iCard BlogiCard BlogiCard BlogiCard Blog
  • Go to iCard.com
  • English
    • English
    • български
    • Italiano
    • Română
Next Previous

Learn How These 9 Phishing Attacks Work

Pavel Panayotov Pavel Panayotov 22 April, 2020
How to stay protected from phishing

Identity theft for the sake of stealing someone’s money (or not) is a very real crime. Bringing fraudsters to justice is an intense exercise that requires the international collaboration of investigators and bank officials. 

Having a sophisticated AI that tracks suspicious account activities to protect your money is only the second step. Avoiding phishing and scams is a matter of proactive attitude towards the risks, which naturally includes education as the first step. 

At iCard, we believe that working together with you is the most optimal recipe for cracking down on malicious actors who aim to ruin our excellent reputation and steal your money.

We compiled this informative guide to show you how to best stay protected – what to do and what to avoid. 


What is phishing exactly?

What is phishing


The main goal of phishing (fishing) is to trick people into revealing information that can be used for monetary gains (and damage). It is a malicious attempt to hook you into revealing personal information that can be used by hackers to steal your identity or money. In most forms described below, it is an attempted computer scam that aims at collecting personal information such as 16-digit debit card number, expiry date, date of birth, national insurance number, a password for online banking and so on.


Tactics behind phishing attacks

Avoiding hackers phishing tactics


Scammers cast their nets or shoot their spears at small fish, big fish and even whales. Whatever the catch, they are happy to rip it off. 

Targeted phishing attacks

The first step usually involves gaining your trust via an unsolicited message. To do that, scammers may pose as someone you know – your financial institution, phone company, tech support, your boss, etc. Watch out for unexpected messages that request private information in order to solve a technical problem for you. 

Mass scale phishing scams

Going mass scale requires the same amount of precision, not targeting a specific person, but people with similar interests. These tactics usually include a close of a real and trusted page, such as Gmail, PayPal, Amazon or a banking website. Getting the malicious links to people can work via many channels, including hijacking search results.


The 9 types of phishing

Phishing attacks differ, based on method, target and channel. Let’s explore all:


Email phishing

This is the most common type of phishing because it’s simple and cheap to execute on a mass scale. It attempts, as usual, to gain your trust and reveal financial or personal information that will be sufficient for purchasing things with your debit/credit card, take out loans in your name or transfer money out of your bank account. How? The email message may come from a spoofed email address that makes it appear as if it is coming from a recognized person. This email may contain any sort of urgency, like a suspicious transaction with a link to a replica website, where you enter and reveal your username and password.


Vishing (VoIP + Phishing)

vishing attack

Going beyond email, con-artists may target people by phone. Spoofing a phone number is super easy, so you need to be very careful. The fraudster can call and present him or herself as someone you trust – your bank, your internet provider, your phone company, etc. The effort usually aims at having you reveal personal information such as account number, a password, even ask you about your last few transactions on a given debit card – any information that can be used maliciously to access your finances.


Smishing = SMS + Phishing

smishing attack

Similar to Vishing, smishing is an attack launched via the potential victim’s phone number. It aims to extract valuable information, not by social engineering in a conversation, but like any other method that uses fake links. A fraudulent text message definitely comes with an element of urgency and a request to take action. Taking action would require that you click a link, which will, of course, try to infect your phone with malware. In any case – do not follow the link prior to inspecting it. If you are unsure what to do, call the sender and let them know what is happening.


Spear phishing

spear phishing

This, as the name implies, is precision phishing. A prerequisite is that the hacker already has collected a lot of specific information about the victim, e.g. position in a company, full name, even the names of current business partners. The aim can be various, like infecting the victim’s computer with malware and gaining access to a corporate network. The scammer sends a very customized email, carefully embedding the information that is already known, tricking the unsuspecting person to believe that the email is coming from a trustworthy source. Be very careful for fake URLs and email attachments that can contain a virus. This precision attack targets both companies and individuals to steal big amounts of money or leak sensitive information.


