Phishing is an IT term for a set of techniques that seek to deceive a victim by gaining their trust while posing as a known person, company or service (impersonating a trusted third party), in order to manipulate them into performing actions they should not perform (for example, revealing confidential information or clicking on a link).
To carry out the deception, social engineering is usually used, exploiting people's social instincts such as the wish to be helpful or efficient. Attackers also flatter the victim, exploiting vanity, the need to be recognized, low self-esteem, or the hopes of a job seeker. For example, they send emails or show advertisements telling the victim that they have won a prize and should follow a link to receive it; the false promise is the bait.
Sometimes technical procedures that take advantage of vulnerabilities are also used. Usually the objective is to steal information, but other times it is to install malware, sabotage systems, or steal money through fraud. In this article, we will share the most common types of deception out there and what you can do to avoid them.
What are the types of Phishing and their characteristics?
Phishing is one of the most common and well-known attacks on the internet, from the Nigerian prince whose accounts were blocked abroad for political reasons (anyone who used the internet in the 90s will know what we mean) to much more sophisticated versions in which the references to the people involved are real (among them the names of real bankers) and a Google search for them returns "satisfactory" results.
But phishing does not live only off the Nigerian prince; over time new techniques and different types of attacks have been developed. Below is a list of the most common ones.
- Deception phishing: Hackers try to impersonate legitimate companies or people in order to gain your trust. This type of email is usually more general, sparing in details and directed in an "industrial" way, looking for the largest possible number of victims without going into their details. The classic example would be the Nigerian prince we talked about earlier.
- Spear phishing: This type of phishing is personalized. Its boom is partly due to LinkedIn and professional social networks, where information about companies and their workers is detailed, giving attackers very useful material when preparing emails with the appropriate trap and bait.
- Whaling: It is similar to spear phishing, only in this case and working with the fishing metaphors, it is aimed at high-value targets, such as executives, CEOs... basically the "whales" of the company.
- CEO fraud: Generally carried out after a successful whaling attack (once the attacker has the CEO's credentials), these attacks usually aim to collect the personal data of the company's workers: telephone numbers, bank details, etc. They do not always use the CEO's real account; sometimes the attacker just uses the CEO's name from an address that does not even match, hoping to get the data of the less cautious.
- Catfishing: As surprising as it may seem, there are people who use dating social networks to impersonate others and end up obtaining the credentials of the unwary, who believe they are talking to a potential partner when in reality it is an attacker posing as the man or woman of their dreams. At Deloitte in 2016 there was a case in which a security breach was attributed to this; below is a link where we can read the detailed story and how to try to protect ourselves from catfishing.
In this article we can read a rather bizarre case of catfishing.
There are more variants, such as clone phishing, which is based on taking over an account and then copying and forwarding its messages with the original links replaced by malicious ones; phishing through supposedly leaked passwords, where we are asked to change the password of our accounts through a link they send us that actually leads to a copy of the original page, so the credentials we type there are stolen; phishing by SMS; and so on.
How to identify if an email is legitimate or Phishing?
There are several factors to take into account when identifying whether an email is a phishing attempt or not. It is quite common, especially in messages in Spanish, that the spelling is not taken care of, and in some cases the translation shows that it was done with an online translator: the message makes little sense in places, with badly constructed phrases or strange verb tenses. In these more "crude" cases, the message probably begins with a generic greeting such as "Dear customer" instead of the recipient's name, or it may use part of our email address as a name when greeting us.
Another important part is to look at the sender's address. Even if we know the sender, we have to take into account what our usual communication with them looks like, especially in cases such as messages received from our CEO or from a colleague we do not work closely with. An important clue is when we are urged to click on a link and then asked for credentials of some kind. According to the SANS Institute, 95% of attacks on company networks begin with phishing.
If the account is not known, or we have even the slightest suspicion that it might be phishing, we should look at any URL they share with us. Attackers create fake versions of legitimate sites with very similar URLs and urge us in their phishing messages to click on those links. We must pay attention to the links, since in a phishing attempt they usually contain deliberate errors, either typographical (slightly incorrect versions of legitimate URLs) or visual (letters and characters with a similar appearance are swapped in). Please read the links carefully before clicking on them.
- Example of the original link: https://www.paypal.com/
- Examples of fake links: http://www.paypals.com, http://www.webpaypal.com, http://www.paipal.com
As we can see in the previous example, all the fake addresses use HTTP instead of HTTPS, and that is another alarm signal: the HTTPS protocol prevents other parties from intercepting the confidential information transferred between the client and the web server over the Internet, so if the link in the email takes us to an HTTP page and asks for any type of login or information, that information is easily interceptable. This specific type of attack usually claims that our email or bank account password has been stolen and asks us to enter our credentials on a page whose protocol is not safe, in order to steal them and use them for the attacker's own benefit.
Another very important characteristic of this type of email is its urgency. It asks us to click on the links quickly under premises such as that we are going to lose €20,000 or that our card is going to be canceled for online purchases, when it is widely known that companies give advance notice before cutting off our access to anything.
In the same way, if we receive a message from the bank urging us to follow a link, and clicking on it takes us to a page asking for our bank details in order to continue with the process (bearing in mind that the bank knows perfectly well what our account and card are), we should be suspicious. What company we work with asks us for data it already has? One way to avoid this specific problem is, instead of using the link that comes in the email, to connect to our service provider's website ourselves and navigate from there to the point indicated in the email, thus ensuring the site is genuine and checking whether the problem is real.
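The two warning signs above (a non-HTTPS link and a domain that imitates a legitimate one) can be checked mechanically before anyone clicks. The following is an added example, not code from the original article: it parses a link, flags a missing HTTPS scheme, and compares the domain against a constructed allowlist (here only paypal.com) using brand-name embedding, a small look-alike character map, and edit distance. The allowlist, the character map, and the "last two labels" domain rule are all simplifying assumptions of this example.

```python
from typing import List
from urllib.parse import urlsplit

# Constructed allowlist for this example; a real deployment would use the
# organisation's own list of known brands and a public-suffix library.
LEGIT_DOMAINS = {"paypal.com"}

# A few characters commonly swapped for look-alikes (assumed mapping).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

def normalize(name: str) -> str:
    """Map look-alike characters back to the letters they imitate."""
    return name.translate(CONFUSABLES).replace("rn", "m")

def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-letter typos such as 'paipal'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registered_domain(host: str) -> str:
    """Naive registrable domain: the last two labels (no public-suffix list)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def check_url(url: str) -> List[str]:
    """Return the warning signs found in a link taken from an email."""
    parts = urlsplit(url)
    warnings = []
    if parts.scheme != "https":
        warnings.append("not HTTPS")
    dom = registered_domain(parts.hostname or "")
    if dom in LEGIT_DOMAINS:
        return warnings          # exact match with a known-good domain
    name = dom.split(".")[0]
    for legit in LEGIT_DOMAINS:
        brand = legit.split(".")[0]
        if brand in name and name != brand:
            warnings.append(f"brand '{brand}' embedded in unrelated domain {dom}")
        elif normalize(name) == brand:
            warnings.append(f"domain {dom} mimics {legit} with look-alike characters")
        elif 0 < levenshtein(normalize(name), brand) <= 2:
            warnings.append(f"domain {dom} is a near-miss for {legit}")
    return warnings
```

Running `check_url` over the four links listed above returns no warnings for the genuine PayPal URL and at least two for each fake one.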
There are tools that help us detect this type of email, for example: Phishing detector from Microsoft or this extension from Chrome to detect phishing on bank pages. Bitdefender in its mobile version detects fraudulent links in the SMS we receive, alerting us to their danger.
As we have seen throughout this article, phishing can take the form of a wide range of deception techniques. Knowing the different types and techniques that digital fraudsters use can help us, both personally and at a business level, to stay protected from any theft of sensitive information.
In addition to using tools that help detect the many types of electronic fraud that exist, if you run an e-commerce business you can also rely on a team of professionals specialized in cybersecurity, who have the knowledge to design a security strategy tailored to your needs and help you minimize losses due to attacks and deception.
Technical Office Specialist at Orienteed.