Published 27 March 2024
Reading time - 10 min

Data phishing: How to counter the most common type of scam

Phishing is one of the most common cyber threats and poses a serious danger to the information security of both individuals and businesses. Although scammers are constantly improving their attacks, phishing is still one of the most popular methods of getting hold of other people's assets. That is why we are looking into it today: we will discuss what phishing is and what its goals and methods are. Most importantly, we will find out how to protect yourself against it.

Phishing as a source of threat: What is it?

In information security, phishing (from the word “fishing”) is a type of cyber fraud in which attackers masquerade as reputable sources in an attempt to access private data. The main goal of phishing is to deceive users and capture their personal data, such as passwords, credit card numbers, details of bank accounts, crypto wallets, crypto exchange accounts, etc.

Phishing and online security: Background

Phishing dates back several decades and is associated with the development of the Internet and e-commerce technology. Let’s look at the milestones in its history, through which this method of scam became more and more sophisticated.

  1. The 1990s — The emergence of phishing. It was then that the question of what phishing means in terms of information security first came up. The term came into use in the early 1990s, when scammers masqueraded as legitimate entities in email communications, aiming to lure users to fake websites to steal their data. Back then, phishing attacks most often took the form of bulk spam emails asking for personal data or inviting recipients to click on malicious links.
  2. The 2000s — The development of technology and spread of the phishing threat. In this period, phishing grew more advanced and sophisticated. Fraudsters began to create more realistic fraudulent websites and emails using attack automation tools. Victims grew in numbers due to the rising popularity of the Internet and online banking. Attackers began to target corporations, banks, government agencies, and other large organizations.
  3. The 2010s — Phishing as a security threat continues to evolve. Scammers switched from bulk spamming to more targeted attacks, using social engineering techniques and pre-written phishing messages to get access to specific organizations or individuals. With the increasing popularity of mobile devices and social media, phishing attacks via mobile applications and social media began to be actively used.
  4. The 2020s — Constant development of phishing and personal data theft. The improvement of phishing protection technology forces fraudsters to adapt continuously and find more sophisticated ways to deceive users. So new types of phishing emerge, such as cryptocurrency scams and attacks on smart contracts. Given all this, large companies and government agencies continuously enhance their security measures and train personnel to detect and prevent dangerous phishing attacks. At the same time, users are becoming increasingly aware of the threat and exercise more vigilance when online. Nevertheless, damages from phishing have been and continue to be enormous.

What are the goals of phishing attacks

The goals pursued by phishing scammers vary and depend on their specific objectives.

The basic motives include stealing personal data that the attackers can use to commit financial fraud, open false accounts, get loans, shop online on behalf of the victim, and take other illegal actions. Therefore phishing is a source of threat that needs to be taken seriously.

Next comes financial fraud. Phishing can be intended to yield financial gain by deceiving users and organizations. In simple words, scammers seek to steal the victim’s assets through requesting their banking details, passwords for online banking services, bank card and crypto wallet data, and other financial information. Once in possession of this data, they make illegal transactions, transfer money from the victim’s accounts, shop online on their behalf, etc.

Another type of information security threat posed by phishing is access to corporate resources. Scammers may seek to get into your corporate systems and databases to use them for extortion, theft of intellectual property, or selling proprietary data to competitors or on the black market.

The distribution of malware, such as Trojan horses, spyware and adware, is no less common. All this is done to gain further control over victims, steal data or use victims' devices in botnets.

Thus, absolutely everyone needs to be aware of what phishing is in the context of information security and how it is used by criminals, because theoretically, anyone can become a victim.

What phishing methods are used by scammers

We have discussed the threats phishing poses. Now, let’s see exactly how the attacks work.

  1. Email. An old method, but still one of the most common: scammers send victims emails that look like legitimate letters from banks, large corporations, government agencies or other reliable organizations. These may ask the recipient to update account credentials, confirm information, make a payment or take any other action that requires clicking on a malicious link.
  2. Fake websites. Scammers create websites that look legitimate but are actually designed to steal personal data. These may mimic authentication pages of banks, online stores, payment systems, crypto exchanges or other services.
  3. Social media and messengers. Absolutely all users of these services are potential victims of phishing. Attackers compromise real accounts or create fake ones to distribute phishing links and malicious files. These attacks may also involve distributing fake invitations, messages or publications with malicious links.
  4. Mobile apps. Cybercriminals use fake mobile applications or embed components into genuine software to steal personal information. These apps can get access to sensitive data and send phishing messages.

So, depending on the data phishing scammers want to steal, every Internet user should always stay as alert and attentive as possible.

Security and phishing: How to protect yourself against threats

It follows naturally from all of the above that, as an information security threat, phishing can cause huge financial and reputational damage. It is therefore extremely important to know how to protect yourself. Here are the basic rules:

  • Carefully check email senders’ addresses and avoid opening attachments or clicking links in suspicious emails.
  • Always check site URLs, use secure connections (HTTPS), and activate spam filters and antivirus software with phishing site blocking.
  • Stay alert to messages and requests on social networks, limit access to your personal data in public profiles, and use two-factor authentication.
  • Install apps from official and trusted sources only, prohibit downloads from unknown sources, and update your operating system on a regular basis.
  • And most importantly, always be vigilant and attentive, and take the time to make sure there are no threats if you don’t want to be another scam victim.
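
The first two rules (check the sender's address, check the URL and HTTPS) can be partly automated. The following Python code is an added example, not part of the original article; the brand name, the domains and the sample message are constructed placeholders, and the trusted-domain list is an assumption you would fill in with the services you actually use.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: brands you really deal with and their real domains (placeholders).
TRUSTED = {"examplebank": "examplebank.example"}

def host_matches(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def check_sender(from_header):
    """Flag a display name that claims a trusted brand from another domain."""
    name, addr = parseaddr(from_header)
    host = addr.rpartition("@")[2]
    claimed = re.sub(r"[^a-z0-9]", "", name.lower())
    return [f"sender claims {b} but uses {host}" for b, d in TRUSTED.items()
            if b in claimed and not host_matches(host, d)]

def check_url(url):
    """Flag plain-HTTP links, punycode hosts and brand names on other hosts."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    flags = [] if parts.scheme == "https" else ["not HTTPS"]
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode host")
    flags += [f"{b} appears in foreign host {host}" for b, d in TRUSTED.items()
              if b in host.replace("-", "") and not host_matches(host, d)]
    return flags

def check_message(raw):
    """Run both checks over a raw single-part email; return all findings."""
    msg = message_from_string(raw)
    findings = check_sender(msg.get("From", ""))
    for url in re.findall(r"https?://[^\s\"'<>]+", msg.get_payload()):
        findings += [f"{url}: {flag}" for flag in check_url(url)]
    return findings

# Constructed sample message, not a real phishing email.
SAMPLE = """From: "Example Bank Support" <support@examplebank-secure.example>
Subject: Confirm your account

Please confirm at http://examplebank.example.login-verify.example/auth
"""

if __name__ == "__main__":
    print("\n".join(check_message(SAMPLE)))
```

The subdomain check matters: a host that merely begins with the real domain name, as in the sample link, is still a different site, because only the rightmost labels decide who owns it.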

So, online security and phishing are incompatible. But most interestingly, the actions of scammers are often not particularly sophisticated. Very often, people become victims because they are careless and neglect the simple security rules that we described above. Once you start following them, the risk of suffering from phishing attacks is immediately minimized.

But what if you have already suffered? What if digital assets from your crypto wallet or exchange account have been stolen by phishing? Of course, you can try and collect evidence of the attack on your own and go to the police. But if this doesn’t work or you don’t want to deal with fraudsters on your own, we are always ready to help you as part of our Cryptocurrency Incident Investigation service.

We have all the necessary expertise to help you get your money back with the maximum probability of success. You can also contact us for a comprehensive security audit in order to avoid losses from phishing or other attacks. We will examine your information infrastructure thoroughly to find any security vulnerabilities and help eliminate them.

Phishing threat: Real-life cases

Below are several stories about high-profile phishing attacks to show that everything said above is more than just words.

In 2016, hackers carried out a phishing attack on Hillary Clinton’s campaign during the US presidential race. They used emails to get access to her employees’ mailboxes and disclosed sensitive insider information, resulting in serious negative implications.

PayPal has also faced phishing. For years, the company has been a target for phishing attacks. Scammers send fake emails under the guise of its employees and ask for users’ personal data, such as passwords and credit card numbers. Usually, these attacks mimic official PayPal notifications and often even end in the theft of money from user accounts.

In 2017, a large-scale phishing attack affected users of Google Docs. Fraudsters sent them fake emails asking them to open a document. By clicking the link, users were taken to a page requesting access to their Google account. This case showed that even the largest companies can be hit.

The Bitfinex Hack in 2016 was one of the largest phishing attacks in the cryptocurrency domain. It resulted in the theft of more than 120 thousand bitcoins (worth $72 million then) from users of Bitfinex, a large cryptocurrency exchange. Emails with fake links that looked like official notifications from Bitfinex were sent to victims, asking them to follow the link and enter their credentials.

To summarize, let’s note that despite the seemingly simple nature of phishing, it still remains at the forefront among criminal attacks on individuals and businesses. Therefore, exploring how it works and strictly following the rules to counter it are an absolute must for everyone who wants to protect their reputation and assets.
