server and the user is automatically redirected to a fake site. This is much more dangerous than traditional methods, since the substitution is simply impossible to see. eBay and PayPal have already suffered from this scheme.
In another variant the telephone is used: a notification-style letter gives a phone number that must be called to fix the "problem". Then, during the call itself, the scammers ask the user to provide identification data so that the issue can be resolved as quickly as possible.
How to protect yourself from phishing
First of all, learn to recognise phishing yourself: when you receive a letter asking you to "verify" your account, contact the company directly to confirm that the message is genuine.
Rather than using the hyperlinks, type the company's URL into the browser manually. Most messages from real services contain information that a beginner phisher would not have, such as your name or the last digits of your account number, although this only slightly reduces the risk. Note that a link to a phishing site may also arrive in a message from a friend whose account has been hacked.
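As an added example (not from the original article), a small Python checker for the links in an incoming message that flags the tricks described above: a domain one character away from a real one, look-alike digits standing in for letters, and a real brand name buried in a subdomain of an unrelated domain. The trusted-domain list and the sample message are constructed for the demonstration.

```python
import re
from urllib.parse import urlparse

# Constructed allow-list: domains the organisation knows to be genuine.
TRUSTED = {"paypal.com", "ebay.com"}
# Digits and letter pairs commonly used to imitate other characters.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
URL_RE = re.compile(r"https?://[^\s\"'<>()]+")

def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(url: str) -> str:
    """Verdict for one link, checking the most specific tricks first."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    if not host:
        return "invalid"
    labels = host.split(".")
    if ".".join(labels[-2:]) in TRUSTED:  # registrable part, e.g. paypal.com
        return "trusted"
    label = labels[-2:][0]  # second-level label, e.g. "paypa1" in paypa1.com
    normalised = label.translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")
    for brand in (t.split(".")[0] for t in TRUSTED):
        if brand in labels[:-2]:  # real brand name buried in a subdomain
            return "brand-as-subdomain"
        if normalised == brand:  # look-alike characters, e.g. paypa1.com
            return "homoglyph"
        if levenshtein(label, brand) == 1:  # one edit away, e.g. paypall.com
            return "one-char-lookalike"
    return "unknown"

def scan_email(text: str) -> list:
    """Extract every http(s) link from a message body and classify it."""
    return [(u, classify(u)) for u in URL_RE.findall(text)]

# Constructed sample message for a stand-alone run.
SAMPLE = ("Restore access: https://paypal.com.account-check.example/login or "
          "https://paypa1.com/verify (mirror https://paypall.com/); "
          "help: https://www.paypal.com/help and https://example.org/news")

if __name__ == "__main__":
    for url, verdict in scan_email(SAMPLE):
        print(f"{verdict:20} {url}")
```

Only the "trusted" verdict should be followed without further checks; everything else deserves the manual URL entry the article recommends.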
Technical methods for minimizing risks
Many browsers already warn users about phishing threats, maintaining their own lists of such sites. Mail services also fight back by improving spam filters and analysing phishing emails. Large companies, to minimize risk, make authorization procedures more complex and improve the protection of personal data.
Information security expert Mikhail Tereshkov of JSC ER-Telecom Holding gives several fairly simple but effective methods of protection against phishing. Pay special attention to whether the site has a security certificate, indicated by https in its address, and change the router's default passwords. When making purchases, it is better not to use public Wi-Fi, and when paying in an unfamiliar online store you should first find out more about it.
Given that cyber attacks have long been part of our lives, qualified protection against cybercriminals has become one of the main tasks of the corporations that develop e-commerce services; ordinary users, however, should not forget the measures that can minimize their own risk of falling into criminals' traps.