A warning about a phishing campaign that impersonates Spain's Ministry of Economy and Business; beware of the Lidl kitchen robot, because nobody is going to give you one even though an email says so; ING alerts its customers to a new phishing attack that may arrive by email or SMS; an SMS scam reaching mobile phones in Spain pretends to come from the courier FedEx; a text message impersonating the logistics company DHL notifies you of the upcoming arrival of a shipment.
These are very common news items that we will keep reading often, that affect our lives, and that always end with the same conclusion and warning: DO NOT OPEN IT!
What is phishing
Phishing is a scam. Its objective is to capture or steal private user data: bank account usernames, passwords, credit card details, etc. To obtain this information, attackers counterfeit pages that the user knows (commonly those of companies or public administrations): they duplicate the page, and the user enters into the copy the confidential data the attackers want to obtain.
There is no word in Castilian for it, so the Anglicism is used. It comes from the verb to fish. And really, it catches the user, tricks them as bait does a fish, and manages to get hold of their information in order to steal their data.
Broadly speaking, to understand this practice in its most common version, you must know that the user receives a text message (SMS) on their mobile, an email in their mail account or a message in an app such as WhatsApp, Telegram or Facebook Messenger. That message can offer you a gift from a company (well-known brands are commonly used), ask for a favor as if it came from a friend, offer a common service that people tend to need, or offer the solution to a problem with a service (for example, saying that your bank, the public treasury or a courier company needs some data to perform a routine task).
In general, this practice relies on social engineering, and its success is based on the trust you have in the company, institution or person that is being impersonated.
These messages are accompanied by a link. When you follow the link, you arrive at another page. Sometimes it is easy to see that the page is not well designed and even has serious spelling mistakes. But sophisticated attacks show pages that look totally real. On that page you are asked to enter some information, normally related to your bank and personal details. If you enter it, you are giving it away to the creator of the scam and, with that information, they can make the purchases they want until you notice and talk to your bank so that it takes action and changes your card or cancels your payments for a while.
How phishing came about
Phishing is an old fraud that, despite the passing of the years, does not lose steam. The term “phishing” was first documented in early 1996 by the Usenet news group AOHell, and it was coined to name a scam that used the giant AOL to obtain private user data.
25 years later, phishing is still going strong. There is hardly a week in which Technoeager does not have to report important cases of phishing that are landing in users’ mail inboxes, on some social network or in the SMS messages on their phones. There are no global figures on the money that this technique manages to steal from companies and citizens each year, since not everyone reports what happens. What’s more, the amount stolen from each user is sometimes small, so people don’t bother to pursue the scam. But if we consider that millions of people can become victims of one of these scams, it is a profitable practice.
What is clear is that, after malware, phishing is the second most used cyberattack technique in the world, according to the studies of large companies, such as Cisco, on the main types of computer attacks.
Types of phishing
To identify one of these attacks, the best thing you can do is to know the types that exist. The most common are:
- Deceptive phishing: The most common type. A hacker sends the user an email message posing as a person, company or entity. If what is sent is an SMS, it is known as smishing. The message requests some type of personal information or contains a malicious link that sends the user to a fraudulent web page where login information is requested. If it is a well-prepared attack, it usually carries the logo of the company and uses a similar font, and the name of the website to which it redirects you is similar to that of the real page (but is not the same). Under some excuse, it asks the user to enter sensitive personal information that is later captured by the attacker. The phishing cases impersonating FedEx, DHL or ING in recent weeks are among these most common attacks.
- Malware-based phishing: In this case, the user receives an email that impersonates a brand and that includes a malicious file as an attachment which, once opened, infects the victim’s device. A common form of malware-based phishing pretends to come from a service company that attaches your latest invoice in PDF format for you to download. Once opened, it infects the computer. In Spain, 2021 began with an attack that impersonated Correos to infect a computer with malware. In December, an email spread widely whose attached file supposedly informed of restrictions due to Covid-19 but infected the PC or mobile phone.
- Vishing: The word mixes the terms voice and phishing. It is not so common because it requires a lot of preparation to achieve its goal. These attacks use social engineering to mislead victims through phone calls. The attacker, who makes the calls, pretends to be a worker, a technician or an organization and, under this pretext, tries to get the victim to provide personal or banking information or to make some financial contribution. As with phishing, the vishing hook can be very different each time: taking part in a raffle, collecting a gift voucher or receiving technical support.
- SEO Phishing: Using search engine positioning (SEO) techniques, attackers make a deceptive page rank among the top results on a search engine like Google or Bing. Thus, if a user searches, for example, for information about their bank, the objective is for this website to appear among the first results so that the person thinks they are actually entering their bank’s website or a site where they can make purchases. By making purchases or logging in with your credentials, you will be giving away very important information that the attacker can steal.
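
The similar-but-not-identical website name described under deceptive phishing, and the fake bank site described under SEO phishing, can both be caught by comparing a link's real host with the genuine domain. The following Python check is an added example, not part of the original article; the allowlist, the distance threshold and the function names are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist of genuine domains (assumption, not from the article).
LEGIT_DOMAINS = {"ing.es", "dhl.com", "fedex.com"}
MAX_DISTANCE = 1  # edits tolerated before a name stops counting as "similar"


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url: str) -> str:
    """Classify the host a link really points to against the allowlist."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return "unparseable"
    # Genuine: the host is the real domain or one of its subdomains.
    if any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS):
        return "legitimate"
    # Naive registrable domain = last two labels (assumption; production
    # code should consult the Public Suffix List instead).
    registrable = ".".join(host.split(".")[-2:])
    if any(edit_distance(registrable, d) <= MAX_DISTANCE for d in LEGIT_DOMAINS):
        return "lookalike"
    # Brand name used as a label or hyphenated word of an unrelated domain.
    brands = {d.split(".")[0] for d in LEGIT_DOMAINS}
    if brands & set(re.split(r"[.-]", host)):
        return "brand-in-foreign-domain"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample links, not taken from any real campaign.
    for link in ("https://www.ing.es/login", "http://dh1.com/track",
                 "https://dhl.com.parcel-track.example/", "https://example.org/"):
        print(f"{classify_link(link):24} {link}")
```

A "lookalike" or "brand-in-foreign-domain" result is a reason to treat the message as suspect; an "unrelated" result only means the host does not resemble the allowlisted names.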