Recently in our magazine we talked about IT security in the company and the typical mistakes to avoid. Today we return to the subject because we are fresh from a phishing case committed against one of our clients. It is a good opportunity to deal with the topic in its full breadth and complexity: there is not only one type of phishing.
The attack methods are many and range from the most sophisticated to the simplest. But let's start with the definition: what exactly is meant by phishing? The etymology is debated (the most common account is that the "f" of "fishing" became "ph" in the style of "phreaking", the old telephone-hacking slang; other pseudo-etymologies circulate). What is certain is that phishing alludes to fishing: a bait is dangled in front of the chosen victim, over the web or another channel, and the attacker waits for the bite. The reason for this stratagem?
The primary goal of phishing is to steal data: personal information, login credentials, payment details and so on. The tools vary and include emails, websites, text messages and phone calls. Over the years we have handled dozens of such cases, first quantifying the damage, then changing passwords and recovering whatever data could be recovered.
The worst part is that in many cases the fraud has already been completed by the time the victim notices (money transferred out of the PayPal account, a prepaid card emptied, and so on), which is why the most useful work is making sure the scenario does not repeat itself. So let's look at five practical types of phishing and a recent case study.
1. Emails Disguised As Genuine
Stealing a user's credentials is easier than it looks: just ask for them by email. Not directly, of course, but with a small deception. This is email phishing, the same variant we will see in the final case study. In practice the victim receives a message in their mailbox, opens it, and fills in a form, downloads an attachment or takes some other action. That action either is the theft itself (the form sends the credentials straight to the attacker) or is the prerequisite for the next step of the scam (the attachment or link leads to the real trap). A good spam filter helps, but it is not always enough.
2. Bogus Bank SMS And Smishing
Same method, different channel: when the dear old SMS replaces email as the delivery tool, phishing becomes smishing, a technique based on text messages carrying a malicious message for the victim. The bogus bank SMS is the most common: a few lines of text asking you to click a link or reply with your details, and the trap is set. Keep in mind that SMS offers no sender authentication at all: the sender name shown on the phone can be chosen freely by whoever sends the message, so a text that lands in the same thread as genuine messages from your bank proves nothing about who actually sent it.
But the bank is not the only protagonist of smishing. Financial institutions, insurance companies, pension funds and even the FBI (yes!): the assumption that whoever knows our number must be worthy of trust dies hard ...
3. Counterfeit Sites, Landing Pages (The Page Where The Information Is Entered) Or E-Commerce
The less direct but more subtle technique is the counterfeit site, where by "site" we mean landing pages, e-commerce shops and web pages in general. The attacker builds a faithful copy of the original (it happened for a while with PayPal): users log in in good faith, perhaps having confused a .it domain with the .com, enter their credentials and believe they are managing their account as usual. Meanwhile their data is stored and later replayed against the real portal, with all the consequences we can imagine. Any advice? Look carefully at the site's URL, which should be at least recognisable and accompanied by the padlock (TLS certificate). Be aware, though, that the padlock only proves that the connection to that site is encrypted, not that the site is the one you think it is: counterfeit sites obtain free certificates just as easily as real ones, so the padlock is necessary but far from sufficient. The part of the address that counts is the domain right before the first slash, read from the end: paypal.com.something.net belongs to something.net, not to PayPal.
4. Manipulated Links Inside Newsletters Or Emails
Ever received a newsletter you don't remember subscribing to? Or an email from a stranger presenting themselves as a business partner or as a buyer for something you are selling (think of listings on Subito or eBay)? Then you have already seen an artfully manipulated link up close. Here too a single click is enough to fall into the spider's web: what follows varies, from filling out a form to landing on a malicious page (point 3). The usual trick is that the visible text of the link says one thing while the underlying address goes somewhere else; hovering over the link (or long-pressing it on a phone) reveals the real destination before you click. As you can guess, phishing techniques are often combined, which makes them even more effective against those who are not cautious enough.
5. Telephone Calls (Vishing) And Social Engineering
Phishing might seem limited to the written digital channels (email, websites, etc.), but that is not the case: telephone fraud has always existed and still does, and it has evolved into what is called social engineering. Vishing, the technical name, deceives the victim by telephone, for example by posing as a call centre (of the usual bank or the usual insurance company). The purpose, as with social engineering in general, is to collect useful data and then exploit it illegally. Here is our post on the subject, published on LinkedIn.
The Case Study Of A Phishing Attack (And How To Defend Yourself)
And so we come to our case study, which happened to a client on 1 December 2020. The attack unfolded as follows:
- The client received an email from a known contact (in reality from a replica of the contact's email address)
- The message asked the recipient to review a shared court order
- To access the file, the victim had to open it and then click the link inside the PDF
- The trap springs: the user sees a pop-up appear asking them to enter their credentials in order to read the PDF. This is the tell: no genuine document needs your email or account password to be opened, and a login prompt that appears after clicking a link in an attachment is a request for credentials, not a security check.
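The checks that points 3 and 4 and the case study above call for (is the sender's domain a lookalike of a contact we know? does the link's visible text hide a different destination? is the destination a lookalike of a brand we care about?) can be automated as a first triage pass. The script below is an added example, not code from the original article or from the company that wrote it. It uses only the Python standard library; the address book (KNOWN_CONTACTS), the brand list (KNOWN_DOMAINS), the names and the sample message are all constructed for the demo and are assumptions, not data from the case. The same check_link() call applies to a URL pulled out of a PDF attachment, as in the case study, because the check does not care where the link came from.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical address book and brand list (constructed for this example).
KNOWN_CONTACTS = {"mario.rossi@example-law.it": "Mario Rossi"}
KNOWN_DOMAINS = {"paypal.com", "example-bank.it"} | {
    addr.rpartition("@")[2] for addr in KNOWN_CONTACTS}
HOMOGLYPHS = str.maketrans("0135", "oles")   # crude: paypa1 -> paypal
URL_IN_TEXT = re.compile(r"(?:https?://)?([\w-]+(?:\.[\w-]+)*\.[a-z]{2,})", re.I)


def registrable(host):
    """Naive registrable domain: last two labels (no public-suffix list)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def lookalike_of(host, known=KNOWN_DOMAINS):
    """Known domain that `host` imitates (TLD swap, digit homoglyph, brand used as
    a sub-label or hyphenated label), or None for a genuine or unrelated host."""
    host = host.lower().rstrip(".")
    reg = registrable(host)
    if reg in known:
        return None                      # the real domain or a subdomain of it
    reg_name, labels = reg.split(".")[0], host.split(".")
    for k in known:
        name = k.split(".")[0]
        if reg_name == name:                                      # paypal.it
            return k
        if reg_name.translate(HOMOGLYPHS) == name.translate(HOMOGLYPHS):
            return k                                              # paypa1.com
        if any(lab == name or lab.startswith(name + "-") or lab.endswith("-" + name)
               for lab in labels):
            return k                     # paypal.com.secure-login.net, paypal-verify.com
    return None


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_link(href, text):
    """Findings for one link: lookalike host, or visible text naming a different domain."""
    findings, host = [], (urlparse(href).hostname or "").lower()
    if not host:
        return findings                  # mailto:, relative links, etc.
    target = lookalike_of(host)
    if target:
        findings.append(f"link host {host} imitates {target}")
    m = URL_IN_TEXT.search(text)
    if m and registrable(m.group(1)) != registrable(host):
        findings.append(f"link text shows {m.group(1)} but href goes to {host}")
    return findings


def check_sender(from_header):
    """From: findings: lookalike domain, or a known contact's display name on another address."""
    name, addr = parseaddr(from_header)
    addr, findings = addr.lower(), []
    target = lookalike_of(addr.rpartition("@")[2])
    if target:
        findings.append(f"sender domain {addr.rpartition('@')[2]} imitates {target}")
    for known_addr, known_name in KNOWN_CONTACTS.items():
        if known_addr != addr and name.lower() == known_name.lower():
            findings.append(f"display name '{name}' belongs to {known_addr}, not {addr}")
    return findings


def triage(raw_eml):
    """Run the sender and link checks over a raw single-part HTML message."""
    msg = message_from_string(raw_eml)
    findings = check_sender(msg.get("From", ""))
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8", "replace")
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        findings.extend(check_link(href, text))
    return findings


# Constructed sample modelled on the case study: "known contact", swapped TLD, hidden link target.
SAMPLE_EML = """\
From: Mario Rossi <mario.rossi@example-law.com>
Subject: Court order - please review
Content-Type: text/html; charset=utf-8

<p>Please review the shared court order:
<a href="https://example-law.it.docs-view.net/order.pdf">https://example-law.it/order.pdf</a></p>
<p><a href="https://example-bank.it/login">Online banking</a></p>
"""

if __name__ == "__main__":
    print(*triage(SAMPLE_EML), sep="\n")
```

Run as a script it prints four findings for the sample: the sender domain example-law.com imitates example-law.it, the display name "Mario Rossi" belongs to a different address, the link host imitates example-law.it, and the link text shows example-law.it while the href goes to docs-view.net; the genuine example-bank.it link produces nothing. The heuristics are deliberately simple (the registrable-domain logic ignores the public-suffix list, and the homoglyph table only covers a few digits), so treat a hit as a reason to look closer, not as proof, and a clean result as no guarantee.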
If you want to protect yourself and mitigate the effects of these attacks, we recommend that you:
- Use reliable, professionally managed email systems with spam and phishing filtering
- Keep your software and programs up to date (also thanks to our Managed Security Service)
- Enable two-factor authentication on email and banking accounts, so that a stolen password alone is not enough to get in
- Never provide personal information or credentials in response to an unsolicited request, whether by web, email or telephone; if in doubt, contact the organisation through a channel you already know (the number on your card, the address you normally use), not the one offered in the message