CLOUDY podcast | #05 If it were really serious, I definitely wouldn't have just received an email.
So what is phishing?
It is some kind of fraudulent behavior on the Internet with the aim of obtaining personal, sensitive or valuable data. In general, these are emails, and basically the whole idea is that the attacker creates some kind of bait that looks real, whose purpose is to obtain sensitive information. And the one who falls for such phishing is like that little fish.
Very often we encounter emails in which attackers impersonate various organizations such as the post office or a bank, and the attackers want to obtain data, e.g. in the style of: "You have received a shipment, we still need payment...". This also includes emails that say: "your grandfather died somewhere far away and left you some wealth"... that is also phishing. The range of scenarios is large.
A fraudulent email is not about trying to exploit some technological vulnerability. A phishing email is a legitimate email that has arrived, but the content itself uses social engineering techniques, that is, it somehow tries to affect our psychology and how we function as human beings.
Most phishing emails try to create a sense of urgency. "Pay by the next day so you don't miss out on the shipment." or "Change your password now because the link expires in 24 hours."... The sense of urgency is one of the social engineering techniques.
I have never seen an email where, if I didn't act right now, something terrible would happen. It wouldn't have come to me by email. It's a good idea to measure twice, cut once. You need to distance yourself from such a message and verify the information through an alternative channel.
What does phishing involve? What are its levels?
As I see it, there are three levels of phishing. The first is a kind of "elementary school": the email "You won..." or the email with the inheritance... There is broken Slovak, bad formatting, scattered images... you simply know at first glance that it is phishing.
Then there is the second level - "high school". These are already targeted attacks on a company. It does not have to be on the whole company, but for example on the HR department, marketing, or the finance department. A tailor-made scenario is created and the attacker sends the email to specific departments. Even the formatting, images and spelling are right, so the email looks more trustworthy.
The third level - "college" is aimed at specific people, mostly senior management, that is, the so-called "whales" of the company - that is why it is called "whaling". These are entire campaigns where attackers create fake companies that are registered, communicate legally in advance, create fake profiles, block numbers, etc. It is a team of people who manage the whole thing. Of course, this requires a lot of effort.
How to recognize phishing when it is really well done?
This can be a problem even for experienced users. First of all, you need to realize that all the technical measures can be set correctly, but the end user is important. He must be cautious. In the end, the human factor is decisive.
Anyway, the basic way to recognize phishing is to notice elements in the email such as spelling, formatting, impersonal salutations (dear user, dear sir, etc.), a sense of urgency to perform some action (click, open, download, pay), or to notice what the address from which the email came looks like (subtle typos in the name of the bank, etc.). Or links: you need to move the cursor over the link before clicking to see if it is really a relevant link.
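The indicators listed in this answer (a sender domain with a subtle typo, link text that does not match where the link actually goes, urgency wording, an impersonal greeting) can be checked mechanically. The script below is an added example written for this page, not material from the podcast or its speakers; it parses a constructed sample message with the Python standard library and reports which indicators it finds. The domains, addresses and the list of "expected" sender domains are placeholders chosen for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample messages (not real emails). Domains and IPs are placeholders.
SUSPICIOUS_EMAIL = """\
From: "Example Bank" <security@examp1e-bank.com>
To: user@example.org
Subject: Urgent: verify your account within 24 hours
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear user,</p>
<p>Your account will be suspended. Verify now:
<a href="http://198.51.100.7/login">https://www.example-bank.com/login</a></p>
</body></html>
"""

BENIGN_EMAIL = """\
From: "Example Bank" <notice@example-bank.com>
To: user@example.org
Subject: Your monthly statement is available
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Hello Jana,</p>
<p>Your statement can be viewed under
<a href="https://www.example-bank.com/statements">Statements</a>.</p>
</body></html>
"""

# Assumption for the example: the domains this organisation legitimately sends from.
EXPECTED_DOMAINS = {"example-bank.com"}
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "suspended", "expires")
GENERIC_GREETINGS = ("dear user", "dear customer", "dear sir", "dear madam")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags and all visible text."""

    def __init__(self):
        super().__init__()
        self.links = []        # (href, visible link text)
        self.text_parts = []   # every text node, for keyword checks
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        self.text_parts.append(data)
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL; bare 'www.x' link text is given a scheme so it parses."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()


def analyse(raw):
    """Return a list of human-readable indicators found in the raw message."""
    msg = message_from_string(raw)
    findings = []

    # 1. Sender address: does the domain match what the organisation really uses?
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if sender_domain and sender_domain not in EXPECTED_DOMAINS:
        findings.append(f"sender domain '{sender_domain}' is not an expected domain")

    # 2. Links: visible URL text that differs from the real target, or raw IP targets.
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    parser = LinkCollector()
    parser.feed(body)
    for href, text in parser.links:
        if re.match(r"^(https?://|www\.)", text) and host_of(text) != host_of(href):
            findings.append(f"link text '{text}' points to '{href}'")
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host_of(href)):
            findings.append(f"link target uses a raw IP address: {href}")

    # 3. Wording: urgency and impersonal greeting, in subject and body text.
    plain = " ".join(parser.text_parts + [msg.get("Subject", "")]).lower()
    findings += [f"urgency wording: '{w}'" for w in URGENCY_WORDS if w in plain]
    findings += [f"impersonal greeting: '{g}'" for g in GENERIC_GREETINGS if g in plain]
    return findings


if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS_EMAIL), ("benign", BENIGN_EMAIL)):
        print(name, analyse(raw))
```

None of these checks proves a message is phishing on its own; a legitimate notice can use urgent wording and a marketing mail can link through a tracking host. The value is in surfacing the same cues the speaker lists so that a reader, or a mail gateway rule, can decide to verify through another channel before acting.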
Can phishing have a goal other than obtaining data, e.g. for a payment card?
Phishing is often not the primary goal. Of course, there are phishing attacks whose goal is to obtain this very sensitive data, but the goal of phishing can also be to “open the door” to the company’s infrastructure. To find the error and then offer this “door” to someone else.
If I realized that I made a mistake and entered the data, what should I do?
The first step is to contact the bank, for example. Ask to reset the password, stop the payment, freeze the account. It is possible that the payment can still be stopped. Or then resolve the situation through the police.
Can we somehow express how successful such a phishing campaign can be?
As for success, phishing has a very low success rate. Maybe a few percent. It should be remembered that sending email messages is very cheap. We are talking about tens, maybe hundreds of euros.
But scammers know how to send that email to a large number of people and of course, the majority of those people won't respond, they'll throw away the email, that's a known fact... But there's always a percentage that responds, enters the payment details, and that's usually enough for the attackers to make a profit on a global scale.
What did I do wrong if I receive a phishing email?
The mistake could have been completely trivial, that I am on some forum, for example on LinkedIn, and I have my email address published there. There are real crawlers in the public space that collect these addresses from the Internet.
The second possibility is that I did not make the mistake, but, for example, I was shopping on some website, and someone stole the data from that company.
Where else can this lead? What awaits us in the future?
The campaigns that target us will be more sophisticated, so it is as if that "high school" level will also move among ordinary users.
You can listen to the entire podcast on SPOTIFY or watch it on YouTube.