Phishing - what is it and how to defend against it?


2 January 2024

One wrong click when using the Internet can be enough to lose sensitive data, including logins and passwords, for example for bank accounts. A phishing attack is easy for fraudsters to carry out, requires little effort and cost, and yields big results. What is phishing and how to defend against it?

What is phishing?

Phishing is a type of online scam that attempts to get the victim to provide sensitive data or hand over money. Criminals impersonate a trusted entity or person. They use convincing logos, formal language and even previously acquired information to appear more authentic and credible. In addition, the content of the message is designed to elicit emotion or a sense of urgency in the victim. Under the influence of emotions, the victim starts to act recklessly and very often, driven by curiosity, fear or the desire to win (e.g. in a lottery), clicks on a link, downloads an attachment specially modified by criminals or provides sensitive data (e.g. login details) in a telephone conversation. It is the emotions under which the victim operates that make phishing such an effective method.

Fraud can take many forms:

  • e-mail – phishing e-mail;
  • SMS text messages - smishing;
  • emails and content aimed at high-profile individuals in organisations, CEOs and company presidents - whaling;
  • telephone calls - vishing.

If the victim is fooled by such a scam and provides their details, the attacker will use them for, among other things:

  • theft of money;
  • identity theft;
  • committing further crimes (the so-called 'shellfish' method).

Spear phishing

This is a special, more personalised method. All messages sent to the victim are personalised, which helps to convince the addressee of their veracity: they address the victim by name, refer to a specific and authentic contract number, and so on. Sometimes spear phishing criminals even impersonate friends of the victim. For this purpose, it is often enough just to look through the attacked person's friends list or posts on their social media. It also happens that once the hacker has managed to gain access to one user's account, he decides to take the next step: sending chat messages (e.g. via Facebook) with suspicious links to other people.

Examples of the use of phishing

Example one: the victim receives an SMS message from the bank. It says that the last payment was not successfully verified or that there was a significant security breach during the last use of the application. The next text contains a suspicious link with a request to visit it in order to contact staff and provide an explanation. Once the link is clicked, the page turns out to require a login. If the victim decides to take this step, the hacker gains all the data needed to rob a real bank account of money.

Example two: the victim receives an email from the bank. Its content suggests that a serious break-in to the user's account has taken place, but it is cut off at a key point, ending with, among other things, the words "Find out more - click the link". Once the user follows the instruction, their device is infected with, for example, ransomware or a keylogger.

Example three: the victim receives a telephone call. The scammer, claiming to be a consultant from a company, tells the victim that they have won a competition and are due a large amount of money. However, in order to claim the prize, all contact details will be needed, including PESEL number, payment card, bank account and often the password to the mobile app account. After the victim provides these, it turns out that no prize exists and the caller drops the call.

Example four: a new message arrives in the victim's email inbox. It is supposedly written by a distant family member who is a rich man in need of immediate financial help. Extending a helping hand will be lavishly rewarded - at least in theory, because once the transfer is made, the contact breaks off.

Example five: the victim receives an SMS informing them that a parcel has been detained due to incorrect address details. In addition, the message contains a link where the data can be checked and updated. After clicking on it, the victim is redirected to a malicious website.

How to protect yourself against phishing?

The good news is that, although it is not easy, a phishing attack can be recognised and repelled. How do you defend yourself? Here are some tips:

  • Pay attention to e-mail addresses and URLs - carefully check the senders of messages and the URLs given in messages. Very often they will look correct at first glance, but the changes made to them can be very subtle (e.g. the uppercase 'i' and lowercase 'L' look virtually the same).
  • Don't give in to your emotions - if a message triggers emotions in you, whether positive or negative, increase your vigilance. Criminals aim to make you act under the influence of emotion.
  • Learn to recognise the warning signs of phishing - be aware of the hallmarks of phishing: arousing emotion and a sense of urgency, impersonation of a trusted entity, spelling mistakes, strange-looking graphics and formatting.
  • Don't click on links - if a link seems suspicious, hover over it first to see where it leads, rather than clicking on it straight away. Also, use official websites and apps rather than links received by email.
  • Do not give out sensitive data - remember that institutions such as banks or online services will not ask for sensitive information via email or SMS.
  • Install anti-virus software - install and regularly update anti-virus software that can detect and block attempted phishing attacks; it helps protect your computer when you browse the web.
  • Do not give out your phone number where it is not needed - a fraudster will not be able to exploit avenues of communication to which they do not have access.
  • Educate - tell your friends and family about the dangers of sharing sensitive data.
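
The URL tips above (lookalike characters, checking where a link really leads) can also be automated. The following is an added example, not part of the original article: it lists every link in an HTML message whose real target is not a trusted domain. The domains, the allow-list and the sample message are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = {"parcels.example", "bank.example"}  # constructed allow-list

def skeleton(host):
    """Fold characters that look alike in common fonts: I/l/1, 0/o, rn/m."""
    return host.lower().replace("rn", "m").translate(str.maketrans("i10", "llo"))

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_links(html, trusted=TRUSTED):
    """Return (host, reason) for each link that does not lead to a trusted domain."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        host = urlsplit(href).hostname or ""
        if any(host == t or host.endswith("." + t) for t in trusted):
            continue
        shown = re.search(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", text.lower())
        if any(skeleton(host) == skeleton(t) for t in trusted):
            findings.append((host, "lookalike of a trusted domain"))
        elif shown and shown.group(1) != host:
            findings.append((host, "link text shows " + shown.group(1)))
        else:
            findings.append((host, "not on the trusted list"))
    return findings

SAMPLE = """<p>Your parcel is on hold.</p>
<a href="http://parceIs.example/update">parceIs.example/update</a>
<a href="http://update-address.test/login">https://parcels.example/track</a>
<a href="https://parcels.example/help">Help</a>"""  # constructed message body

if __name__ == "__main__":
    for finding in check_links(SAMPLE):
        print(finding)
```

Host names are case-insensitive, so the capital "I" shown in the first sample link is really a lowercase "i" once resolved; the check compares folded forms for that reason.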

Who can fall victim to phishing?

Anyone can fall victim to phishing. However, individuals with little experience in navigating the internet or using mobile devices and personal computers are particularly at risk.

Having an understanding of what phishing is and the basic forms of phishing significantly reduces the chance of becoming a victim of cybercrime.

