First, they gain trust. Then, they gain unauthorized access. All it takes is a few seconds to be phished
By Raja TN, Co-Founder & CTO of ClearTrust
$3.2 million were lost in 2022 due to phishing emails. For businesses, emails are one of the most common ways of deceiving employees into revealing confidential information like usernames, passwords, online banking details, etc.
It is high time we start understanding this term known as ‘phishing’ as businesses are not the only ones susceptible to such attacks anymore. As technology takes over our daily lives faster than ever before, the bad actors (fraudsters) have grown in numbers and so have the ways in which these attacks are incorporated.
Currently, the medium in trend is text messages through which the bad actors send a seemingly genuine message asking the users to clear an outstanding amount on their electricity or credit card bills. They are further pushed by giving a deadline supported by a strong subsequent action that would be taken if they fail to clear the dues, like blocking of card or cutting off the electricity.
There are several mediums through which these frauds can be executed. Let us understand them in detail.
Mediums used for phishing attacks
Technically termed as ‘spear phishing,’ it is a highly personalized and targeted fraud. After researching on platforms like LinkedIn and Facebook as well as using machine using algorithm to scan massive amounts of data, the fraudsters first gather a list of employees working in an organization. Post that, they draft a highly personalized email and send it across along with some malicious links attached.
When such mails reach the employees’ inbox, they are bound to open it given the seemingly personalization factor. They may be asked to click on the links to complete a survey form or open a password-protected document by supplying their user logins and other work-related credentials. Once done, they are redirected to a fake page and a malware is installed on their device that grants access to various confidential documents and other data on the employee’s device.
In case of stolen information like passwords, fraudsters commit credential stuffing attacks i.e., using stolen credentials to attempt logins to unrelated services.
Apart from employees, the top management of an organization can also be exposed to such attacks through emails. In sever cases, the patents and financial information of the company can also be compromised if the attack is highly sophisticated.
- Text Message
As discussed before, text message is the most used medium currently. It works well for the fraudsters as people with little or no knowledge of the source of a genuine message fall into the trap and usually end up compromising their details. Through text message, the message is sent to large number of people at the same time without any personalization. Like spear phishing, these messages consist of malware attached links that redirects the recipient to a fake webpage asking them to clear certain outstanding payments by providing personal details.
You may wonder how these messages sent from fake or unidentified numbers do not catch the attention of the user. This is due to the lack of knowledge about the short codes used by brands and government agencies while sending periodical updates and offers.
For example, if you have an account with SBI, the short codes used by the bank are SBIBNK, SBIINB, SBIPSG, SBYONO etc. In case of a fake message, the code might be slightly tweaked such as SBBNK, SBIJD, etc.
- Phone Calls
An attack executed through phone calls is known as ‘vishing’. The term originates from voice phishing which means phishing attacks using voice. It is natural for a user to be tricked easily when they are told that their bank account or any other digital asset or utility service shall be temporarily blocked due to certain reasons. More than the reason, the focus shifts to immediate efforts that they must take to ensure that they are out of the radar of experiencing an account suspension or a similar unpleasant action. This is where their painful nerve is gently pressed by the fraudsters.
In a typical banking phishing scam, an imposter/fraudster disguises himself/herself as a bank representative and calls a customer. Initially, a few details about the customers are verbally disclosed such as name, date of birth, etc. to win their trust. Post that, the customers are prompted to disclose confidential information such as bank account number, CVV number, OTPs, ATM Pins etc. by citing security reasons such as blocking an unauthorized transaction, payment initiated to avoid a penalty, availing an upgraded card service, etc. Once the credentials are obtained, the fraudsters may execute multiple transactions through online shopping etc. by using such details.
As we decode the amount of sophistication involved in executing these frauds, the above-mentioned mediums and red flags are things we must be aware of. Apart from this, any message/email which asks for your confidential information or creates a sense of urgency must be dealt with patience. In case of banks, always approach the customer service on receiving such messages before providing any sensitive details.