Domain spoofing

domain spoofing

This is a common variety of phishing where the hacker sends people to a fake domain name with a very similar sequence of characters, e.g. mybusiness.com and mybusinesss.com. Notice the difference?  This tactic is used to impersonate the company and trick employees or customers into providing sensitive information.


Clone phishing

clone phishing

The name of this tactic reveals it all – it is an attempt at phishing private information by perfectly replicating an email. This is an upgrade to standard email spoofing, which historically included a lot of typos, bad grammar and other signals for fraud. The clone phishing can target employees and customers of a business. The perfect resemblance of the cloned email replica is very good at accomplishing an attack.


Whale phishing

whale phishing

Whaling or CEO fraud, as you may have guessed already, are attacks that target high-profile individuals like directors, vice presidents, CFO, COO or any other senior executive. It’s very similar to spear phishing, except the target is a big whale, not small fish. In this case, big does not mean easy to catch. Scammers take many months of researching these VIP personas – their contacts, schedules and sources – anything that can be used to target with precise information. Aiming at big targets means that a successful attack can be a huge loss for the company.


Search engine phishing

search engine phishing

This is a new and very sophisticated phishing method that aims to gain your trust by taking over google search results. It may be a company that offers fantastic deals, that require your payment information. It may be a job search website that requires you to enter all your personal information, including your national insurance number. Another way for fraudsters to take advantage is to invest a very long time to optimize a fake bank website, then offer you amazing account or card deals that, of course, take all your private information without providing the service. 

Search engines, to a great extent, are able to catch these and prevent them, but you should always be aware of the possibility because even ads on google can be malicious and for example send you to a cloned version of your bank login page.


Watering hole phishing

Watering hole phishing

This sort of phishing attack involves observing the behaviour patterns of the target and more precisely – the websites they visit. The next step involves targeting one of the websites that the potential victim regularly visits. It needs to be a less-secure website that can be infected with malware. The attacker then waits for a re-visit to the now malicious webpage to start the attack on the victim’s computer or phone and extract the needed personal information.


Phishing leads to DATA BREACHES

Here are some phishing and fraudulent email statistics for 2019 (source retruster)

  • Phishing accounts for 90% of data breaches
  • The average financial loss of a data breach is $3.86 million (IBM)
  • 15% of people who have undergone phishing will be targeted at least once more within the year
  • Business email compromise (BEC) scams resulted in losses of over $12 billion (FBI)
  • Phishing attempts have grown 65% in the past year
  • Around 1.5 million new phishing sites are created every month (Webroot)
  • 76% of companies said they have been subjected to a phishing attack in the past year
  • 30% of phishing messages are opened by targeted users (Verizon)

Knowing this should definitely switch your defence on.


How to stay protected from phishing?

Stay protected from phishing


Due to the technical nature of phishing attacks, hackers are thought to be some sort of geniuses that are just better prepared to scam us, than we are to stay protected. It’s just wrong. Here is what you can do to avoid becoming a victim:

  • Double and triple check URLs before clicking any suspicious or unknown links
  • Do not open suspicious short links and emails
  • Change your passwords often
  • Educate yourself by reading articles like this or train your employees if you are a business owner or a manager
  • Check for secured websites – the padlock that is visible on HTTPS sites. Keep in mind that this is not always a perfect indicator of a website’s legitimacy. 
  • Keep your antivirus software, windows, android or any other system – up-to-date.
  • Never install software from unknown sources
  • Use 2-factor authentication whenever possible
  • Trust your guts
  • Report phishing attacks and scams to the relevant participants – affected businesses and authorities


How to protect your money?

As you know, protecting your money is our top priority here at iCard. For this reason, we’ve prepared another read that you should definitely go over, so you can be aware of the SIM swap scam. It’s one of the possible next steps for hackers, should you unconsciously become a victim of a phishing attack. 

There are many other ways you can get scammed online. Be proactive and well-informed, in order to avoid financial loss and time wasted resolving issues. 

One last piece of advice: Freeze your iCard debit cards with a tap after each use!


