
Help, I clicked on a phishing link. What can I do now?


A recent survey conducted by NordVPN found that around 50% of Europeans have received a phishing message. One in ten admitted to having fallen for the scam, trusting the message and suffering the consequences.

Phishing attacks come in different forms, but they all share one goal: to induce users to disclose personal or confidential information such as login credentials, account data, personal details and so on.

What phishing attacks are and how they can occur

As anticipated in the introduction, phishing attacks are fraudulent attempts to obtain information from other people: usernames, passwords and financial details. Attackers imitate legitimate communications from trusted entities. The goal is to win the victim's trust, so that no doubt arises about the danger and illegitimacy of the message received.

Criminals who build phishing campaigns usually design them so that the messages closely resemble the style and branding of communications from well-known organisations.

The quiz on recognising online scams developed by Jigsaw (Google) is an excellent training ground that we suggest you try. It tests your ability to spot phishing messages, even the best-constructed ones, and to distinguish them from legitimate communications.

The most attractive targets for cyber criminals

Among the entities most targeted by phishers are banks and financial institutions: criminals try to obtain financial information and access to users' accounts. Technology companies and online service providers are also popular targets, since they store large amounts of information about their users, including personal data.

Then there are e-commerce platforms and online payment sites, common targets because they handle financial information and credit card details. Government institutions, healthcare organisations and medical service providers are not excluded from cybercriminals' attention, nor are social media, a wide range of other online platforms, universities and other educational institutions.

Some examples of phishing: fake emails and sites

The most common example is the phishing email: a fake message in which scammers "mimic" the communication style of companies and institutions. The objective is to persuade the victim to visit a web page created for the purpose and enter their data and credentials there. Attackers can also attach malicious files which, once opened, infect the user's device.

Attackers also create counterfeit websites that imitate legitimate pages and try to harvest personal data and confidential information. To defend yourself, it is essential to understand the structure of URLs, i.e. how the addresses shown in the browser bar are built.

Let's take a very simple example. Regardless of whether HTTPS is used (the padlock only means the connection is encrypted, not that the site is genuine), securelogin.poste.it is evidently a legitimate URL belonging to Poste Italiane, while poste.italiane.loginsicuro.xyz is a phishing site. The real domain name is the first one you read proceeding from right to left, starting from the TLD (for example .it, .com, .xyz, ...). In our fictional example it is loginsicuro.xyz, which has no connection whatsoever with Poste Italiane and should be avoided like the plague; everything to its left (poste.italiane) is just a subdomain the attacker chose freely.

The use of less common TLDs often helps attackers imitate the names and brands of famous companies: we also discuss this in the article on how the new .zip and .mov domains are being used for online scams.
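The rule above (read the hostname from the right, starting at the TLD, and ignore everything the attacker can choose freely) can be turned into a small checker. The code below is an added example for this article, not code from the original page; the sample URLs and the allow-list are constructed, with poste.it being the one domain the article itself calls legitimate. It deliberately simplifies one point: the registrable domain is taken as the last two labels of the hostname, which is wrong for multi-label suffixes such as co.uk, so real code should consult the Public Suffix List (for instance via the tldextract package).

```python
"""Read a URL the way the article says to: from the right, starting at the TLD.

Added example for this article, not code from the original page. Sample URLs
and the TRUSTED allow-list are constructed. Assumption: the registrable
domain is the last two hostname labels (no Public Suffix List lookup).
"""
from urllib.parse import urlsplit

# Brand keyword -> registrable domains that brand really uses for logins.
# Constructed allow-list; extend it with the domains you actually trust.
TRUSTED = {"poste": {"poste.it"}}


def hostname_of(url: str) -> str:
    """Return the lower-cased hostname, with or without a scheme in the input."""
    parts = urlsplit(url)
    # urlsplit only recognises a host when a scheme or '//' is present, so a
    # bare 'securelogin.poste.it' is re-parsed with '//' in front of it.
    if not parts.netloc:
        parts = urlsplit("//" + url)
    host = parts.hostname  # lower-cased; port and any 'user@' prefix removed
    if not host:
        raise ValueError(f"no hostname in {url!r}")
    return host.rstrip(".")


def registrable_domain(url: str) -> str:
    """Last two labels of the hostname: the part a phisher cannot fake."""
    labels = hostname_of(url).split(".")
    return ".".join(labels[-2:])


def classify(url: str, brand: str) -> tuple:
    """Classify a URL relative to a brand keyword.

    Returns (registrable_domain, verdict), where verdict is
      'legitimate' - the registrable domain is on the brand's allow-list
      'lookalike'  - the brand name appears in the URL, but the registrable
                     domain is not one the brand uses
      'unrelated'  - the brand name does not appear at all
    """
    reg = registrable_domain(url)
    if reg in TRUSTED.get(brand, set()):
        return reg, "legitimate"
    # Search the whole URL, not only the host: in
    # 'https://www.poste.it@evil.example/' the brand sits in the user-info
    # part and the real host is whatever follows the '@'.
    if brand in url.lower():
        return reg, "lookalike"
    return reg, "unrelated"


if __name__ == "__main__":
    samples = [  # constructed examples
        "securelogin.poste.it",
        "HTTPS://SecureLogin.Poste.IT:443/login",
        "https://poste.italiane.loginsicuro.xyz/login",
        "https://www.poste.it@phish.example/login",
        "https://poste.it-documenti.zip/",
        "https://example.org/",
    ]
    for s in samples:
        reg, verdict = classify(s, "poste")
        print(f"{verdict:10s} {reg:24s} {s}")
```

Two details are worth noting: the hostname is compared case-insensitively and with the port stripped, so "HTTPS://SecureLogin.Poste.IT:443" resolves to the same poste.it as the plain address; and anything before an "@" in the authority part is user-info, not the host, which is why the brand keyword is searched over the whole URL rather than only the hostname.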

Smishing, vishing and social engineering

Phishing attempts are increasingly widespread on instant messaging platforms too but, even more so, they arrive as SMS. Smishing, i.e. receiving fraudulent SMS messages that invite you to provide personal information or click on malicious links, is increasingly commonplace.

Phone phishing (vishing) has also seen a real explosion: here attackers pretend to be staff of banks and financial institutions and use social engineering to extract strictly personal information from their victims.

Psychological manipulation, which relies on persuasive approaches or outright threats (such as an invented imminent closure of an account), is one of cybercriminals' favourite levers.

Spear phishing and whaling

Rather than sending large-scale email campaigns or scam messages, some phishers prefer to go straight for "the bigger fish". Spear phishing is the most targeted form of attack: the criminal looks up specific information about the potential victim, studies their interests, work and private life, and then crafts and sends an even more convincing message, precisely because it is personalised. Spear phishing is generally used to target executives or high-profile people.

Whaling, finally, targets high-level executives or individuals in positions of power within a company. These attack methodologies often exploit a sense of urgency or fear to push the victim into immediate action, such as transferring money or sharing data that should instead be kept secret.

What to do if you have fallen into the phishing trap

The figures shared by NordVPN are disarming: 7% of Europeans receive at least one phishing message a day; 72% have been phished via email, 59% have received a phishing SMS on their phone and around a third have received a phishing message on a messaging platform (such as WhatsApp or Messenger).

Almost a tenth (7%) of Europeans hit by a phishing attack have lost money or their login credentials (username and password).

If you have unfortunately handed personal information to an attacker, for example by filling in a form on a fake website, the first thing to do is act calmly but, at the same time, with the utmost determination. Below are some effective tips to get out of trouble quickly and limit the risk.

Change the login password

If you have provided highly sensitive data such as the access credentials for an online service, the first thing to do is change that password. Do it by going directly to the genuine site (type the address yourself or use a saved bookmark), never through a link in the suspicious message. In this regard, remember that it is always important to choose a strong password and never reuse it to access other platforms.

Cybercriminals routinely try the same credentials on multiple platforms (so-called credential stuffing), exploiting the fact that many users still do not differentiate their logins; if the password you handed over was also used elsewhere, change it on every service that shared it. In general, passwords should be long, unique and hard to guess.

Turn on two-factor authentication (2FA)

Enabling two-factor authentication is an essential tool for protecting yourself effectively from phishing attacks. It is a security mechanism that adds an extra layer of protection: with 2FA, a second proof of identity is required in addition to the password, such as a fingerprint or a one-time code.

Even if the cybercriminal has the correct password for a given online service in hand, they will not be able to complete the login, precisely because each access must also be expressly approved by the user (for example by confirming on a smartphone, entering an OTP code, or using a physical token). Bear in mind that a one-time code can still be stolen if the fake page asks for it too and relays it to the real site straight away; a hardware security key, which checks the real address of the site it is talking to, is the option that resists this kind of relay.
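The two steps above (a fresh password, then a second factor the attacker does not hold) are what a service enforces at login time. The code below is an added example for this article, not code from the original page or from any particular service: a minimal server-side login check that accepts a user only when both the password and a time-based one-time code (TOTP, RFC 6238, the kind an authenticator app produces) are correct. The user record, password and salt are constructed; the TOTP secret is the reference seed from RFC 6238, so the codes match the RFC's published test vectors.

```python
"""Password + TOTP login check, as the 2FA section describes.

Added example for this article, not code from the original page.
The user record is constructed; SEED is the RFC 6238 reference secret.
"""
import hashlib
import hmac
import struct
from typing import Optional

TOTP_STEP = 30     # seconds each code is valid for
TOTP_DIGITS = 6
TOTP_WINDOW = 1    # also accept the previous and next step (clock drift)


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = TOTP_STEP) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step)


def verify_totp(secret: bytes, code: str, at: int,
                window: int = TOTP_WINDOW) -> bool:
    """Compare in constant time against the codes of the surrounding steps."""
    counter = at // TOTP_STEP
    return any(
        hmac.compare_digest(hotp(secret, counter + d), code)
        for d in range(-window, window + 1)
    )


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow salted hash so a stolen database does not give away passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed user store. SEED is the RFC 6238 reference secret; the fixed
# salt keeps the example deterministic (real code draws a random salt).
SEED = b"12345678901234567890"
SALT = b"\x00" * 16
USER = {
    "username": "mario",
    "salt": SALT,
    "password_hash": hash_password("correct horse", SALT),
    "totp_secret": SEED,
    "totp_enabled": True,
}


def login(user: dict, password: str, code: Optional[str], at: int) -> str:
    """Return 'ok' only if the password AND a valid one-time code are given.

    A phisher who captured just the password gets 'denied: second factor
    required'. Note that a fake page asking for the code as well and relaying
    it within the 30-second window still gets through: TOTP is not
    phishing-resistant the way a FIDO2 security key is.
    """
    candidate = hash_password(password, user["salt"])
    if not hmac.compare_digest(candidate, user["password_hash"]):
        return "denied: bad password"
    if not user["totp_enabled"]:
        return "ok (no 2FA)"
    if code is None or not verify_totp(user["totp_secret"], code, at):
        return "denied: second factor required"
    return "ok"


if __name__ == "__main__":
    now = 59  # RFC 6238 test instant; code for the SHA-1 seed is 287082
    print(login(USER, "correct horse", None, now))         # password only
    print(login(USER, "correct horse", totp(SEED, now), now))  # both factors
```

The window of plus or minus one step is the usual compromise between tolerating a slightly wrong phone clock and limiting how long a captured code stays usable; servers should additionally remember the last counter accepted for each user so the same code cannot be replayed within that window.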
