Phishing – what is it and how not to get caught?

Although the Internet and new technologies offer us a lot of benefits, they also come with their own set of dangers. Among them are hacking attacks. Both companies and private individuals can become victims. In order not to be wise after the event, it is worth being aware of potential threats and knowing how to prevent them.

What is phishing?

One of the most common methods used by cybercriminals to steal sensitive data, such as logins, passwords, credit card numbers, or personal identification numbers, is phishing.

This method involves criminals impersonating well-known companies and institutions in an attempt to persuade the victim to give up their personal data by using an appropriate “bait”, usually in the form of false e-mails and text messages.

What does it look like in practice? Phishers send out messages containing a link to their own website. The catch is that this site closely resembles the real website of the company or institution that is supposedly the sender of the message. The victim, on opening such a site, does not even suspect that they have become the target of a cybercriminal, and willingly enters their data, for example by logging into what looks like their online banking account.

This is the simplest yet most dangerous and effective type of cyber-attack. It does not focus on using advanced technologies, but on attacking the most vulnerable spot – the human brain.

Types of phishing attacks

As phishing is becoming more prevalent, new variants appear.

What are the most common types of phishing attacks?
  1. Spear phishing, or attacks targeting specific people. They are carried out after thorough reconnaissance and analysis of the target's online activity, including contact lists on social networks or comments made on forums. These attacks are highly personalized and therefore very dangerous: the personalization makes it possible to catch the victim off guard and obtain exceptionally sensitive data.
  2. Whaling – a type of personalized attack, targeting people who hold top positions in companies and thus have access to the most sensitive data.
  3. Clone phishing – attacks based on cloning a real e-mail message and replacing the original link in it with a link created by criminals to phish for data. A person who is sure that they are receiving a message from a trusted source, without much thought, follows the link and falls prey to hackers.
  4. Smishing – uses messaging apps or SMS to send messages to mobile phones encouraging users to click on dangerous links, often under the guise of participating in some sort of contest and winning an attractive prize.
  5. Vishing – an attack carried out via voice calls. During a conversation, hackers impersonate a company or institution and pretend to be offering help, informing the caller that they have just become a victim of cybercriminals. The frightened person, wanting to protect themselves from the attack, gives their sensitive data and indeed becomes a victim of hackers.

Phishing in numbers

There are many scenarios of phishing attacks, so everyone is exposed to them – both in their private life and at work. Even the biggest giants have fallen prey. In 2017, as the result of attacks on the accounting departments of Google and Facebook, more than 100 million dollars ended up under the control of hackers.

According to market data, phishing is still one of the most common threats. In 2020 alone:
  • There were over 32,000 phishing domains (Orange CERT report, 2020),
  • The number of phishing attacks increased by 220% in comparison to the previous year (F5 Labs report, 2020),
  • As many as 72% of phishing websites used valid HTTPS certificates (F5 Labs report, 2020),
  • Over 50% of phishing sites used the names of existing brands and identities of real people in their web addresses (F5 Labs report, 2020),
  • The CERT Poland team recorded 10,420 cyber security incidents, 73% of which were phishing attacks (Orange CERT report, 2020).

Prevention is better than cure – how not to get "caught"

To stay one step ahead of hackers and not expose yourself to potential attacks, it is important to take preventive measures.

The most popular approach recommended to all businesses, regardless of size or industry, is phishing tests. Such controlled attempts to obtain confidential information or persuade employees to perform certain actions, which may affect company security, are carried out on a specific group of employees. The main goal is to check the level of awareness and resistance to cyber-attacks and ultimately increase the organization’s security.

During the audit, specially prepared and personalized messages are used. All work is done in a controlled way, guaranteeing the confidentiality of data and security of the working environment. Those ordering the audit are notified in advance about the tests and their scenarios so that they can easily distinguish a phishing test from a potential real threat.

While phishing tests are a great solution, it is also a good idea to be cautious and apply the rule of limited trust.

Here are some tips that you should follow to ensure your safety and peace of mind.
• Avoid clicking on links from unknown sources, and verify the senders of incoming messages.
• Do not share your logins and passwords with anyone.
• Install anti-virus software and use anti-spam filters.
• Always check if the website you are viewing is using the HTTPS protocol, but remember that HTTPS alone does not prove a site is genuine: as the figures above show, 72% of phishing websites in 2020 used valid certificates, so check the domain name as well.
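As an added example (not code from the original article), the following Python filter applies two of the checks above to a constructed sample e-mail: it verifies that the sender's domain and every link target really belong to the brand they name, and it flags anchors where the visible URL differs from the real target, which is exactly the link swap used in clone phishing. The brand allow-list (BRAND_DOMAINS), the sample From: header and the sample HTML are assumptions constructed for this example.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed allow-list for this example: brand keyword -> domains the brand really owns.
BRAND_DOMAINS = {"examplebank": {"examplebank.com"}}

# Simplified anchor matcher; a real mail filter would use a proper HTML parser.
ANCHOR_RE = re.compile(r'<a\s[^>]*href=["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.I | re.S)

# Constructed sample message: the visible link looks genuine, the real target does not.
SAMPLE_FROM = "Example Bank Security <alerts@examplebank-secure.net>"
SAMPLE_HTML = """<p>Please confirm your account at
<a href="https://examplebank.com.verify-login.net/">https://www.examplebank.com/login</a>
or read our <a href="https://www.examplebank.com/help">help page</a>.</p>"""


def _host(value):
    """Lower-cased hostname of a URL or bare domain ('' if none)."""
    return (urlparse(value if "://" in value else "http://" + value).hostname or "").lower()


def brand_lookalikes(host):
    """Brands whose name appears in host although host is not one of their domains."""
    return [b for b, owned in BRAND_DOMAINS.items()
            if b in host and not any(host == d or host.endswith("." + d) for d in owned)]


def check_sender(from_header):
    """Flag a From: address whose domain borrows a brand name (sender check)."""
    host = parseaddr(from_header)[1].rsplit("@", 1)[-1].lower()
    return [("sender_lookalike", b, host) for b in brand_lookalikes(host)]


def check_links(html):
    """Flag anchors whose visible URL differs from the real target (the clone-phishing
    trick) and targets that carry a brand name on a domain the brand does not own."""
    findings = []
    for href, text in ANCHOR_RE.findall(html):
        target, shown = _host(href), re.sub(r"<[^>]+>", "", text).strip()
        if re.match(r"(https?://|www\.)", shown, re.I) and _host(shown) != target:
            findings.append(("display_mismatch", _host(shown), target))
        findings += [("brand_lookalike", b, target) for b in brand_lookalikes(target)]
    return findings


if __name__ == "__main__":
    for finding in check_sender(SAMPLE_FROM) + check_links(SAMPLE_HTML):
        print(*finding)
```

Run as a script it prints one line per finding; for the sample message that is the look-alike sender domain, the mismatch between the shown and real link, and the brand name used on a foreign domain, while the genuine help-page link is left alone.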

There is probably nothing more valuable in the modern world than information. That is why data theft is becoming more common every year, and the methods used by criminals are becoming increasingly sophisticated. The use of appropriate preventive measures and building awareness about cyber security will not only protect you from potential attacks but also, should they happen, let you quickly locate the risk and minimize the consequences.