Looking for a top-rated and secure money app?
Download iCard and open an account on your phone:

4
Pavel Panayotov

Pavel Panayotov

As a Communication Manager, Pavel is engaged with creating user journeys and presenting iCard to the world. Contributions include education, activation and engagement strategies, as well as unified cross-channel product and brand awareness campaigns. In his free time, Pavel enjoys keeping up with innovations, marketing trends, friends, family and nature.

More posts by Pavel Panayotov

Leave a Comment

Cancel reply

Your email address will not be published. Required fields are marked *

  • You may also like

    Hello and Welcome to the iCard Blog!

    Read now

  • You may also like

    A Little Bit of Inspiration from iCard at InnoWave 2018

    Read now

  • You may also like

    Business Breakfast with iCard – Do Digital Wallets Have a Future in Bulgaria?

    Read now

  • You may also like

    How Virtual Cards Help You Stay Safe When Shopping Online?

    Read now

  • You may also like

    How SEPA vs SWIFT International Money Transfers Work Behind The Scenes

    Read now

  • You may also like

    The Ultimate Guide to Turning Money Into The Perfect Gift for Every Occasion

    Read now

  • You may also like

    Chat With Friends & Make Contactless Payments With e-GiftCards in iCard 5.0 – December wallet update

    Read now

  • You may also like

    7 of The Most Interesting and Sometimes Controversial New Year’s Eve Traditions Around The World

    Read now
Copyright © iCard AD 2020 | All Rights Reserved | Privacy Policy
  • Privacy Policy
iCard Blog

This website uses cookies to provide you the best user experience. To find out more about cookies, read our cookie policy.

logo
Cookie settings
We use "cookies" when you visit our website to provide you the best user experience. We give you the full opportunity to choose what information you would like to share with us, and you can control this by using the buttons on the right side of the page.
Necessary Cookies

These cookies are required in order to allow you to move throughout the website and use its functionalities, such as accessing secure areas of the website. Without these cookies the services you have applied for cannot be provided. These cookies are activated when you visit our website and remain active for the duration of your visit. These cookies allow us to provide you our service.

If you disable this cookie, we will not be able to save your preferences. This means that every time you visit this website you will need to enable or disable cookies again.

Statistical cookies

These cookies collect information about how you as a visitor use our website. For instance, which pages visitors go to most often and if they get error messages from web pages. This data in aggregate form is used to improve our websites and apps. This data is also used to identify whether customers may have specific interests needs based on pages they have visited within our websites/apps. These cookies allow us to provide you our service better.

Please enable Strictly Necessary Cookies first so that we can save your preferences!

Cookie Policy
What are cookies?

We use “cookies” and other technologies when you visit or use our websites or mobile apps. In this document you may find more information and details on about the cookies and the similar technologies as well as how to control them.
General information on cookies can be found here: http://www.allaboutcookies.org/

Use of Cookies
Our websites (including mobile) use cookies and similar technologies, which you can control in accordance with the present policy and the functionality of the websites. This policy applies additionally to any other Legal agreement, terms and conditions or contract provision for the iCard service being used by you. If you do not accept the use of cookies, please disable them by using the control panel (which loads when opening the websites).

Can I withdraw my consent (where applicable) to the use of cookies and similar technologies?
If you no longer consent to the use of consent-based cookies and similar technologies, please delete the cookies via your browser settings or use the control panel (which loads when opening the websites) . There is a brief instruction further in the policy below and you can find further information on deleting and blocking cookies here: http://www.aboutcookies.org/how-todeletecookies/

