Imagine that one day, out of the blue, you receive an email from none other than the US Department of Justice. The email contains a summons to court and threatens immediate arrest for non-compliance. It also offers a way out: a link to submit a petition letter and dispute the charge. But if you click that link, the hook has already sunk, and you are now the victim of a phishing attack.
What is phishing?
To give you a textbook definition, phishing is a social engineering attack used to steal user data. What I just described above is known as an email phishing attack. But what is a phishing email, and what are its usual characteristics? First of all, the impersonation of an authority figure.
A phishing email capitalizes on the authority of the organization or person asking you to do something, and it is usually paired with a sense of urgency that pushes the victim to act immediately, without thinking first. The court summons above is a striking example of both. If you follow the link in a phishing email, you land on a different website that looks the same, works the same, and may even show legitimate-looking security signals: a padlock icon and a valid TLS certificate prove nothing here, since the attacker can obtain a certificate for a domain they own.
Often the only giveaway is a small difference in the web address. But if you fail to notice it and log in to the fake website, that website forwards your credentials to the cybercriminals, who are now in control of your personal information.
However, email security threats are not limited to this scenario. In the first quarter of this year, hackers massively impersonated DHL, sending out millions of emails about a package that was about to be delivered. Of course, some victims hadn't ordered anything at all, but if curiosity got the better of them, they downloaded the attached file anyway. That file paved the road for a Trojan, which is capable of taking control of the entire computer, including all of the data stored on it. Yet the DHL campaign, as widespread and effective as it was, is not even in the top 10 of the most impersonated brands.
Facebook, alongside other social media, is this year's most impersonated brand. By itself, Facebook phishing accounts for 14% of the fake websites used by cybercriminals, rising to 24% once all of the company's platforms are counted. With 2.8 billion users, Facebook is a gold mine for cybercriminals. Fake emails asking users to change their password are the most common Facebook scam used to steal user data.
Phishing emails can also lure users with messages built around keywords and images tied to major current events. Last year, the coronavirus was one of the most used topics; right now, it is the war in Ukraine.
The worst consequences of phishing scams
So let's say you fell for it. Your name and personal details are now known to a seasoned criminal. What's the worst that can happen?
The first thing a criminal would do is request new account PINs and have your bank cards reissued remotely, using your banking details and Social Security number. Then they would drain or spend every resource you keep at the bank, and that would be just the beginning. Identity fraud is highly likely, since the information you gave up can be used to request a new passport, driver's license, and much more.
With those in hand, nothing stops criminals from taking out loans from microfinance lenders and racking up hundreds of thousands of dollars in credit card debt. In a single moment, you can lose all of your funds and acquire insurmountable debt. That's how phishing works, at least in the worst case. Many victims suffer less: their accounts get hijacked and are then used for further impersonation scams to extract money or information from their social circle.
What is spear phishing?
In that scenario, a phishing attack is like a spear: it breaks through your defenses and delivers a deep wound. Fittingly, the most devastating type of phishing attack is called spear phishing. In contrast to mass email phishing, the target this time is neither a random social media user nor a would-be DHL customer. A spear phishing target is researched beforehand so that the scam message can be crafted specifically for them, impersonating close friends, family, or business clients and partners.
Sometimes the victim is part of an organization, and the attack includes an immense amount of background research to map the power structure and hierarchy within that company. Then, out of nowhere, a junior clerk gets an email from one of the executives asking them to sign a document and send back a signed copy. With the research done right, the employee won't even notice that the email comes from a slightly different address, and will personally hand the corporate stamp and signature to the cybercriminals.
That's what happened to the Belgian bank Crelan, where an employee sent the CEO's stamp and signature in reply to a fake email, giving the attackers enough material to forge convincing transfer documents. These documents were so realistic that each one was approved by the finance department without any issues, costing Crelan $75.8 million in total.
While undoubtedly rarer than attacks on individuals, such phishing scams have already cost businesses from Google and Facebook to Sony Pictures millions of dollars, along with reputational and sometimes even physical damage. The problem with phishing attacks is their unpredictability. That Crelan employee never expected a criminal to pose as their boss, and an ordinary US citizen would be pretty shocked to learn that an email from the Department of Justice could be completely fake.
How to prevent phishing attacks?
It can be hard to learn how to spot phishing attempts without sliding into paranoia. The best you can do to keep yourself safe is to stay vigilant and avoid entering any of your personal details through links sent to you in unsolicited emails. If you do have something to fill in, don't click the link in the message; open a new tab and type the organization's address yourself.
Fake websites often look just like the real thing, but if you navigate to the site manually, you can at least be sure you are visiting the real one. The same degree of vigilance applies to text files, archives, and even images attached to emails, since they can carry malware that installs itself on your device and takes your details by force.
Be careful with these scams, and where possible, disable the automatic loading of remote content (images and tracking pixels) in your mail client. Better still, use a secure email gateway whose spam and malware filters are kept up to date. This will stop some phishing scams, though not all of them. That's the best you can do for now without getting too technical.
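The advice above comes down to one mechanical check: does the address a link really points to belong to the organization it claims to be from? The "slightly different address" that fooled the Crelan employee and the "minor difference in the web address" of a fake login page are both detectable by comparing the link target's registrable domain against a short allow-list and looking for the usual tricks (typos, digit-for-letter swaps, the brand name buried in an unrelated domain, punycode labels, and anchor text that shows one site while the href goes to another). The script below is an added example written for this article, not code from the original post or from any product; the allow-list, the sample email, and the edit-distance threshold are constructed assumptions for the demonstration, and the domain parsing is deliberately naive (it ignores multi-part public suffixes such as co.uk).

```python
"""Flag links in an email whose real target is a lookalike of a domain the
recipient trusts. Added example, not from the original article; the
allow-list, sample email and thresholds are constructed assumptions."""
import re
from urllib.parse import urlparse

# Assumption: the handful of domains this recipient legitimately deals with.
TRUSTED_DOMAINS = {"facebook.com", "dhl.com", "justice.gov"}

# Digit/letter swaps commonly used in lookalike names (faceb00k, paypa1).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

# Constructed sample message: one genuine link and four phishing tricks.
SAMPLE_EMAIL = """
<p>Your password expires soon. <a href="https://www.facebook.com/settings">Update it here</a>.</p>
<p>Verify now: <a href="https://facebook.com.login-check.net/reset">https://www.facebook.com/reset</a></p>
<p>Your DHL parcel is waiting: <a href="http://dhl-delivery.net/track?id=1">track it</a></p>
<p>Support: <a href="https://faceb00k.com/help">help center</a></p>
<p>Unrelated newsletter: <a href="https://example.org/news">read more</a></p>
"""


def registrable_domain(host: str) -> str:
    """Last two labels of a host. Simplification: a real check would use the
    public suffix list so that co.uk-style domains are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def fold(label: str) -> str:
    """Normalise a label so visually similar spellings compare equal."""
    return label.lower().replace("rn", "m").replace("vv", "w").translate(CONFUSABLES)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a one-letter typo such as 'facebok' lands at distance 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host: str) -> tuple[str, str]:
    """Return (verdict, reason) where verdict is 'trusted', 'lookalike' or 'unknown'."""
    host = host.lower()
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return "trusted", f"{domain} is on the allow-list"
    if any(label.startswith("xn--") for label in host.split(".")):
        return "lookalike", "internationalized (punycode) label; may hide homoglyphs"
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        # Brand name buried in an unrelated domain: facebook.com.login-check.net, dhl-delivery.net
        if brand in host:
            return "lookalike", f"contains '{brand}' but the registrable domain is {domain}"
        # Typo or digit swap in the second-level label itself: faceb00k.com, facebok.com.
        # Short brands get no tolerance, otherwise 'dhs' would match 'dhl'.
        max_dist = 1 if len(brand) >= 6 else 0
        if levenshtein(fold(domain.split(".")[0]), brand) <= max_dist:
            return "lookalike", f"{domain} is within {max_dist} edit(s) of {trusted}"
    return "unknown", f"{domain} is not on the allow-list"


def scan_email(html: str) -> list[dict]:
    """Classify every link, and also flag anchor text that displays one site
    while the href points somewhere else (the hidden-target trick)."""
    findings = []
    for href, text in LINK_RE.findall(html):
        host = urlparse(href).hostname or ""
        verdict, reason = classify_host(host)
        shown = re.sub(r"<[^>]+>", "", text).strip()
        shown_host = urlparse(shown).hostname if "://" in shown else None
        if shown_host and registrable_domain(shown_host) != registrable_domain(host):
            verdict, reason = "lookalike", f"text shows {shown_host} but link goes to {host}"
        findings.append({"href": href, "text": shown, "verdict": verdict, "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in scan_email(SAMPLE_EMAIL):
        print(f"{finding['verdict']:9} {finding['href']}  ({finding['reason']})")
```

Run against the constructed message, only the first link comes back `trusted`; the next three are flagged `lookalike` for three different reasons, and the unrelated newsletter is `unknown` rather than flagged, which is the right outcome: the allow-list tells you what is definitely genuine, not what is definitely malicious. The same `classify_host` check applied to the sender's address domain catches the Crelan-style "slightly different address" in the From header.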
What to do post-attack?
What should you do after a phishing attack has already affected you? First and foremost, contact the police. This is a cybercrime that poses a real threat to your livelihood, and there is nothing wrong with treating it as such. Then close or cancel every compromised bank account, explaining to the bank's staff that your security was breached. If your passport details were compromised, the passport will have to be reissued as well.
In general, every password, document, or account that was leaked has to be replaced or reinforced with additional security measures such as multi-factor authentication, with no exceptions.
To summarize, phishing is not a joke. Fake emails and websites can cause tremendous damage to individuals and large companies alike, and little can be done to undo the harm afterwards. So the main thing you can do is prevent phishing attacks from ever succeeding. I trust that now you know why we need phishing email awareness.