What is… Phishing?
Phishing is a type of "social engineering" whereby criminals try to obtain, through deception, users' personal data (bank details, credit card numbers, passwords, account details and other types of information).
The "phisher" may ask for urgent confirmation or for you to send specific data. The people behind these scams have a high level of IT and technical skill and generally use indiscriminate mass mailing to reach thousands of recipients (spamming). To reach as many potential victims as possible they use messages and offers that will appeal to the recipient. Their modus operandi is to redirect victims, by means of false e-mails, text messages and mobile messages (WhatsApp, etc.), to fake websites that look like the authentic ones, normally on-line banking sites, social networks, e-mail accounts or similar. Once on these pages the victim enters their bank details (to "update" the information, for example), re-enters their log-in details (because of a supposed server error), carries out some kind of on-line transaction (where personal details "need to be checked") or simply signs up for a new service or offer.
The links that these scams provide attempt to emulate the real website and will redirect you to another server which appears identical to the original but which is controlled by the cybercriminals.
Applications in this category which try to steal personal or banking details are classified as follows:
- Use of existing (real) company names: The cybercriminals use the corporate image and functionality of a real company's website.
- Use of the name of a real employee of a real company to send out mass phishing e-mails: In this case the victim should check that the person purporting to represent the company really exists.
- Apparently correct website addresses: The appearance of the scam e-mail will usually direct the reader to sites with a similar appearance to those of the real company but which are being used to steal information.
- Fear factor: The fraudster requires an immediate reply from the recipient, and these messages usually threaten some kind of loss (either financial or of control of the account) if the reader does not follow the instructions provided. The scammer needs this rapid response because, as soon as the company finds out that its clients are being scammed, the fake site will have to be moved to other servers.
- Man-in-the-middle: The cybercriminal gets between the user and the real website, acting as a proxy capable of listening in on the electronic communication between the two. They take advantage of vulnerabilities such as 'Cross-Site Scripting' and vulnerabilities in web browsers to simulate a secure site belonging to a bank.
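As an added example (not part of the original page), the following Python check scores a message against the indicators listed above: link text that differs from the real target, addresses that imitate a known brand, and urgency language. The brand list and the sample message are constructed for this example.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Constructed allow-list of brands a mail filter protects (hypothetical values).
KNOWN_BRANDS = {"examplebank": "examplebank.com"}
URGENCY_PHRASES = ("immediately", "within 24 hours", "account will be suspended", "verify your account")
# Captures each HTML anchor so the visible text can be compared with the real target.
ANCHOR_RE = re.compile(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)

def registered_domain(url):
    """Lower-cased host of a URL (scheme optional), without a leading 'www.'."""
    host = urlparse(url if "://" in url else "http://" + url).hostname or ""
    return host.lower().removeprefix("www.")

def lookalike_brand(domain):
    """Name of the brand a domain imitates, or None if it is legitimate or unrelated."""
    if domain in KNOWN_BRANDS.values():
        return None
    label = domain.split(".")[0]
    for brand in KNOWN_BRANDS:
        if brand in label or SequenceMatcher(None, label, brand).ratio() >= 0.8:
            return brand
    return None

def phishing_indicators(message_html):
    """Return (score, reasons) for a message; each reason is one matched indicator."""
    reasons = []
    for href, text in ANCHOR_RE.findall(message_html):
        target = registered_domain(href)
        # Only compare when the visible text itself looks like an address.
        shown = registered_domain(text.strip()) if "." in text else ""
        if shown and shown != target:
            reasons.append(f"link text shows {shown} but points to {target}")
        brand = lookalike_brand(target)
        if brand:
            reasons.append(f"{target} imitates {KNOWN_BRANDS[brand]}")
    lowered = message_html.lower()
    hits = [p for p in URGENCY_PHRASES if p in lowered]
    if hits:
        reasons.append("urgency language: " + ", ".join(hits))
    return len(reasons), reasons

# Constructed sample message showing all three indicators at once.
SAMPLE = ('<p>Dear customer, verify your account immediately or your account will be suspended.</p>'
          '<a href="http://examplebank-secure.com/login">www.examplebank.com</a>')

if __name__ == "__main__":
    print(phishing_indicators(SAMPLE))
```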
Types of Phishing
- Website phishing: This type of phishing is linked to a single website where the content of the false page is stored.
- Pharming by redirection: This consists of redirecting the user of a trusted website to a false one which, at first glance, appears identical, and from which personal or financial data can be stolen. The user is automatically redirected to the fake banking page without needing to click on any link.
- Spear phishing: This type of scam targets previously selected individuals or small groups whom the attackers have been monitoring. They send a personalised e-mail impersonating a person or company the victim trusts. The aim of this type of phishing is to collect confidential information (e.g. trade secrets). The e-mail carries an attachment which, when opened, gives access to your computer and all the data stored on it.
- Smishing: This type of Phishing is targeted at mobile messaging users. They may send messages claiming you have won a prize, that you have registered for a service, etc. To activate the offer you need to ring a number where they will ask for your bank details.
- Vishing: In this type of phishing the cybercriminals ring numbers in a specific area. When the call is answered, a recorded message alerts the victim that their credit card has been used fraudulently and that they need to ring another number. There they are asked for their 16-digit credit card number in order to "verify" it. This then allows the cybercriminal to make purchases and other fraudulent operations by phone or over the internet.
Risk Factors and Consequences
The main risk of this type of fraudulent activity is that the phisher obtains personal or banking information and can access your private accounts. The information most commonly targeted is:
- Social Security Number
- Credit / Debit / ATM card number
- Password
- Bank account number
- Login details and passwords for internet banking.
Consequences
The cybercriminals are highly audacious at scamming people. Once they get your personal information they can use it to commit a range of fraudulent activities:
- Impersonate someone to take out a mobile phone contract, leaving the victim charged for all calls made.
- Use a credit card number to make purchases on-line.
- Obtain money or goods illicitly, e.g. by modifying a banking system to divert small amounts of money to a ghost account.
- Damage programs or data (through viruses, hard disk faults or power cuts) so that you lose the data stored on your computer: photos, films, music, work documents, etc.
IT fraud is on the rise as the number of computer users grows. This is of extreme importance to consumers, who are in constant danger of being attacked.
This project has been funded with support from the European Commission. This publication reflects the views only of the author, and the Commission cannot be held responsible for any use which may be made of the information contained therein.