What are cookies and similar technologies?
Cookie is a small text file that a website saves on your computer or mobile device when you visit the site. It enables the website to remember your actions and preferences (such as login, language, font size and other display preferences) over a period of time, so you don’t have to keep re-entering them, whenever you come back to the site or browse from one page to another. Cookies are generated by the server of the visited website when the browser of your device loads it. The website sends information to the browser and creates a text file. Each time the user returns to the same website, the browser extracts this text file and sends it to the website’s server. The information that the cookie contains is specified by the server and may be used by the latter when the website is visited again by the user.
We use cookies to achieve different tasks such as like letting you navigate between pages efficiently and easily, remembering your preferences and generally improving your experience when browsing. We also use them to ensure that any ads you see on our websites or mobile apps and ads of other third-parties are more focused to you and your interests.
We also use similar technologies such as ‘pixel tags’ and ‘JavaScript’ to undertake these tasks. Pixel tags and JavaScript are tiny graphics files that contain a unique identifier that enable us to recognize when someone has our websites or mobile apps. This allows us, for example, to monitor the traffic patterns of users from one page within our websites or mobile apps to another, to provide or communicate with cookies, to understand whether you have come to our websites or mobile apps from via online advertisement displayed on a third-party website, to improve site performance.
If you visit our websites or mobile apps, we will deploy cookies and similar technologies to design an online service more suitable for your device, as well as to prevent and detect fraud. When you visit our website from any device we collect information about your use of the particular website, such as information about the device or browser you use to access the site (including device type, operating system, screen resolution, etc.), the way you interact with this site, and the IP address your device connects from. In many cases, the above said technologies are relying on cookies to function properly, and so declining cookies will impair their functioning, which means that you may not be able to exercise some activities within our secure online services unless these cookies or similar technologies are installed. Additionally, there might be a chance that we may not be able to process certain transactions if you are physically located in certain countries.
Cookies set by us are referred to as "first party cookies". Cookies deployed by parties other than us are called "third-party cookies". Third party cookies enable third party features or functionality to be displayed on or through the website/app. The parties that set these third-party cookies can recognize your computer both when it visits the website in question and also when it visits certain other websites.
We may not influence or control over third-party cookies. If you would like to find out more about the types of cookies which may be downloaded as a result, please visit the website of the third-party provider to do so.

Types of cookie inserted
There are different types of cookies which are usually split into the following categories, but note that not all these types will be used on our website or mobile app:

Necessary cookies
These cookies are required in order to allow you to move throughout the website and use its functionalities, such as accessing secure areas of the website. Without these cookies the services you have applied for cannot be provided. These cookies are activated when you visit our website and remain active for the duration of your visit. These cookies allow us to provide you our service. The use of these cookies is based on the legal basis of providing you access to our website and therefore are always active

Statistical cookies/Third-party cookies
These cookies collect information about how you as a visitor use our website. For instance, which pages visitors go to most often and if they get error messages from web pages. This data in aggregate form is used to improve our websites. This data is also used to identify whether customers may have specific interests needs based on pages they have visited within our websites. These cookies allow us to provide you our service better and are therefore based on our legitimate interests.

Functionality cookies
These cookies allow our website to remember choices you make and provide high level of personal features. These cookies can also be used to remember changes you have made to text size, fonts and other parts of web pages that you are allowed to customize. The information these cookies collect may be anonymized and they cannot track your browsing activity on other websites. These cookies memorize your preferences in order to provide you with the full functionalities of our website, and are therefore based on our contractual obligations towards you.

Cookies in Emails
We use cookies and similar technology in some of our emails which contain hyperlinks, each of which has a unique tag. They help us to understand a little bit about how you interact with our emails, and are used to improve our future email communications to you. If you click on links contained in this email it will allow us to track your use of our website and enable us to show content and offers of most interest to you.
These cookies are based on our legitimate interests for optimizing our marketing, promotion and similar activities.
If you do not wish to accept cookies from any one of our emails, simply close the email before downloading any images or clicking on any links. You can also set your browser to restrict cookies or to reject them entirely. These settings will apply to all cookies whether included on websites or in emails.
If you have configured your computer to automatically display images, or if you have added us to your email "address book" (or "safe senders" list), or if you have configured your computer to have "weak" security, cookies might be set at the same time as you download, open or read an email from us. If you would prefer for this not to happen, you should disable the automatic displaying of images, or remove us from your address book or strengthen your security settings.

How to control and delete cookies through your browser
The ability to disable or delete cookies can also be carried out by changing your browser’s settings. In order to do this, follow the instructions provided by your browser (usually found in the ‘Help’, ‘Edit’ or ‘Tools’ facility). Some pages may not work if you completely disable all cookies, but many third-party cookies can be safely blocked. If you do switch off cookies at a browser level, your device won't be able to accept cookies from any website. This means you will struggle to access the secure area of any website you use and you won't enjoy the best browsing experience when you are online.

