Phishing is an attack technique in which a cybercriminal creates a fraudulent copy of a social network page or of an email and contacts the user to ask them to share personal information such as their password, card number, etc.
Through an email, for example, the victim is told to provide that information to update the database of the alleged entity, to comply with a new regulation or to obtain a supposed benefit.
Currently there are different ways in which a phishing attack can be carried out:
- SMS: Also called ‘smishing’, it consists of sending a text message that requests personal data or a specific action.
- Telephone call: The caller poses as a private or public entity so that the victim provides their private data.
- Website or pop-up window: This is frequently used. The site visually imitates the image of an official entity, company, etc., so that it appears to be the official one. The objective is for users to provide their personal information while believing they are simply accessing their official account. However, this data is sent to the cybercriminal, who can use it for their own benefit.
- Email: This is the most used and best known. It consists of receiving an email in which cybercriminals imitate the entity they want to impersonate in order to obtain user data. The data is supposedly requested for reasons of security, maintenance of the entity, to improve its service or under some other excuse, or the user is simply asked to provide some data. A link that directs the user to a fake page is usually included. The information entered on that fake website is sent directly to the scammer, who can then use it fraudulently: stealing money, making purchases, etc.
- Instant messaging: WhatsApp is a good example. A message is sent with a link that the user is invited to click in order to obtain an alleged prize.
- Social networks: This is the most successful one. Through social networks, any type of event or link can be sent. After clicking on it, a form that has to be filled out appears or, in other cases, the link redirects the user to a website infected with a virus, thus allowing the cybercriminal to control their device. The most attacked social networks are usually Facebook, Twitter or Instagram.
Facebook, the king of phishing
The cybersecurity firm Kaspersky claims that 60% of phishing in social networks was related to fake Facebook pages throughout the first quarter of this year, as recorded in the latest report from the cybersecurity company.
The social network leads this ranking ahead of the Russian service VK and LinkedIn, possibly due to the 2,100 million monthly users it has and the ease of accessing other applications through the profile on Facebook.
According to the report, the main objective of cybercriminals is to obtain information such as names, password or credit card number.
Social networks interest criminals due to the number of potential victims they can find in them, but also because they are an ecosystem prone to the distribution of viruses and fraud. The constant exchange of information (messages, links and files) and the false sense of security when receiving them from known contacts opens many opportunities for criminals to exploit social engineering.
How could you not trust what a friend or relative sends you?
The criminals, aware of this reality, devote their efforts to creating fake accounts, messages, pages, phishing sites, malicious applications, etc. for these platforms.
GDPR: the perfect occasion
Over the past few months, many phishing attempts have arisen linked to the new regulation for the protection of personal data (GDPR) that came into force in Europe on May 25.
Given the obligation of some brands to request the express consent of their users in order to comply with the new regulation, users receive an invitation to download a file or to log on to a site where they will supposedly be shown how the new regulation works.
In other cases they are asked to follow a link to give their consent and thus ensure that they can continue to use the service once the GDPR applies.
However, these types of notifications were already being sent before the GDPR came into effect. The mere excuse of a change or update to the Terms and Conditions of any web platform is enough to attract new victims.
Basics to avoid getting trapped in the net
Some of the recommendations to avoid being a victim of phishing are the following:
- Do not click on any link that appears in an email and redirects to a supposed site asking you to confirm personal information. It is better to type the address of the entity's official site into the browser yourself.
- Avoid downloading any attached document, especially if it is an executable (.exe format). Before doing so, contact the entity that is supposedly sending the information directly and verify with them whether the message is real.
- Use a secure Wi-Fi connection protected by a password. It is better to avoid connecting to public Wi-Fi networks because they can be easily compromised.
- Never provide confidential information on sites that do not use secure encryption (the URL shown in the browser must begin with HTTPS).
- Avoid sharing confidential data by text message, WhatsApp or email.
- Use two-factor authentication when accessing email and social networks. This serves as protection in case the cybercriminal obtains the password, because the system will ask for a second form of verification before granting access to the mail, for example by sending a code to your mobile phone.
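The first and fourth recommendations above (type the official address yourself, and insist on HTTPS) can be turned into a small triage check that a help desk or a cautious user could run over a suspicious email before anyone clicks. The following Python script is an added example and is not code from the original article; the sample email body and the `OFFICIAL_DOMAINS` allowlist are constructed for illustration. It extracts every link from an HTML email and flags three things: links that are not HTTPS, links whose host is not one of the entity's official domains, and links whose visible text shows one address while the `href` points somewhere else.

```python
"""Flag links in an email body that violate the recommendations above.

Added example, not from the original article. The sample email and the
official-domain allowlist below are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allowlist: the domains the reader knows to be the entity's official ones.
OFFICIAL_DOMAINS = {"example-bank.com"}

# Link text that itself looks like an address (with or without a scheme).
URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.IGNORECASE)


def split_safe(url):
    """urlsplit that returns None instead of raising on a malformed URL."""
    try:
        return urlsplit(url.strip())
    except ValueError:
        return None


def host_of(url):
    """Lowercase hostname of a URL, or '' if it has none or cannot be parsed."""
    parts = split_safe(url)
    return (parts.hostname or "").lower() if parts else ""


def belongs_to(host, domains):
    """True if host is one of the allowed domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the <a> currently being read, if any
        self._text = []     # text fragments seen inside that <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html_body, official_domains=OFFICIAL_DOMAINS):
    """Return a list of (href, reason) pairs for links a user should not follow."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        parts = split_safe(href)
        if parts is None:
            findings.append((href, "unparseable URL"))
            continue
        host = (parts.hostname or "").lower()
        if parts.scheme != "https":
            findings.append((href, "not HTTPS"))
        if not belongs_to(host, official_domains):
            findings.append((href, "domain %r is not an official domain" % host))
        # Visible text that looks like an address but differs from the real target
        # is a classic phishing tell: the user reads one site and is sent to another.
        shown_host = host_of(text if "://" in text else "//" + text) if URL_LIKE.match(text) else ""
        if shown_host and shown_host != host:
            findings.append((href, "link text shows %r but points to %r" % (shown_host, host)))
    return findings


# Constructed sample: one lookalike link and one genuine link to the official site.
SAMPLE_EMAIL = """<html><body>
<p>Dear customer, to comply with the new regulation please confirm your details:</p>
<a href="http://example-bank.com.account-verify.xyz/login">https://www.example-bank.com/login</a>
<p>Or read the new terms at <a href="https://www.example-bank.com/terms">our site</a>.</p>
</body></html>"""

if __name__ == "__main__":
    for href, reason in check_links(SAMPLE_EMAIL):
        print("SUSPICIOUS:", href, "-", reason)
```

Run against the constructed sample, only the first link is reported, for all three reasons at once: it is plain HTTP, its host ends in `account-verify.xyz` rather than the official domain (the official name is merely a prefix, which is why the check compares whole domain labels instead of searching for a substring), and its visible text shows the official login address. The second link, a genuine HTTPS link to a subdomain of the official domain, passes. Note that the HTTPS test on its own is the weakest of the three: phishing sites routinely obtain valid certificates, so a padlock only tells you the connection is encrypted, not that the site is who it claims to be. The domain comparison against an address you already know is what actually distinguishes the official site from an imitation.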
And what if it’s too late?
Normally, each platform or social network offers a mechanism to report false profiles of both companies and individuals.
Facebook also offers several options for reporting fake profiles. Within the profile itself, by selecting the ellipsis menu, we can report or block the person directly.
Facebook also provides an extensive help page explaining how to file reports about inappropriate content, profiles, spam, etc.
Another of the most popular networks is Instagram, which, like Facebook or Twitter, also offers mechanisms for reporting identity theft, abusive behavior and spam, harassment or guidance on how to block people.
In the case of acts that constitute a crime, we must inform the National Fraud & Cyber Crime Reporting Centre, providing all the relevant data, information and evidence.
With these recommendations and clarifications on how to report phishing attacks we can avoid and reduce the impact of these cyber incidents.
Latest posts by Marta Arana
- Phishing in social networks: do not trust your friends - August 29, 2018