What is phishing and how does it work?

Phishing is a commonly used method of fraud aimed at obtaining sensitive user information, such as passwords, credit card data, personal information, access codes, or anything else that might be useful to the attacker.
Hackers go after any interesting or valuable data, which can then be resold. Some people make their living off illegal schemes like phishing, committing fraud as a full-time job.
Victims of phishing can suffer in many ways. The effects range from simply losing access to your social media account to something far more severe, such as massive losses of corporate data with no hope of recovery (if the phishing attack was carried out against a company).

What are the types of phishing?

Phishing comes in many forms, adapting to the hacker’s target and method of attack. The attacks might be directed at any ordinary individual, or the target could be the “big wigs” who make decisions at large companies.

Phishing can be broken down into several categories:

  1. Traditional phishing – messages containing links to fake or infected websites
  2. Vishing – a phishing attack using phone calls
  3. Smishing – an attack by text message
  4. Pharming – covertly redirecting a user to an infected website without their knowledge
  5. Phishing on social media

Let’s take a closer look at what phishing attacks actually look like. A very common phishing attack is a fake email sent to the victim’s personal or work inbox. The email might look like an official letter from a payment processor or financial institution, or like a message about winning a lottery or about discounts and promotions at a popular store. The email may also claim that an attempt to access your data has been detected, or that suspicious activity or fraud has been found in your account, and request that you change your password immediately. The email will contain a form for entering personal data (PIN codes, login and password, etc.) or a link to the web page where this form is located. In such cases, hackers play on your emotions: happiness, curiosity, or fear.

How do you avoid getting caught in the hacker’s trap?

The best protection is to always be attentive. Check the emails that come to you. Verify the sender’s address (especially if the email claims to be from a representative of a company; take the time to go to the company’s website and verify the sender there). Hover over each link in the email and check whether a different address is displayed than the one shown in the text. Also, be careful if there are no links displayed in the email at all and they are instead embedded in the form of buttons, pictures or QR codes. In general, do not click mindlessly on the links contained within an email, do not click on attached pictures (they may hide viruses) and do not open attached files, unless you are certain you can trust the email.

Links in phishing emails redirect to phishing sites. These are fake sites made as a copy of a legitimate site and created specifically to steal the user’s data. Common examples include copies of bank or payment service websites, postal services, login pages for various sites, etc.

There are a few signs to tell if the site you’ve visited is fake.

  • The first step is to check the URL – you may see HTTP instead of HTTPS in the site’s URL. However, technology has progressed and many fake sites work on HTTPS, so this criterion is not foolproof and you should not rely solely on it.
  • The second step is to carefully check the URL of the site for typos and changes to words that you may not notice at first glance. For example, https://www.microsotf.com instead of https://www.microsoft.com. Also pay attention to the domain name: https://www.microsoft.t.com instead of https://www.microsoft.com. If in doubt, find the original site in a search engine and compare the addresses – this will help you understand whether your link is legitimate.
  • In addition, take a closer look at the layout of the site (font, color, margins, spelling errors); perhaps the scammers were too lazy to spend time on a good copy of the site.
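As an added example (not part of the original article), here is a small Python script that applies the hover check from the previous section and the URL checks from the list above mechanically: HTTP instead of HTTPS, a look-alike domain such as microsotf.com, and a trusted name hidden in a subdomain such as microsoft.t.com. The trusted-domain list, the 0.8 similarity threshold and the two-label rule for the registrable domain are assumptions made for this example.

```python
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Constructed allow-list of domains the user actually has accounts with.
# These are sample values for this example, not from the original article.
TRUSTED_DOMAINS = ("microsoft.com", "paypal.com", "example-bank.com")


def registrable_domain(host):
    """Return the part of a host name that was actually registered.

    Simplification (assumption): take the last two labels, so
    'login.microsoft.com' becomes 'microsoft.com' and
    'www.microsoft.t.com' becomes 't.com'. Multi-part public suffixes
    such as 'co.uk' are not handled here.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_url(url, trusted=TRUSTED_DOMAINS):
    """Apply the URL checks from the article and return a list of warnings.

    An empty list means none of the red flags fired; it does not prove
    the site is genuine.
    """
    warnings = []
    parsed = urlparse(url)
    host = parsed.hostname or ""

    # Check 1: HTTP instead of HTTPS (a weak signal, but still worth noting).
    if parsed.scheme != "https":
        warnings.append("not HTTPS")

    if not host:
        warnings.append("no host name in URL")
        return warnings

    domain = registrable_domain(host)
    if domain in trusted:
        return warnings  # e.g. login.microsoft.com -> microsoft.com

    # Check 2: a trusted brand name appears only as a subdomain of
    # somebody else's domain (microsoft.t.com -> registrable domain t.com).
    for real in trusted:
        brand = real.split(".")[0]
        if brand in host:
            warnings.append(
                f"host contains '{brand}' but the registrable domain is "
                f"{domain!r}, not {real!r}"
            )
            return warnings

    # Check 3: typo-squatted domain (microsotf.com vs microsoft.com).
    # The 0.8 threshold is an assumption chosen for this example.
    best = max(trusted, key=lambda real: SequenceMatcher(None, domain, real).ratio())
    ratio = SequenceMatcher(None, domain, best).ratio()
    if ratio >= 0.8:
        warnings.append(f"{domain!r} looks like {best!r} (similarity {ratio:.2f})")
    else:
        warnings.append(f"{domain!r} is not a trusted domain")
    return warnings


def link_text_mismatch(display_text, href):
    """Hover check: True when the visible link text names one site but the
    real target (the href) leads to a different registrable domain."""
    shown = display_text if "://" in display_text else "https://" + display_text
    shown_host = urlparse(shown).hostname or ""
    if "." not in shown_host:
        return False  # plain words such as "Click here" cannot be compared
    target_host = urlparse(href).hostname or ""
    return registrable_domain(shown_host) != registrable_domain(target_host)


if __name__ == "__main__":
    # Constructed sample links, as they might appear in a suspicious email.
    for url in ("https://login.microsoft.com/", "http://www.microsoft.com/",
                "https://www.microsotf.com/", "https://www.microsoft.t.com/"):
        print(url, "->", check_url(url) or "no red flags")
    print(link_text_mismatch("www.paypal.com",
                             "https://paypal.com.secure-login.example/"))
```

The script deliberately separates the subdomain case from the typo case: a host that contains a trusted brand name but resolves to another registrable domain is flagged outright, while a domain that merely resembles a trusted one is reported with its similarity score so the user can judge. Internationalized look-alike characters (homoglyphs) are not covered by this string comparison.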

Phishing calls

These are calls from fake bank employees who report suspicious transactions on your cards and ask you to read out the verification code from your text message or the CVV code on your card. You might also receive calls advertising promotions or sales that ask for your card details as prepayment – this is also a phishing scheme.

Phishing text messages

This is a simplified version of phishing emails. Sometimes, simpler is better – text messages leave less room for a scammer to make mistakes. Such messages are short, concise and raise less suspicion than emails. Smishing works similarly to traditional phishing: you receive a message that there is something wrong with your data or your card and are asked to call a number; if you call back, the scammer then has an opportunity for vishing. A text message can also contain a link designed to steal your data or reset your credentials – do not click the link!

Phishing on social media

Phishing on social media looks just like the other types we have discussed – it plays on emotions. All such methods of influencing people are called social engineering, that is, methods of psychological manipulation that get people to perform the actions the attacker wants or to divulge confidential information. You may receive a message claiming that the attacker has obtained photos or videos of you committing inappropriate or illegal acts. The attacker may then demand a ransom to delete this material, or send a link supposedly showing it; when you open the link you will find nothing, but your device will be infected. Social engineers can also message you posing as the administrator of a group you are a member of and inform you that you have won a prize, but that you need to pay shipping or some other fee to receive it – this can also be a trap! And the most common case, which many will have faced, is unexpected messages from your friends asking to borrow money, to pay for treatment, etc. Of course, such messages are not always a lie, but it is better to call the person and check.

We will separately discuss how companies are targeted by phishing attacks to obtain confidential customer information or to undermine the company’s credibility.

The attack can be carried out through an inattentive employee. All the methods listed above work here, allowing attackers to gain access to individual corporate accounts and other important information. This is quite common: the news very often carries reports like “There was a leak, this company’s data has been compromised … As explained by representatives of the company, the cause of the incident was ‘human error.’” This makes our conclusion easy: the safety and well-being of the company depends on the awareness and responsible attitude of each employee. That is why companies need to conduct information security training, so that such situations do not happen.

In addition to gaining access to corporate accounts, attackers like to infect systems with ransomware or other Trojans through phishing emails. Once on the computer, the ransomware encrypts its contents, after which the scammers demand a ransom to restore access to the information.

There are also keyloggers – malware that records what you type on your keyboard. These programs collect a lot of data, such as passwords, access codes, correspondence and much more.

What should we do?

We talked about what phishing attacks can look like and how to avoid becoming a victim. However, if you could not avoid the attack and the scammers managed to entrap you, run your antivirus on the device and change the compromised password as soon as possible. If that password was used in several places, change it everywhere – but this time, make each password different, because passwords should not be reused. Remember that! Enable two-factor authentication wherever possible. If you have disclosed your card details to an attacker, call the bank using its verified phone number and ask them to block the card.

In conclusion, we would like to emphasize again that phishing attacks are common and widespread, and anyone can fall victim to them. A successful phishing attack has many unpleasant consequences. To avoid all this, you just need to be responsible when working on your computer and observe the basic rules of online security.