Types of Cookies used for iCard website:
Below is a list of the types of cookies and similar technologies that we use in our website and mobile application along with instruction as to how they may be disabled.
Complete list with cookies can be found here:

Name Expiration Description Category
__cfduid 5 years Cookie assoiated with sites using CloudFlare, used to speed up page load times. According to CloudFlare it is used to override any security restrictions based on the IP address the visitor is coming from. It does not contain any user identification information. Necessary
_ym_isad 2 days Determines whether a user has ad blockers Statistical
_ym_uid 1 year Used for identifying site users
_ym_d Stores the date of the user's first site session
yandexuid Used for identifying site users
i
yabs-sid Until the session ends Session ID
yp 10 years Sets a unique ID for the session. This allows the website to obtain data on visitor behaviour for statistical purposes.
_gaexp Depends on the length of the experiment but typically 90 days. Used to record a person’s involvement in a website experiment e.g. an A/B test where half of our website users see one webpage, and the other half see an alternative version.
This helps us test that the changes we make to our site are actually making it better.		 Statistical
_gcl_au 3 months Used by Google AdSense for experimenting with advertisement efficiency across websites using their services.
ajs_anonymous_id 1 year These cookies are generally used for Analytics and help count how many people visit a certain site by tracking if you have visited before.
ajs_group_id These cookies track visitor usage and events within the website.
ajs_user_id This cookie helps track visitor usage, events, target marketing, and can also measure application performance and stability.
hubspotutk 13 months This cookie is used to keep track of a visitor's identity. This cookie is passed to HubSpot on form submission and used when deduplicating contacts.
intercom-id 24 hours This cookie is used by Intercom as a session so that users can continue a chat as they move through the site. Statistical
intercom-session Used to distinguish users
mp_hj_mixpanel 1 year Third-party cookies used to track visitors and collect information about how visitors use our site. We use the information to compile reports and to help us improve the site. No personally identifiable information is stored. The cookies collect information in an anonymous form, including the number of visitors to the site, where visitors have come to the website from, and the pages they visited. Statistical
fuid01 These cookies compile anonymous information on users’ browsing on the website in order to know the origin of the visits and other similar statistical data. These cookies do not identify the user or compile any type of personal information. Statistical
IDE 2 years Google also use one or more cookies for advertising we serve across the web. One of the main advertising cookies on non-Google sites is named ‘IDE‘ and is stored in browsers under the domain doubleclick.net. Another is stored in google.com and is called ANID. We use other cookies with names such as DSID, FLC, AID, TAID, and exchange_uid. Other Google properties, like YouTube, may also use these cookies to show you more relevant ads. Statistical
_ga_gat 3 months These cookies are used to collect information about how visitors use our Site. We use the information to compile reports and to help us improve the Site. The cookies collect information in an anonymous form, including the number of visitors to the Site, where visitors have come to the Site from and the pages they visited. If you do not allow these cookies we will not be able to include your visit in our statistics. You can read the full Google Analytics privacy policy at: http://www.google.com/policies/privacy/.
_gid
1P_JAR
APISID
DV
HSID
NID
SAPISID
SID
SIDCC
SSID
UULE
__hssrc Session Website usage statistics
__hstc 2 years Website usage statistics
muc 2 years Used to facilitate Twitter functionality on our website and to:
- track user behaviour
- deliver and measure the performance of advertising
- enable sign-in
- personalise the Twitter experience across devices.		 Statistical
ads_prefs
auth_token
csrf_same_site
csrf_same_site_set
dnt
eu_cn
external_referer
guest_id
kdt
personalization_id
remember_checked_on
tfw_exp
twid
act 3 months You have a Facebook account, these cookies will allow you to share content on the Inflectra site with your Facebook contacts. You will be also able to tell if you or your Facebook friends 'Liked' any content on the Inflectra site in the past. The cookies will also send some non personal data to Facebook to gather aggregate information on how people interact with websites that use the Like button. Statistical
c_user
datr
fr
locale
pl
presence
sb
spin
wd
xs