ABT blog

Three tips to protect yourself against phishing

Author
Balázs Prokk
Junior Advisor, Risk & Compliance Services


In this post we introduce the main types of phishing attack and show the simplest ways to protect against them.

- What do our grandmother, our granddaughter, our boss, Elon Musk and well-known banks have in common?

- Phishing attacks are carried out in the name of all of them. As a result, our families, our employers and our own companies could all fall victim to multi-million-dollar scams. In four sections, this article outlines the main types of phishing attack and the simplest strategies for defending against them.

*

Phishing in a new era

Phishing is a type of cyberattack in which criminals steal confidential information from us by sending deceptive messages. Typical targets of phishing are:

  • online banking login details,
  • bank and credit card details,
  • business login details or passwords.

Furthermore, cybercriminals can use our personal data to build huge databases that they can sell or reuse in a later attack. With our most personal data in hand, such as our sexual orientation or our religious and political views, criminals can craft even more convincing lures for us.

It is worth mentioning that researchers from Stanford University and the University of Cambridge showed back in 2011 that our activity on social media platforms (the vocabulary of our posts, our likes and our emoji usage) is a good predictor of our psychological profile, from which outsiders can also infer our purchasing preferences and political thinking. With data analytics techniques based on Artificial Intelligence (AI), we have entered an era in which our privacy is eroding: every piece of data we publish contributes to a more accurate behavioural picture of our actions and motivations. What is more, communication strategies built on such analytics can also shape the development of our personality, warns Harvard University professor Shoshana Zuboff. So AI-based data analytics not only makes it possible to analyse our political thinking or consumer preferences; it also makes it much easier to produce messages that we are more likely to click on.

Types of phishing activities

Cybersecurity experts classify phishing attacks in several ways. For example, there are three groups of attacks based on the size and focus of their targets:

  • Spearphishing is a well-targeted, often personalised attack that focuses on specific individuals, small groups, companies or organisations.
  • In Business Email Compromise (BEC), attackers disguise their lures as payment requests or incoming offers that look like ordinary business emails, often appearing to come from an executive or a known business partner. They target senior management or the employees who are authorised to approve and pay invoices.
  • Phishing, as the general term, covers all attempts using bulk, untargeted messages designed to reach as many readers as possible, in order to grow the attackers' datasets.

In addition to the target group, we should also pay attention to the attack strategy.

  • In a clone phishing attack the attacker copies a legitimate email that the victim has already received and replaces its link or attachment with a malicious one. The message appears to come from a trusted source, but the link leads to a website where the victim's personal information is harvested, or ransomware is installed on their device.
  • In phishing that delivers ransomware, we receive a short message asking us to download an application via a link in the message, for example supposedly from a courier service so that we can receive a parcel we ordered earlier. Such malware can also take complete control of the phone, stealing passwords and credit card details.

Although most phishing is done via email, it is good to know that other channels and online platforms are also being weaponised by cybercriminals:

  • Social media phishing: platforms such as Facebook, LinkedIn, Twitter and Instagram are real hunting grounds for cybercriminals. On these platforms we share a lot of information that can quickly be turned against us by unauthorised persons. They are also the best platforms for building large databases quickly: in 2021, after a huge data breach, the phone numbers of more than 500 million Facebook users were posted on the internet.
  • Smishing, or phishing by SMS: a short text message with a link asking us to download an app or visit a website.
  • Vishing: the attacker calls us or sends a voice message, for example on behalf of our bank or internet service provider (ISP), to trick us into revealing personal information.

*

A few examples from around the globe

To see the similarities between the scams, it is worth looking at a few reports of actual cases:

  • The BBC reported last March that, at one of the peaks of the bitcoin fever, a single user in Cologne lost more than $407,000 by falling for a Twitter scam run in the name of Elon Musk.
  • In May 2021, Colonial Pipeline's IT systems were hit by a ransomware attack. The criminals first collected a ransom of $4.4 million. However, the company suffered further damage during that week as panicked residents began buying up the remaining available petrol, so the incident also turned into a crisis of reputation and confidence. After the incident, the US Department of Justice elevated ransomware attacks to the same priority as terrorism.
  • The Covid-19 pandemic also made online ordering popular, and the previous Christmas season provided ideal conditions for phishing. In the run-up to the holidays, attackers sent out phishing messages and ransomware in the name of several parcel delivery services, by SMS and email, impersonating FedEx, DHL, Amazon and UPS. A similar incident was reported by German public television.

Three tips to protect yourself against phishing

  1. Panic, haste and greed are the worst advisors!
    Don't rush! Think twice about every click, and ask yourself the most naive questions possible.
  2. Don't overlook suspicious signs!
    Look carefully: which email address is the sender writing from? Have we received emails or SMS from this address before? If the sender really is my colleague, why didn't she contact me in person or use another channel? Why is my bank calling from a withheld number? Who writes an email at 2am? If this email is official, why is it not signed with the usual digital signature? Why would anyone offer such a good financial deal?
  3. Be aware of your own emotions!
    Aggressive messages and calls often put us in uncomfortable situations. Technical terminology that is hard for the average user to understand can be frustrating and embarrassing, so we may not even stop to ask why we should act so quickly. But whose fault is this level of miscommunication?
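Several of the signs in tip 2 (a sender address that only looks like the real one, a reply address pointing elsewhere, a message sent in the middle of the night, a missing or failed signature, a link whose visible text does not match where it actually goes, urgency in the subject line) can be checked mechanically on a received message. The script below is an added example, not code from the original post or from ABT; it uses only the Python standard library. The two sample messages, the `TRUSTED_DOMAINS` allow-list, the `example-corp.com` names and the similarity threshold are constructed assumptions for the demonstration.

```python
"""Heuristic phishing-sign checker for a single raw email message.

Added example: it flags the warning signs listed in tip 2 (lookalike sender
domain, Reply-To mismatch, SPF/DKIM not passing, urgency wording, odd send
time, link text that hides a different destination).
"""
import difflib
import email
import email.utils
import re
from email import policy
from typing import List
from urllib.parse import urlparse

# Assumed allow-list: domains we actually exchange mail with.
TRUSTED_DOMAINS = {"example-corp.com"}
URGENCY = re.compile(r"\b(urgent|immediately|today|final notice|suspended)\b", re.I)

# Constructed sample: a lure impersonating a colleague (not a real message).
SAMPLE_PHISH = """\
From: "Anna Kovacs (Finance)" <anna.kovacs@examp1e-corp.com>
Reply-To: payments@mail-relay.example
To: you@example-corp.com
Subject: URGENT: invoice must be paid today
Date: Tue, 10 May 2022 02:07:00 +0200
Authentication-Results: mx.example-corp.com; spf=fail; dkim=none
Content-Type: text/html; charset=utf-8

<p>Please pay the attached invoice immediately via
<a href="http://example-corp.com.attacker.example/pay">https://example-corp.com/pay</a></p>
"""

# Constructed sample: an ordinary internal message that should raise nothing.
SAMPLE_LEGIT = """\
From: "Anna Kovacs" <anna.kovacs@example-corp.com>
To: you@example-corp.com
Subject: Q2 invoice schedule
Date: Tue, 10 May 2022 10:15:00 +0200
Authentication-Results: mx.example-corp.com; spf=pass; dkim=pass header.d=example-corp.com
Content-Type: text/plain; charset=utf-8

Hi, the Q2 schedule is on the intranet. Drop by if you have questions.
"""


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def looks_alike(candidate: str, trusted: str) -> bool:
    """True if candidate imitates trusted: a typo-squat (examp1e-corp.com) or
    the trusted name embedded in a longer attacker-controlled name
    (example-corp.com.attacker.example). A real subdomain is not a lookalike."""
    if candidate == trusted or candidate.endswith("." + trusted):
        return False
    if trusted in candidate:
        return True
    # 0.85 is an assumed threshold; one-character edits score well above it.
    return difflib.SequenceMatcher(None, candidate, trusted).ratio() >= 0.85


def check_message(raw: str) -> List[str]:
    """Return a list of warning-sign tags found in the raw message (empty = clean)."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings: List[str] = []

    from_addr = email.utils.parseaddr(str(msg.get("From", "")))[1]
    from_dom = domain_of(from_addr)

    # Sign: the message did not pass SPF/DKIM (the "usual digital signature").
    auth = str(msg.get("Authentication-Results", ""))
    for mech in ("spf", "dkim"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if not m or m.group(1).lower() != "pass":
            findings.append(f"{mech}-not-pass")

    # Sign: sender domain imitates a domain we trust.
    if from_dom not in TRUSTED_DOMAINS:
        if any(looks_alike(from_dom, t) for t in TRUSTED_DOMAINS):
            findings.append(f"lookalike-sender-domain:{from_dom}")

    # Sign: replies are silently routed to a different domain.
    reply_dom = domain_of(email.utils.parseaddr(str(msg.get("Reply-To", "")))[1])
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to-mismatch:{reply_dom}")

    # Sign: panic and haste in the subject line.
    if URGENCY.search(str(msg.get("Subject", ""))):
        findings.append("urgency-language")

    # Sign: "who writes an email at 2am?" (hour in the sender's own time zone).
    date_hdr = msg.get("Date")
    if date_hdr:
        hour = email.utils.parsedate_to_datetime(str(date_hdr)).hour
        if hour < 6:
            findings.append(f"sent-at-{hour:02d}h")

    # Sign: visible link text names one host, the href goes to another.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    for href, visible in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', text, re.I | re.S):
        href_host = (urlparse(href).hostname or "").lower()
        shown = re.search(r"https?://([^/\s<]+)", visible)
        if shown and shown.group(1).lower() != href_host:
            findings.append(f"link-mismatch:{shown.group(1).lower()}->{href_host}")

    return findings


if __name__ == "__main__":
    print("phish:", check_message(SAMPLE_PHISH))
    print("legit:", check_message(SAMPLE_LEGIT))
```

The checks are heuristics, not proof: a message can pass all of them and still be a lure (a compromised real mailbox passes SPF and DKIM), and a legitimate message can trip one or two (a colleague really working at 2am). The point is the same as the tip: any hit is a reason to slow down and verify through another channel before clicking or paying.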

In situations of uncertainty, good questions to ask include the following: what does my bank's website say about this offer? Does this phone number match the one on my bank's website? Wouldn't it be better to ask in person tomorrow? If this update is so important, why was it not announced weeks ago? Is this update really necessary, or should I call the administrator team first?

It is important not to give out personal details over the phone; for example, it is better to ask for a call back, which also buys time to think. No late fee is more painful than losing control of your bank account.

*

A moment of suspicion or uncertainty is far better than becoming the victim of an attack. If you feel that your company needs data protection and information security training or technology solutions, please contact us.


Date: 17 May 2022 | Topic: IT security

The above summary is provided for information purposes only. We recommend that you consult our experts before making any decision based on this information.

Nexia International is a network combining the expertise and experience of nearly 320 independent tax consulting and audit firms from over 100 countries worldwide and is ranked as the 10th largest such network in the world.