Phishing, the IT fraud par excellence

Today, e-mail is certainly one of the most relevant communication tools, both for companies and for individuals. Indeed, almost all of our official or most important communications are carried out through email. Cyber criminals take advantage of this medium's popularity to scale up their scams, both in number and in quality, using a technique called phishing.

What is Phishing?

Phishing is the most common cyber fraud technique. The term comes from the combination of two words: phreaking, the word by which the first online scams were defined, and fishing. Criminals deceive you with a misleading email, just as fishermen deceive fish with bait, and they do it by disguising themselves as institutions, banks, insurance companies and so on. Phishing is therefore a very simple type of cyber-attack, yet it is also the most dangerous and effective.

These scams succeed precisely by exploiting the misinformation or poor knowledge that most users have on the subject. With just a little information, however, anyone can avoid the most common and trivial scams.

How it can manifest: Massive phishing and Spear phishing

Most phishing attacks are spread by sending spam messages massively and indiscriminately.

Phishing tends to target a large number of people, typically using a low level of complexity in the message content. A classic and basic example: “WOW! You won 1 million euros, CLICK HERE”.

However, cyber criminals have also reached a more evolved level and are often able to craft messages with very specific content, tailored to the targeted victim.

These more sophisticated messages with highly customized content naturally have a higher success rate. This evolved technique is called spear phishing: a fraud aimed at a specific organization or person, which makes the scam harder to spot.

The purposes of these attacks are typically two: obtaining money, or accessing confidential financial, industrial, state, or military secrets.

An example of spear phishing: a user's email inbox is monitored and spied on constantly, and the attackers learn that the subject is about to leave for a business trip. At this point the scam is ready to kick in: the user receives an email that seems to come from his or her usual travel company, requesting that some basic personal data, which appear to be missing from the booking and essential for its confirmation, be provided urgently. Fearing the cancellation of the trip, the victim is extremely likely to hurry to provide sensitive data without hesitating or thinking too much about it.

A new phishing tool: deepfake

Deepfake can be defined as an evolution of fake news, disseminated with the help of more sophisticated video and audio tools. By processing videos and audio of real people, who often hold institutional or managerial power, attackers build scams that are almost impossible to avoid. For example, a fake but well-camouflaged voice message in which a member of a company's management invites the staff to open the file received by email can truly make the difference in a phishing or spear-phishing campaign, making it far more credible and therefore far more effective.

VoIP phishing or vishing

Vishing is the specific phishing attack mode that relies on fraudulent phone communication. Telephone communication allows the criminal both to hide and to interact with the victim more directly than via email. Vishing takes advantage of persuasion techniques and of the limited time the interlocutor has to rationalize and process the information received. An example is a fake banner that invites users to call the indicated help desk number to speed up the resolution of some service problem. At that point it will be easier for the cyber criminal to obtain sensitive data.

How to protect yourself from Cyber Attacks
  1. The first thing to do is to check the sender of the email before clicking on any link or attachment.
  2. You have to check whether the link shown will really lead you to the Internet address it displays. You can check this easily by hovering your pointer over the link without clicking. You can also copy the link and paste it into the browser's address bar to inspect it before visiting.
  3. You should only use secure connections and avoid public Wi-Fi networks that are not password protected.
  4. When you use sites that hold sensitive information, such as online banking or social media, you should check that the connection is secure (beware of scams using sites that merely appear safe) and always verify the domain name when opening a page.
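Step 2 above can also be automated on the mail server or in a mail client plugin. The following added example (not part of the original article) parses an HTML email body and flags links whose visible text names one domain while the real `href` points to another; the sample message and all domain names in it are constructed for illustration, and the "registrable domain" helper simply takes the last two labels rather than consulting a public-suffix list.

```python
"""Flag links whose visible text shows a different domain than their real target."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible text that looks like a domain or URL, e.g. "www.bank.example" or "https://x.example/y"
DOMAIN_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[A-Za-z]{2,}(?:/\S*)?$")

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(value):
    """Hostname of a URL or bare domain string ('' if none); bare domains get a scheme first."""
    candidate = value if "://" in value else "http://" + value
    return urlparse(candidate).hostname or ""

def registrable_domain(host):
    """Simplified: last two labels (no public-suffix list, an assumption of this example)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def find_mismatched_links(html):
    """Return (shown_text, real_host) for links whose displayed domain differs from the target."""
    parser = _LinkCollector()
    parser.feed(html)
    suspicious = []
    for href, text in parser.links:
        shown = host_of(text) if DOMAIN_LIKE.match(text) else ""  # only domain-looking text
        real = host_of(href)
        if shown and real and registrable_domain(shown) != registrable_domain(real):
            suspicious.append((text, real))
    return suspicious

# Constructed sample mimicking the "confirm your booking" spear-phishing message above
SAMPLE_EMAIL = """<p>Your booking needs confirmation. Please log in at
<a href="http://travel-confirm.example.net/login">www.mytravel.example.com</a>
or write to <a href="mailto:support@mytravel.example.com">support</a>.</p>"""

if __name__ == "__main__":
    for shown, real in find_mismatched_links(SAMPLE_EMAIL):
        print(f"link text shows {shown!r} but actually goes to {real!r}")
```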

Do not share your sensitive data by email: legitimate companies never ask for such information this way.