4.5. Phishing techniques
Phishing – fraudulent activity designed to steal personal and/or other confidential information (e.g. identity data, passwords, payment card details, etc.).
Usually, the main goal of phishing is to obtain personal data and login credentials for online banking. User IDs, passwords and other credentials enable fraudsters to access individuals' bank accounts and dispose of the funds held in those accounts remotely (e.g. by transferring the funds to their own bank accounts).
Data theft is carried out in two main ways:
- Contacting individuals directly and tricking them into revealing such information willingly;
- Using dedicated technologies that copy data from websites, or from the devices individuals use to browse the internet and/or use remote services.
The most common type of phishing is so-called deceptive phishing.
In this case a fraudster impersonates a legitimate institution or company (e.g. a government agency, law enforcement agency, financial service provider, large well-known brand, etc.) and addresses individuals directly with a request to fill in personal details. The same email or other type of message is sent to thousands of individuals in the hope that some of them will respond.
Such messages usually demand a very quick reaction, warning that there will be undesirable consequences if the individual does not respond in time (e.g. the institution will take legal action, funds in the individual's bank account might be stolen, the prize will be awarded to another person, etc.).
Most often such messages contain malicious links and/or other references to specially prepared sites that ask individuals to enter the requested information there. As soon as an individual enters this information on such a site, it becomes available to the fraudster.
More advanced fraudsters might exploit the session control mechanism and hijack a session on a legitimate site. When an individual logs into a web application, the server sets a temporary session cookie in his/her browser. Fraudsters might steal such session cookies, or provide the individual with a link containing a prepared session ID before he/she starts an authenticated session. Either way, the fraudster can later hijack the session by presenting the same session ID from his/her own browser.
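The two session attacks just described have well-known server-side defences: never keep a session ID that was presented before authentication (the link-with-a-prepared-ID technique is called session fixation), and mark the session cookie so that page scripts cannot read it and it is only sent over HTTPS. The following is an added example, not code from the original guide; it is a minimal in-memory session store, and all names in it (SessionStore, login, session_cookie_header, fixation_attempt_fails) are assumptions made for the illustration.

```python
"""
Added example: a minimal session store showing two defences against the
session attacks described in the text.

  1. Session fixation: a session ID that arrives with the login request
     (for example, planted by a link the victim was sent) is never kept;
     the server issues a fresh ID at the moment of authentication and
     invalidates whatever ID was presented.
  2. Cookie theft: the session cookie is set with HttpOnly (not readable by
     page scripts), Secure (sent only over HTTPS) and SameSite=Strict.

All names here are assumptions for this example, not a real framework's API.
"""
import secrets
import time

SESSION_TTL_SECONDS = 15 * 60  # sessions are temporary: 15 minutes idle


class SessionStore:
    def __init__(self):
        # session_id -> {"user": str or None, "last_seen": float}
        self._sessions = {}

    def _new_id(self):
        return secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG

    def start_anonymous(self):
        """Pre-login session (e.g. a shopping basket)."""
        sid = self._new_id()
        self._sessions[sid] = {"user": None, "last_seen": time.time()}
        return sid

    def login(self, presented_sid, username, password_ok):
        """Authenticate and ALWAYS rotate the session ID.

        `presented_sid` is whatever the browser sent (cookie or URL). It may be
        attacker-chosen, unknown, or expired; it is never promoted to an
        authenticated session.
        """
        if not password_ok:
            return None
        # Drop the presented ID whether or not the server knows it.
        self._sessions.pop(presented_sid, None)
        new_sid = self._new_id()
        self._sessions[new_sid] = {"user": username, "last_seen": time.time()}
        return new_sid

    def user_for(self, sid):
        """Return the logged-in user for `sid`, or None if unknown/expired."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if time.time() - entry["last_seen"] > SESSION_TTL_SECONDS:
            del self._sessions[sid]  # expired: forget it
            return None
        entry["last_seen"] = time.time()
        return entry["user"]

    def logout(self, sid):
        self._sessions.pop(sid, None)


def session_cookie_header(sid):
    """Set-Cookie header with the attributes that limit cookie theft."""
    return (f"Set-Cookie: SESSIONID={sid}; Path=/; HttpOnly; Secure; "
            f"SameSite=Strict; Max-Age={SESSION_TTL_SECONDS}")


def fixation_attempt_fails(store):
    """Replay the fixation scenario against the store.

    Returns True when a pre-supplied session ID does NOT become the victim's
    authenticated session.
    """
    planted_sid = "PLANTED-SESSION-ID"  # constructed value for the example
    # The victim arrives with the planted ID and then logs in.
    victim_sid = store.login(planted_sid, "alice", password_ok=True)
    # The planted ID must be useless afterwards; only the new ID is valid.
    return (victim_sid != planted_sid
            and store.user_for(planted_sid) is None
            and store.user_for(victim_sid) == "alice")


if __name__ == "__main__":
    s = SessionStore()
    print("fixation blocked:", fixation_attempt_fails(s))
    print(session_cookie_header("example"))
```

The important line is the `pop` inside `login`: the server does not check whether the presented ID "looks valid" before rotating, it simply never reuses it. A real application would also bind the session to logout and re-authentication events in the same way.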
Phishing may also involve creating fake e-shops or other sites. To make such sites more noticeable, fraudsters lure individuals with low prices, fast delivery of goods or other benefits. Search engines are used to reach the target audience and direct it to such sites. Data is stolen when a targeted individual tries to register or buy goods on such a site.
Fraudsters might also take advantage of existing legitimate sites by altering an IP address so that the individual is redirected to a fake site rather than the site he/she intended to visit.
Sending links or other references to files infected with viruses is also a very popular technique. Such files infect computers or other devices and might be programmed to ask the user to re-type passwords or other credentials when connecting to online banking or other remote services, solely in order to pass that information on to fraudsters.
Firstly, it is important to understand that phishing and data theft can take place anywhere, in any form and at any time, so you need to be constantly attentive and alert.
Secondly, take precautions to keep the devices you use safe:
- Use tools and software that help keep your computer or other device secure (antivirus programs, etc.). Download such tools and software only from official and trusted sources, and keep them up to date.
- Avoid visiting obscure and unreliable sites, registering on them or downloading files from them. Such sites may contain links or files that can infect your computer or other device with viruses that collect your personal data.
- After using your personal account, log out of it and close the browser window.
- Choose secure and strong passwords consisting of numbers, letters and other symbols. Do not use easy-to-guess passwords (e.g. 12345, just your first or last name, or your date of birth). If you have several different accounts, always use a different password for each of them.
- When creating accounts or email addresses, choose service providers that offer two-factor authentication (e.g. a password and a phone number).
Thirdly, note that legitimate institutions and service companies (e.g. banks or other financial service providers) do not ask their clients to disclose their login passwords or other credentials. Such information is personal and only you are allowed to know it. If such information becomes known to third parties, you must immediately inform the service provider about this and change your passwords or other credentials.
Fourthly, if you receive a request for sensitive information, pay attention to the following:
- The sender's address. Check whether the details of the institution/company in the email or other message match the data published on its official website or other public sources. Institutions/companies usually use their own dedicated mailboxes rather than publicly available general mailboxes (e.g. @gmail.com, @yahoo.com, etc.).
- Text quality and content. Deceptive emails or messages often contain clerical or stylistic errors. The text might have been translated literally, without following the rules of the language (using publicly available translation programs). The text may also use colloquial language, or inaccurate names or legal forms of institutions or companies (e.g. a public authority may be referred to as a company). The reasons or other circumstances for contacting you may be described so generically that they could fit any situation (e.g. the police department allegedly informs you that your login details for banking services have been stolen and you need to change them immediately, but does not even name the bank).
- The links provided. Fraudulent links often contain a series of numbers or unfamiliar web addresses. If you aren't sure a link is legitimate, don't click it.
- Likelihood of the request or offer. Assess whether you could have expected such a letter and whether it is in line with the real facts or normal practice (e.g. you receive an email saying you have won a lottery even though you have not taken part in any lottery; you receive a message supposedly from your bank, even though it never sends messages that way).
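The four indicators in the list above (sender address, text quality, links, and plausibility) can be applied mechanically to a plain-text email, which is how mail filters and security teams triage suspicious messages. Below is an added example, not code from the original guide: a small checker that takes the sender, subject and body of a message together with the official domain the institution publishes on its own website, and returns the indicators that fire. The sample messages are constructed for this example, and all names in the code (phishing_indicators, FREE_MAIL_DOMAINS, URGENCY_PHRASES, the domain bank.example) are assumptions.

```python
"""
Added example: apply the phishing indicators listed in the guide to a
plain-text email and return the ones that fire. Constructed samples only;
every name and domain below is an assumption for this illustration.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Publicly available general mailboxes a legitimate institution would not use.
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}
# Wording that demands a very quick reaction or threatens consequences.
URGENCY_PHRASES = ("immediately", "within 24 hours", "legal action",
                   "account will be blocked", "final notice")
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)
ADDR_RE = re.compile(r"<?([^<>\s@]+@([^<>\s@]+))>?\s*$")


def _domain_of(address):
    """'Bank Name <alerts@bank.example>' -> 'bank.example' (lower-cased)."""
    m = ADDR_RE.search(address.strip())
    return m.group(2).lower() if m else ""


def _host_is_ip(host):
    """True when the link host is a raw IP address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _under(domain, official):
    """True when `domain` is the official domain or one of its subdomains."""
    return domain == official or domain.endswith("." + official)


def phishing_indicators(sender, subject, body, official_domain):
    """Return a list of indicator strings; an empty list means none fired."""
    official = official_domain.lower()
    found = []
    # 1. The sender's address: public mailbox, or domain not the official one.
    sdom = _domain_of(sender)
    if sdom in FREE_MAIL_DOMAINS:
        found.append(f"sender uses a public mailbox ({sdom})")
    elif not _under(sdom, official):
        found.append(f"sender domain {sdom!r} does not match {official!r}")
    # 2. Text content: urgency/threats and wording that fits any recipient.
    text = f"{subject}\n{body}".lower()
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        found.append("urgent/threatening wording: " + ", ".join(hits))
    if re.search(r"dear (customer|client|user)\b", text):
        found.append("generic greeting, recipient not named")
    # 3. Links: raw IP addresses or hosts outside the official domain.
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if _host_is_ip(host):
            found.append(f"link points at a raw IP address: {host}")
        elif not _under(host, official):
            found.append(f"link host {host!r} is not under {official!r}")
    return found


# Constructed sample messages (not real mail); bank.example is a placeholder.
SUSPICIOUS = dict(
    sender="Security Team <bank-security-team@gmail.com>",
    subject="Final notice: verify your account immediately",
    body=("Dear customer,\n"
          "Your login details have been stolen. Confirm them within 24 hours at\n"
          "http://198.51.100.23/secure-login or your account will be blocked."),
    official_domain="bank.example",
)
LEGITIMATE = dict(
    sender="Bank Example <statements@notify.bank.example>",
    subject="Your March statement is ready",
    body=("Hello Alice,\n"
          "Your statement is available at https://online.bank.example/statements."),
    official_domain="bank.example",
)

if __name__ == "__main__":
    for label, msg in (("suspicious", SUSPICIOUS), ("legitimate", LEGITIMATE)):
        print(label, phishing_indicators(**msg))
```

The fourth indicator in the list, whether the message was plausible at all, cannot be checked from the text alone; it depends on what you actually expect from the institution, which is why the guide ends by telling you to verify through contact details you look up yourself.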
If you have any doubts about an email or message you have received, contact the institution/company that allegedly contacted you using the contact details publicly available on its official website or another reliable source.