Phishing is a form of online fraud in which attackers use social engineering to trick the victim into handing over the information the attackers want (credentials, card data, personal details).
The scheme resembles fishing: the fraudster casts "bait", the user voluntarily supplies all the requested information, and the fraudster then uses that data for their own ends.
Phishers are technically skilled fraudsters. Using spam, malicious websites, e-mail and instant messages, they coax sensitive information such as bank account or credit card numbers out of users.
By the resource used, phishing is divided into:
- mail phishing (sending e-mails)
- online phishing (a copy of an Internet banking page)
E-mail phishing relies on viruses, Trojans or worms, and on techniques for getting past the spam filters installed on the user's computer. Fraudsters also send messages purporting to come from a bank or a major online retailer, and spoof the browser address bar so that the fake page appears to carry the genuine address. By one estimate, during a mass e-mail phishing campaign about 3% of recipients open the message, and roughly 8 in every 100,000 hand over confidential data or install malware that gives the attackers access to it.
In online phishing, a genuine online banking page is replaced by a fraudulent copy. The fake is very hard to tell from the original because the two pages look identical. The user opens the dummy page and enters confidential data (login and password); from that moment the data is compromised and available to the fraudsters, who can log in to the user's account and dispose of the funds as they wish.
Combined phishing uses both methods: a fake online banking page plus a message that lures potential victims to it. Using social engineering, the criminals get users to perform the operations themselves. Writing in the bank's name, they send advertising letters about attractive new banking products; one variant offers to move funds from the user's current account into a deposit account with an attractive interest rate. Once the victim goes through this "operation", the main goal is achieved: the login and password are in the fraudsters' hands.
The most common lures that lead to phishing sites take the form of:
- an important message (e.g. from a bank) warning that a card has been blocked or must be re-issued
- an urgent update of the operating system, an application or an online game
- a lucrative promotion that is "running today only" and requires you to "take part immediately"
- a notice of a gift or winnings (e.g. from an online casino or lottery)
- an offer to fill in a questionnaire and receive a gift
- an impersonal form of address (e.g. "Dear Customer"), an alarming tone, and warnings of problems (e.g. "losses") if the customer does not provide the requested information
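The lures above translate directly into checks that can be run over a message. The following is an added example, not code from the original article: a small heuristic scorer that flags the sender display-name/domain mismatch, a Reply-To pointing elsewhere, the impersonal greeting, pressure wording, and a link whose visible text names one host while its href leads to another. The two sample messages, their addresses and domains (reserved .example and .test names) are constructed, and the keyword lists are assumptions chosen to match the list above.

```python
"""Heuristic phishing indicators for an e-mail message.

Added example, not taken from the original article. The sample messages,
addresses and domains are constructed; the keyword lists are assumptions.
"""
import email
import email.policy
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

URGENCY_WORDS = ("urgent", "immediately", "today only", "blocked", "suspended",
                 "re-issue", "verify your", "losses")
IMPERSONAL_GREETINGS = ("dear customer", "dear client", "dear user")

# Constructed phishing message of the "your card is blocked" kind.
SAMPLE_PHISH = """\
From: "First Bank Security" <alerts@secure-alerts.test>
Reply-To: collect@reply-box.test
To: victim@example.org
Subject: Your card has been blocked
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear Customer,</p>
<p>Your card has been blocked. Verify your details immediately to avoid losses.</p>
<p><a href="https://firstbank.example.secure-alerts.test/login">firstbank.example/login</a></p>
</body></html>
"""

# Constructed legitimate notice: named greeting, matching domain, no link.
SAMPLE_LEGIT = """\
From: "First Bank" <notices@firstbank.example>
To: jane@example.org
Subject: Your March statement is ready
Content-Type: text/plain; charset="utf-8"

Hello Jane,
Your statement for March is available in online banking. Log in as usual from your bookmark.
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Hostname of a URL, or of bare text such as 'bank.example/login'."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def phishing_indicators(raw_message):
    """Return the names of the indicators triggered by a raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=email.policy.default)
    found = []
    sender = msg["From"]
    if sender is not None and sender.addresses:
        addr = sender.addresses[0]
        domain = addr.domain.lower()
        # 1. Display name names an organisation that is absent from the sender domain.
        words = [w for w in re.findall(r"[a-z]+", addr.display_name.lower()) if len(w) > 3]
        if words and not any(w in domain for w in words):
            found.append("display-name/domain mismatch")
        # 2. Replies are routed to a domain other than the one the mail claims.
        reply_to = msg["Reply-To"]
        if reply_to is not None and reply_to.addresses and reply_to.addresses[0].domain.lower() != domain:
            found.append("reply-to domain differs from sender")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    lowered = text.lower()
    # 3. Impersonal greeting and 4. pressure or threat wording.
    if any(g in lowered for g in IMPERSONAL_GREETINGS):
        found.append("impersonal greeting")
    if any(w in lowered for w in URGENCY_WORDS):
        found.append("urgency or threat wording")
    # 5. Visible link text names one host while the href leads somewhere else.
    collector = LinkCollector()
    collector.feed(text)
    for href, shown in collector.links:
        if "." in shown and " " not in shown and host_of(shown) != host_of(href):
            found.append("link text/href host mismatch")
            break
    return found


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, phishing_indicators(sample))
```

None of these checks is proof on its own (a legitimate mailing service may use a separate Reply-To, and a genuine notice may well say "urgent"), which is why the function returns the list of indicators rather than a verdict; several of them together on one message is what should stop the reader from clicking.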
Phishing has several varieties, including:
Vishing (voice + phishing) is voice phishing. It uses automated dialling (wardialers) and Internet telephony (VoIP). Typically the customer receives a message asking them to call the bank back on a specified number, which of course connects straight to the scammers. A pleasant recorded voice then leads the customer through a script that ends with a request to enter the required data on the phone keypad.
SMS phishing (smishing = SMS + phishing) uses text messages that contain a link to a phishing site or a pretext for visiting a fake site. In another variant the user is asked to send the sensitive data to the attackers in an SMS reply.
Pharming is a form of phishing that redirects users to fake sites automatically. Name resolution (DNS) is deliberately tampered with so that the victim lands on a page built by the fraudsters to harvest confidential information. The mechanism resembles a malware infection: malicious software on the victim's machine carries overrides for the addresses of several banks' websites (typically entries in the local hosts file, or a changed DNS server setting), so that when the user tries to open the genuine site a fake clone opens instead, even though the address typed was correct.
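Because a hosts-file entry wins over DNS, the simplest pharming check is to look for public domains pinned to non-loopback addresses in that file. The block below is an added example, not code from the original article; the hosts file text, the list of protected domains and the 192.0.2.x addresses (RFC 5737 documentation range) are all constructed for the demonstration.

```python
"""Spot pharming-style overrides in a hosts file.

Added example, not part of the original article. The hosts file text, the
protected domain list and the 192.0.2.x addresses are constructed.
"""
import ipaddress

# Assumption: the sites whose name resolution the user wants to protect.
PROTECTED_DOMAINS = ("firstbank.example", "pay.example")

# Constructed hosts file: the first two entries are normal defaults, the
# next two are the kind of line pharming malware appends, the last one is
# a harmless local override that must not be flagged.
SAMPLE_HOSTS = """\
# Hosts file
127.0.0.1       localhost
::1             localhost ip6-localhost
192.0.2.10      online.firstbank.example firstbank.example   # not added by the user
192.0.2.10      pay.example
10.0.0.5        intranet.corp.local
"""


def parse_hosts(text):
    """Yield (address, hostname) pairs, ignoring comments and blank lines."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        address, *names = line.split()
        for name in names:
            yield address, name.lower().rstrip(".")


def pharming_entries(hosts_text, protected=PROTECTED_DOMAINS):
    """Return (address, hostname, reason) for entries that pin a protected domain.

    A hosts entry is consulted before DNS, so a protected domain (or any
    subdomain of it) mapped to anything but a loopback address sends the
    browser to that address regardless of what the real DNS says.
    """
    suspicious = []
    for address, name in parse_hosts(hosts_text):
        try:
            parsed = ipaddress.ip_address(address)
        except ValueError:
            suspicious.append((address, name, "unparseable address"))
            continue
        if parsed.is_loopback:
            continue
        if any(name == d or name.endswith("." + d) for d in protected):
            suspicious.append((address, name, "protected domain pinned to " + address))
    return suspicious


if __name__ == "__main__":
    for entry in pharming_entries(SAMPLE_HOSTS):
        print(*entry)
```

To run it against a real machine, read /etc/hosts (Linux, macOS) or C:\Windows\System32\drivers\etc\hosts (Windows) into `pharming_entries`. The file is only half of the picture: the other place pharming malware changes is the configured DNS resolver, so an unexpected resolver address in the network settings deserves the same suspicion as a pinned bank domain.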
To reduce the risk of falling victim to phishing, users should follow a few rules:
- Learn to recognise suspicious phishing e-mails. The forms they take (important or urgent messages, gifts, lottery winnings and so on) are described above.
- Always check the source of a message. A bank or any other legitimate company never asks its customers for confidential information (passwords, PIN codes, card data) by e-mail. Do not reply to such messages.
- Do not open your bank's website from links in e-mails; the link may lead to a fake site. Instead, bookmark the official URL or type it into the address bar yourself.
- Keep your computer's security up to date. Use a reputable anti-virus product that can block such attacks, and always install the latest updates for your operating system and web browser.
- Enter confidential data only on sites you have verified. Check the address bar: the address should begin with https:// and the browser should show the closed padlock, but this only means the connection to that domain is encrypted. Phishing sites routinely use https:// and show the padlock too, so the decisive check is that the domain name is exactly your bank's and not a lookalike.
- Check your accounts regularly. It never hurts to review your bank accounts, social network accounts and any other accounts that may be linked to your bank card, so that you do not miss suspicious activity in your transactions.
- Keep up with developments in malware and online fraud. Forewarned is forearmed: follow news of the latest attacks and the advice on how to avoid them.
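The "https:// plus padlock" rule above is where most readers go wrong, so here is the domain check it has to be paired with, as an added example that is not code from the original article. It classifies a link destination against the bank's genuine domain and returns a reason; the expected domain and the sample URLs are constructed (reserved .example and .test names, an RFC 5737 address), and it goes a little beyond the text by also covering the user@host and punycode tricks that phishers use to make a foreign host look like the bank's.

```python
"""Decide whether a link really leads to the bank before trusting the padlock.

Added example, not from the original article. EXPECTED_DOMAIN and the sample
URLs are constructed.
"""
import ipaddress
from urllib.parse import urlparse

# Assumption: the bank's genuine registered domain, taken from a bookmark,
# never from the e-mail being checked.
EXPECTED_DOMAIN = "firstbank.example"


def check_link(url, expected=EXPECTED_DOMAIN):
    """Return (ok, reason); ok is True only for the genuine domain over https."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower().rstrip(".")
    if not host:
        return False, "no hostname in URL"
    # A raw IP address is never a bank's login page.
    try:
        ipaddress.ip_address(host)
        return False, "IP address instead of a domain name"
    except ValueError:
        pass
    # user@host trick: browsers discard everything before the @, so the real
    # host is what follows it, however convincing the part before looks.
    if parsed.username is not None:
        return False, "credentials in URL; real host is " + host
    # Internationalised names travel as punycode labels; a lookalike with one
    # swapped character ends up as xn--... (a genuine IDN domain would too).
    if any(label.startswith("xn--") for label in host.split(".")):
        return False, "punycode hostname, check for homoglyphs"
    if host == expected or host.endswith("." + expected):
        if parsed.scheme != "https":
            return False, "genuine domain but not https"
        return True, "genuine domain over https"
    # The bank's name may still appear, but only as a prefix or a subdomain of
    # someone else's registered domain. That domain's owner can obtain a
    # certificate just as easily, so https:// and the padlock prove nothing here.
    return False, "different registered domain: " + host


# Constructed links of the kinds that turn up in phishing mail.
SAMPLE_LINKS = [
    "https://online.firstbank.example/login",
    "http://online.firstbank.example/login",
    "https://firstbank.example.secure-alerts.test/login",
    "https://firstbank.example@secure-alerts.test/login",
    "https://firstbank-example.test/login",
    "https://xn--firstbnk-8xa.example/login",
    "https://192.0.2.10/login",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(check_link(link), link)
```

Only the first sample passes. The third and fourth are the ones the padlock rule misses: both can be served over a valid HTTPS certificate for secure-alerts.test, and both display the string "firstbank.example" prominently in the address bar.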