What is phishing and how it can rob you of money and secrets
Tips / Technologies / December 28, 2020
What is phishing and how dangerous it is
Phishing is a common type of cyber fraud aimed at compromising accounts and taking control of them, or at stealing credit card data or any other confidential information.
Most often, cybercriminals use email: for example, they send letters on behalf of a well-known company, luring users to a fake copy of its website under the pretext of a profitable promotion. The victim does not recognize the fake, enters the username and password for his account, and so hands the data to the scammers himself.
Anyone can be a victim. Automated phishing emails are most often aimed at a wide audience (hundreds of thousands or even millions of addresses), but there are also attacks aimed at a specific target. Most often, these targets are top managers or other employees who have privileged access to corporate data. This personalized phishing strategy is called whaling, that is, "catching whales."
The consequences of phishing attacks can be devastating. Scammers can read your personal correspondence, send phishing messages to your circle of contacts, withdraw money from bank accounts, and generally act on your behalf in a broad sense. If you run a business, the risk is even greater. Phishers are capable of stealing corporate secrets, destroying sensitive files, or leaking your customers' data, damaging the company's reputation.
According to the Anti-Phishing Working Group's Phishing Activity Trends Report, in the last quarter of 2019 alone, cybersecurity experts discovered more than 162 thousand fraudulent sites and 132 thousand email messages. During this time, about a thousand companies from all over the world became victims of phishing. How many attacks went undetected remains unknown.
Ivan Budylin
Architect of the Microsoft Technology Center in Russia.
It is important to be clear with yourself about a few things and to communicate them to your co-workers, friends and family. First, the industry is against us. Cyber intruders are no longer enthusiastic pranksters; they are experienced professionals who, in one way or another, want to make money off of you. Second, any information has value, even if it doesn't seem important. Both your activity on social networks and the nickname of your favorite kitty can be used either for direct monetization or as a stage of an attack to gain access to more "expensive" data. Third, the use of multi-factor authentication and passwordless logins is gradually moving from the category of strong recommendations to the category of harsh requirements of a changed reality.
Evolution and types of phishing
The term "phishing" comes from the word "fishing". This type of scam really does resemble fishing: the attacker throws out bait in the form of a fake message or link and waits for users to bite.
But the spelling is a little different: the digraph ph is used instead of the letter f. According to one version, this is a reference to the word phony ("deceiver", "swindler"); according to another, to the subculture of early hackers known as phreakers.
It is believed that the term phishing was first used publicly in the mid-1990s in Usenet newsgroups. At that time, scammers launched the first phishing attacks targeting customers of the American Internet provider AOL. Impersonating company employees, the attackers sent out messages asking users to confirm their credentials.
With the development of the Internet, new types of phishing attacks have appeared. Fraudsters began to fake entire websites and mastered various communication channels and services. Today the following types of phishing can be distinguished.
- Email phishing. Fraudsters register a mailing address similar to the address of a well-known company or of an acquaintance of the selected victim, and send letters from it. In sender name, design and content, a fake letter can be almost identical to the original. The only difference is inside: a link to a fake site, infected attachments or a direct request to send confidential data.
- SMS phishing (smishing). This scheme is similar to the previous one, but SMS is used instead of email. The subscriber receives a message from an unknown (usually short) number with a request for confidential data or with a link to a fake site. For example, an attacker can introduce himself as your bank and ask for the verification code you received earlier. In fact, the scammers need the code to get into your bank account.
- Social media phishing. With the proliferation of instant messengers and social media, phishing attacks have flooded these channels too. Attackers can contact you through fake or compromised accounts of well-known organizations or your friends. The rest of the attack principle does not differ from the previous ones.
- Phone phishing (vishing). Scammers are not limited to text messages and can call you. Most often, Internet telephony (VoIP) is used for this purpose. The caller may impersonate, for example, a support employee of your payment system and ask for your wallet login details, supposedly for verification.
- Search phishing. You can come across phishing right in the search results. All it takes is clicking a link that leads to a fake site and leaving personal data there.
- Pop-up phishing. Attackers often use pop-ups. When visiting a dubious resource, you may see a banner that promises some benefit, such as discounts or free goods, on behalf of a well-known company. Clicking the banner takes you to a site controlled by cybercriminals.
- Pharming. Not phishing in the strict sense, but pharming is also a very common attack. In this case, the attacker tampers with DNS data so that the user is automatically redirected from the original sites to fake ones. The victim sees no suspicious messages or banners, which makes the attack more effective.
Phishing continues to evolve. Microsoft has described new techniques that its Office 365 Advanced Threat Protection anti-phishing service discovered in 2019. For example, scammers have learned to disguise malicious material in search results better: legitimate-looking links are pushed to the top of the results and lead the user to phishing sites through multiple redirects.
In addition, cybercriminals have begun to automatically generate phishing links and exact copies of emails at a qualitatively new level, which lets them deceive users more effectively and bypass protection tools.
How to protect yourself from phishing
Improve your technical literacy. As the saying goes, forewarned is forearmed. Study information security on your own or consult experts for advice. Even a basic knowledge of digital hygiene can save you a lot of trouble.
Be careful. Do not follow links or open attachments in letters from unknown senders. Carefully check the contact details of senders and the addresses of the sites you visit. Do not respond to requests for personal information, even when the message appears believable. If a company representative asks for information, it is better to call the company's call center and report the situation. Don't click on pop-up windows.
Use passwords wisely. Use a unique and strong password for each account. Subscribe to services that warn users when passwords for their accounts appear online, and immediately change the password if it turns out to be compromised.
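The advice to check sender addresses and site addresses (and the email phishing item above, where a fake address differs from the real one by a character or two) is easier to follow with a mechanical check. The following is an added example, not code from the original article or from Microsoft: it compares the host of a link, or the domain of a sender address, against a constructed allow-list of trusted domains and reports why it looks like an impostor. The allow-list `TRUSTED_DOMAINS`, the sample addresses and the function names `assess_url`, `assess_sender` and `assess_domain` are assumptions made for this example; the "registrable domain" logic simply takes the last two labels and does not use a public-suffix list.

```python
"""Flag look-alike domains in links and sender addresses (added example)."""
import ipaddress
import unicodedata
from urllib.parse import urlsplit

# Constructed allow-list: the domains the reader actually does business with.
TRUSTED_DOMAINS = {"example-bank.com", "example.com"}

# Characters and pairs that impostor domains commonly swap for similar-looking ones.
_HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "rn": "m", "vv": "w"}


def _fold(label: str) -> str:
    """Reduce a name to a 'skeleton' so that look-alikes collide with the real name.
    Heuristic only: a genuine name containing 'rn' folds to 'm' as well."""
    s = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode().lower()
    for src, dst in _HOMOGLYPHS.items():
        s = s.replace(src, dst)
    return s


def _levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert/delete/substitute) for typosquat detection."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _registrable(host: str) -> str:
    """Assumption: last two labels. 'example.co.uk'-style suffixes are not handled."""
    return ".".join(host.split(".")[-2:])


def assess_domain(host: str) -> dict:
    """Classify a host as trusted / suspicious / unknown with the reasons found."""
    host = host.strip().rstrip(".").lower()
    if host in TRUSTED_DOMAINS or _registrable(host) in TRUSTED_DOMAINS:
        return {"host": host, "verdict": "trusted", "reasons": []}
    reasons = []
    try:
        ipaddress.ip_address(host)
        reasons.append("bare IP address instead of a domain name")
    except ValueError:
        pass
    if any(ord(c) > 127 for c in host) or any(l.startswith("xn--") for l in host.split(".")):
        reasons.append("non-ASCII / punycode label (possible homograph)")
    reg = _registrable(host)
    for trusted in TRUSTED_DOMAINS:
        if _fold(reg) == trusted:
            reasons.append(f"look-alike of {trusted} (character substitution)")
        elif _levenshtein(reg, trusted) <= 2:
            reasons.append(f"near miss of {trusted} (typosquat)")
        elif trusted in host:  # e.g. example-bank.com.secure-login.net
            reasons.append(f"{trusted} used as a subdomain of {reg}")
    return {"host": host, "verdict": "suspicious" if reasons else "unknown", "reasons": reasons}


def assess_url(url: str) -> dict:
    """Check the host of a link; the text before '@' is user-info, not the host."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    result = assess_domain(parts.hostname or "")
    if parts.username:
        result["reasons"].insert(0, f"'{parts.username}' placed before '@' to mimic a host")
        result["verdict"] = "suspicious"
    return result


def assess_sender(address: str) -> dict:
    """Check the domain part of an e-mail address; the display name is ignored."""
    domain = address.rsplit("@", 1)[-1].strip("> ")
    return assess_domain(domain)


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ["https://www.example-bank.com/login", "https://examp1e-bank.com/login",
                   "http://example-bank.com.secure-login.net/", "https://example-bank.com@203.0.113.5/"]:
        print(sample, "->", assess_url(sample))
    print(assess_sender("Example Bank <billing@exampel-bank.com>"))
```

A "trusted" verdict means only that the registrable domain is on the allow-list; an "unknown" verdict is neither good nor bad and still deserves the manual checks described above.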
Set up multi-factor authentication. This function additionally protects the account, for example, with one-time passwords. In this case, each time you log into your account from a new device, in addition to the password you will have to enter a four- or six-character code sent to you by SMS or generated in a special application. It may not seem very convenient, but this approach will protect you from 99% of common attacks. After all, even if scammers steal the password, they will still not be able to log in without the verification code.
Use passwordless login. In services where it is possible, abandon passwords entirely, replacing them with hardware security keys or authentication through an application on a smartphone.
Use antivirus software. A regularly updated antivirus will help protect your computer from malware that redirects you to phishing sites or steals logins and passwords. But remember that your main protection is still compliance with digital hygiene rules and adherence to cybersecurity recommendations.
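The "code generated in a special application" mentioned under multi-factor authentication is a time-based one-time password (TOTP, RFC 6238, built on HOTP, RFC 4226). The following is an added example, not code from the original article or from Microsoft: it implements both algorithms with the Python standard library and shows the server-side check, including the two details that matter for security: a drift window of one time step, and a rule that an already-accepted step can never be reused. `DEMO_SECRET` is the RFC test-vector seed, not a real key; the function names and the `last_used` parameter are assumptions made for this example.

```python
"""Time-based one-time passwords (RFC 6238 / RFC 4226) as used by authenticator apps."""
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226/6238 test-vector seed (ASCII "12345678901234567890"). A real secret is
# random, generated once per user, and shown once as a base32 string or QR code.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP whose counter is the number of `step`-second intervals since the epoch."""
    t = int(time.time() if at is None else at)
    return hotp(secret, t // step, digits)


def verify_totp(secret: bytes, submitted: str, at=None, step: int = 30,
                digits: int = 6, window: int = 1, last_used: int = -1):
    """Server-side check. Returns the accepted time step, or None.

    `window` tolerates clock drift of +/- one step. `last_used` is the most recent
    step already accepted for this user (stored per user by the caller): a code that
    was already used, or one older than a used one, is rejected, so a stolen code
    cannot be replayed within the window. Comparison is constant-time.
    """
    t = int(time.time() if at is None else at)
    current = t // step
    for k in range(-window, window + 1):
        candidate = current + k
        if candidate > last_used and hmac.compare_digest(hotp(secret, candidate, digits), submitted):
            return candidate
    return None


def secret_for_authenticator(secret: bytes) -> str:
    """Base32 form of the secret that the user types (or scans) into the authenticator app."""
    return base64.b32encode(secret).decode().rstrip("=")


if __name__ == "__main__":
    print("enrol this secret in the app:", secret_for_authenticator(DEMO_SECRET))
    code = totp(DEMO_SECRET)
    print("current code:", code)
    step_ok = verify_totp(DEMO_SECRET, code)
    print("first use accepted at step", step_ok)
    print("replay of the same code:", verify_totp(DEMO_SECRET, code, last_used=step_ok))
```

The point the article makes, that a stolen password alone is not enough, holds only while the secret stays on the user's device and the server enforces single use; a code handed over to a "bank employee" on the phone (the smishing and vishing cases above) defeats it regardless of the algorithm.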
If you run a business
The following tips will also be helpful for business owners and company executives.
Train your employees. Explain to staff which messages to avoid and what information must not be sent by email or other communication channels. Prohibit employees from using corporate mail for personal purposes. Instruct them on how to handle passwords. It is also worth considering a message retention policy: for example, for security purposes, you can delete messages older than a certain period.
Conduct educational phishing attacks. If you want to test the reaction of employees to phishing, try faking an attack. For example, register a mailing address similar to yours, and send letters from it to subordinates with a request to provide you with confidential data.
Choose a reliable email service. Free email providers are too vulnerable for business communications. Companies should choose only secure corporate services. For example, users of the Microsoft Exchange mail service included in the Office 365 suite have comprehensive protection against phishing and other threats. To counter scammers, Microsoft analyzes hundreds of billions of emails every month.
Hire a cybersecurity expert. If your budget allows, find a qualified professional who will provide ongoing protection against phishing and other cyber threats.
What to do if you are a victim of phishing
If there is any reason to believe that your data has fallen into the wrong hands, act immediately. Check your devices for viruses and change account passwords. Inform the bank staff that your payment details may have been stolen. If necessary, inform customers of the potential leak.
To prevent such situations from recurring, choose reliable and modern collaboration services. Products with built-in protection mechanisms are best suited: they are convenient to work with and do not put your digital security at risk.
Office 365, for example, provides dynamic access control with risk assessment that takes a wide range of conditions into account. It also contains built-in automation and data analytics, and lets you manage devices and protect information from leakage.