What is Phishing?
It is a type of cyberattack where someone masquerades as another person, company, or entity, intending to take personal information, passwords, access keys, or sometimes your money directly.
The two keys to this attack are:
Achieving a convincing imitation that lures the victim and generates trust.
Generating a sense of urgency that provokes a quick, unthinking response.
Types of Phishing
Phishing by Email: A fake email that tries to copy those sent by a real company or person. It demands information or contains a link to a fake page or to malware.
Spear phishing: Targeted emails sent directly to an important person in an organization, with the aim of obtaining confidential information or money, or infecting their system with malware.
Link manipulation: A link that leads to a fake copy of a real website, which asks the victim to log in or enter bank/card details so that they can be captured.
Whaling (CEO con): Impersonating a company's CEO to obtain confidential information or money from other employees or companies.
Content injection: The attacker injects code into an official website so that visitors are tricked through a pop-up window or redirected to an external website.
Malware: Users are lured into downloading a file containing malware, which then steals files, information, and passwords, or encrypts every file on the system.
Smishing: The same trick via SMS, luring users to fake websites with commercial promotions or government alerts.
Vishing: The attackers use software to change their voice and leave a voice message telling the victim to call a phone number where they will be scammed. Voice changers are also used during live calls to disguise the attacker's accent or gender so they can impersonate someone else. Now AI is also used to clone the voice of family members and ask for money in supposedly urgent circumstances.
Malicious twin Wi-Fi: By impersonating a free Wi-Fi network, attackers trick users into connecting to a malicious access point and then perform man-in-the-middle attacks.
Pharming: A two-phase attack used to steal account credentials. In the first phase, malware is installed on the victim's machine and redirects them to a fake browser and website where they are tricked into divulging their credentials. DNS poisoning is also used to redirect users to fake domains.
Angler phishing: On social networks, attackers reply to messages posing as an official organization and trick users into divulging account credentials and personal information.
Watering hole: A compromised site offers endless opportunities. An attacker identifies a site used by many of the targeted users, exploits a vulnerability in that site, and uses it to trick visitors into downloading malware. With malware installed on victims' computers, the attacker can redirect them to fake websites or push a payload into the local network to steal data.
How to identify it?
For websites, the best option is to check the URL carefully. Many fake sites copy the original name but change a character or hide the real name in a subdomain. It is also worth checking whether the site has a digital certificate. I recommend using this website to see when a domain was created. Be suspicious of any recently created page!
For emails and messages, the best option is to check every link carefully before clicking. If they ask for something very urgently, it is most likely a trap, especially if it comes from your boss 🤫; we all know a good boss would never ask for something urgently.
If a family member, co-worker, or close friend contacts you via WhatsApp or calls to ask for money urgently, first make sure it really is that person, using shared memories, information, or a password that only the two of you know. Voice is no longer a safe way to verify identity. If they are cousins or ex-partners, it is better not to trust them, even if they are real!
In general, attackers will always seek to generate trust by usurping the identity of a company, entity, or person, and then ask for money very urgently to prevent any reflection or verification.
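To make the URL checks above concrete (a swapped look-alike character, the real brand hidden in a subdomain, a one-letter typo, and a link without HTTPS), here is an added Python example that is not part of the original post. The trusted-site list is a constructed assumption, and the domain splitting is a deliberate simplification of what a real tool would do with the public suffix list.

```python
from urllib.parse import urlparse

# Constructed allow-list of sites the reader actually uses (an assumption of this example).
TRUSTED = {"amazon.co.uk", "ebay.co.uk", "argos.co.uk", "etsy.com"}

# Digits that pass for letters at a glance: the "change any character" trick.
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

def registered_domain(host):
    """Simplified 'brand.tld' extraction: keeps three labels for co.uk-style suffixes.
    A production tool would consult the public suffix list instead."""
    labels = host.lower().rstrip(".").split(".")
    keep = 3 if len(labels) >= 3 and labels[-2] in {"co", "org", "ac", "gov"} else 2
    return ".".join(labels[-keep:])

def edit_distance(a, b):
    """Levenshtein distance, to catch one-letter typos such as 'amazom'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_url(url):
    """Return a list of warnings for a URL; an empty list means nothing looked wrong."""
    parts = urlparse(url if "://" in url else "https://" + url)
    host = (parts.hostname or "").lower()
    domain = registered_domain(host)
    warnings = []
    if parts.scheme != "https":
        warnings.append("no HTTPS: the site is not presenting a certificate for this host")
    if domain in TRUSTED:
        return warnings                  # the real site, or a genuine subdomain of it
    sub_labels = host.split(".")[:-len(domain.split("."))]
    for good in sorted(TRUSTED):
        brand = good.split(".")[0]
        if any(brand in label for label in sub_labels):
            warnings.append(f"'{brand}' is only a subdomain; the real owner is {domain}")
        elif brand in domain:
            warnings.append(f"{domain} contains '{brand}' but is not {good}")
        elif domain.translate(LOOKALIKES) == good:
            warnings.append(f"{domain} uses look-alike characters to imitate {good}")
        elif edit_distance(domain, good) <= 2:
            warnings.append(f"{domain} is a near-miss of {good} (typo-squatting)")
    return warnings
```

Run `check_url` on every link in a suspicious message before clicking; a genuine `https://www.amazon.co.uk/...` link returns no warnings, while `http://amazon.co.uk.account-verify.example/login` is flagged twice.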
How to avoid it?
Apart from refusing any urgent request for money, avoid giving out any personal details. If you are not completely sure, ask other people about it first. One common scam in the UK was a call telling victims that there were problems with their taxes and that they had to pay urgently to avoid immigration problems.
When browsing websites, avoid giving out card details unless you are 100% sure about the site and its security. This is a big blow to small e-commerce shops, but they are more likely to be hacked than big ones like Amazon, eBay, Argos, or Etsy. Also make sure the website is legitimate: the more important a website is, the more attackers will try to imitate it.
When downloading software, use the official distribution channels. Only that way can you be almost sure that it does not bring any malicious software with it.
Furthermore, avoid answering any suspicious message or clicking any link inside it; the same goes for unknown websites, applications, and almost any pop-up window.
Finally, try to avoid using public Wi-Fi networks. If you do use one, verify that it is legitimate and that there is no other network with a similar name. While connected, avoid providing sensitive information, making any form of payment, or accessing banking applications. You'd be surprised how cheap it is to set up a fake Wi-Fi network under the Starbucks name at a tourist spot just to steal information. And don't steal your neighbor's Wi-Fi either if you suspect he has advanced computer skills!
What if I have already been a victim?
Once your information reaches an attacker, it will most likely be shared with other fraudsters. The first thing to do is to work out what information may have been compromised, then change passwords, cancel cards, and verify that two-step verification is enabled on your accounts. Reporting the incident, where possible, is an important step in preventing future scams. In the UK, this can be done through the National Cyber Security Centre.
You are likely to receive vishing and smishing messages, new phishing emails, and voice calls. Stay alert, and warn family and friends, as the attackers may use the information they obtained to try to defraud them too.