Phishing (the name comes from the English word "fishing") is a set of techniques attackers use to obtain personal information. Just as fishermen use a variety of methods to catch fish, phishers use a variety of methods to "hook" their prey, but one of those tactics is far more common than the rest.
In a phishing attack it is the user who hands the scammer all the important information. The victim receives an email or text message from a sender posing as a person or organization they trust. When the recipient opens the message, they find text urging them to go to a website and take certain actions immediately to avoid serious consequences.
Examples of common phishing scams:
1. Phishing to hack accounts or social networks.
The victim receives a notification that their account has been hacked, asking them to follow a link and enter their details to protect it. The scammer then blocks the victim's access to the account and starts messaging the victim's closest contacts, asking to borrow money or the like. This type of phishing is not limited to social networks: the victim may also lose access to a crypto wallet with funds in it.
2. Phishing for banking information.
The best-known example of this type is the alleged Nigerian prince who needs help withdrawing money, or a long-lost relative who offers to share an inheritance.
3. Clone phishing.
This is the most dangerous type of attack: the attackers copy a genuine message or website. For example, a customer receives an email from Sberbank with an account statement, or one from PayPal or Amazon asking them to verify their account. The scammer replaces the links or attachments in the email with malicious ones disguised as legitimate. By clicking the link or opening the attachment, the victim gives the attacker access to their computer through malware.
Malware is a catch-all term for any type of malicious software designed to harm or exploit a programmable device, service, or network.
Malicious programs include any software that installs itself on a device without authorization. Such applications cause direct or indirect damage: they disrupt the computer's operation, display additional advertising, or steal the user's personal data, down to SMS codes and two-factor authentication codes.
How to avoid phishing and malware?
Always check the link you are sent carefully: rearranged letters in the site name are a clear sign of a fake page. Instead of replacing the URL in the address bar, phishers may also draw a fake browser window inside the real browser page and control everything shown in it. Links on fraudulent sites often contain errors or point to third-party sources. Pay attention to the address actually shown in the browser bar.
Before entering a login and password, check that the connection is protected by HTTPS. Check what you type into forms, and do not enter personal data or bank card details for prize draws or similar events. Even if a suspicious message with a link or a request comes from a family member, colleague or acquaintance, remember that their account may have been hacked.
Always check the account name and whether a phone number is listed, since an account can be copied in full. This applies to accounts in the apps and websites of banks, tax authorities, online stores, travel agencies, airlines, and so on. Check work accounts too, as they can be forged from their typical features.
Pay attention to the detailed design of websites: the distinctive features of the layout and the forms used.
A file sent by a friend or colleague may turn out to be a spyware or ransomware Trojan, as may email and message attachments.
If you receive a suspicious email, check whether the sender's email address matches their name. See whether the email has been authenticated, and before clicking a link, hover over it and look at the address that appears in the browser status bar. If the URL doesn't match the description in the email, the link may lead to a phishing site. Check the message headers to make sure the "From" line contains the correct name. If you receive an unexpected suspicious message, contact the sender in some other way to make sure they really sent it.
A few more tips
● Try to enable two-factor authentication on all your existing accounts. This step helps even if your master password has become known to attackers.
● Delete all obsolete and unused accounts.
● Regularly update the passwords for email and corporate accounts.
● Don't reuse the same password across accounts.
● Respond immediately to even the slightest hint of suspicious activity: change passwords, block the scammers, and run a deep antivirus scan.
What to do if you got caught anyway
Run an antivirus scan on your PC and smartphone.
Immediately change the stolen password on every account where you use it.
Set up two-factor authentication.
If you accidentally provided your card details or an SMS code, call the bank, block the card, and review any potentially fraudulent transactions.