Identity theft for the sake of stealing someone’s money (or not) is a very real crime. Bringing fraudsters to justice is an intense exercise that requires the international collaboration of investigators and bank officials.
Having a sophisticated AI that tracks suspicious account activities to protect your money is only the second step. Avoiding phishing and scams is a matter of proactive attitude towards the risks, which naturally includes education as the first step.
At iCard, we believe that working together with you is the most optimal recipe for cracking down on malicious actors who aim to ruin our excellent reputation and steal your money.
We compiled this informative guide to show you how to best stay protected – what to do and what to avoid.
What is phishing exactly?
The main goal of phishing (fishing) is to trick people into revealing information that can be used for monetary gains (and damage). It is a malicious attempt to hook you into revealing personal information that can be used by hackers to steal your identity or money. In most forms described below, it is an attempted computer scam that aims at collecting personal information such as 16-digit debit card number, expiry date, date of birth, national insurance number, a password for online banking and so on.
Tactics behind phishing attacks
Scammers cast their nets or shoot their spears at small fish, big fish and even whales. Whatever the catch, they are happy to rip it off.
Targeted phishing attacks
The first step usually involves gaining your trust via an unsolicited message. To do that, scammers may pose as someone you know – your financial institution, phone company, tech support, your boss, etc. Watch out for unexpected messages that request private information in order to solve a technical problem for you.
Mass scale phishing scams
Going mass scale requires the same amount of precision, not targeting a specific person, but people with similar interests. These tactics usually include a close of a real and trusted page, such as Gmail, PayPal, Amazon or a banking website. Getting the malicious links to people can work via many channels, including hijacking search results.
The 9 types of phishing
Phishing attacks differ, based on method, target and channel. Let’s explore all:
Email phishing
This is the most common type of phishing because it’s simple and cheap to execute on a mass scale. It attempts, as usual, to gain your trust and reveal financial or personal information that will be sufficient for purchasing things with your debit/credit card, take out loans in your name or transfer money out of your bank account. How? The email message may come from a spoofed email address that makes it appear as if it is coming from a recognized person. This email may contain any sort of urgency, like a suspicious transaction with a link to a replica website, where you enter and reveal your username and password.
Vishing (VoIP + Phishing)
Going beyond email, con-artists may target people by phone. Spoofing a phone number is super easy, so you need to be very careful. The fraudster can call and present him or herself as someone you trust – your bank, your internet provider, your phone company, etc. The effort usually aims at having you reveal personal information such as account number, a password, even ask you about your last few transactions on a given debit card – any information that can be used maliciously to access your finances.
Smishing = SMS + Phishing
Similar to Vishing, smishing is an attack launched via the potential victim’s phone number. It aims to extract valuable information, not by social engineering in a conversation, but like any other method that uses fake links. A fraudulent text message definitely comes with an element of urgency and a request to take action. Taking action would require that you click a link, which will, of course, try to infect your phone with malware. In any case – do not follow the link prior to inspecting it. If you are unsure what to do, call the sender and let them know what is happening.
Spear phishing
This, as the name implies, is precision phishing. A prerequisite is that the hacker already has collected a lot of specific information about the victim, e.g. position in a company, full name, even the names of current business partners. The aim can be various, like infecting the victim’s computer with malware and gaining access to a corporate network. The scammer sends a very customized email, carefully embedding the information that is already known, tricking the unsuspecting person to believe that the email is coming from a trustworthy source. Be very careful for fake URLs and email attachments that can contain a virus. This precision attack targets both companies and individuals to steal big amounts of money or leak sensitive information.
Domain spoofing
This is a common variety of phishing where the hacker sends people to a fake domain name with a very similar sequence of characters, e.g. mybusiness.com and mybusinesss.com. Notice the difference? This tactic is used to impersonate the company and trick employees or customers into providing sensitive information.
Clone phishing
The name of this tactic reveals it all – it is an attempt at phishing private information by perfectly replicating an email. This is an upgrade to standard email spoofing, which historically included a lot of typos, bad grammar and other signals for fraud. The clone phishing can target employees and customers of a business. The perfect resemblance of the cloned email replica is very good at accomplishing an attack.
Whale phishing
Whaling or CEO fraud, as you may have guessed already, are attacks that target high-profile individuals like directors, vice presidents, CFO, COO or any other senior executive. It’s very similar to spear phishing, except the target is a big whale, not small fish. In this case, big does not mean easy to catch. Scammers take many months of researching these VIP personas – their contacts, schedules and sources – anything that can be used to target with precise information. Aiming at big targets means that a successful attack can be a huge loss for the company.
Search engine phishing
This is a new and very sophisticated phishing method that aims to gain your trust by taking over google search results. It may be a company that offers fantastic deals, that require your payment information. It may be a job search website that requires you to enter all your personal information, including your national insurance number. Another way for fraudsters to take advantage is to invest a very long time to optimize a fake bank website, then offer you amazing account or card deals that, of course, take all your private information without providing the service.
Search engines, to a great extent, are able to catch these and prevent them, but you should always be aware of the possibility because even ads on google can be malicious and for example send you to a cloned version of your bank login page.
Watering hole phishing
This sort of phishing attack involves observing the behaviour patterns of the target and more precisely – the websites they visit. The next step involves targeting one of the websites that the potential victim regularly visits. It needs to be a less-secure website that can be infected with malware. The attacker then waits for a re-visit to the now malicious webpage to start the attack on the victim’s computer or phone and extract the needed personal information.
Phishing leads to DATA BREACHES
Here are some phishing and fraudulent email statistics for 2019 (source retruster)
- Phishing accounts for 90% of data breaches
- The average financial loss of a data breach is $3.86 million (IBM)
- 15% of people who have undergone phishing will be targeted at least once more within the year
- Business email compromise (BEC) scams resulted in losses of over $12 billion (FBI)
- Phishing attempts have grown 65% in the past year
- Around 1.5 million new phishing sites are created every month (Webroot)
- 76% of companies said they have been subjected to a phishing attack in the past year
- 30% of phishing messages are opened by targeted users (Verizon)
Knowing this should definitely switch your defence on.
How to stay protected from phishing?
Due to the technical nature of phishing attacks, hackers are thought to be some sort of geniuses that are just better prepared to scam us, than we are to stay protected. It’s just wrong. Here is what you can do to avoid becoming a victim:
- Double and triple check URLs before clicking any suspicious or unknown links
- Do not open suspicious short links and emails
- Change your passwords often
- Educate yourself by reading articles like this or train your employees if you are a business owner or a manager
- Check for secured websites – the padlock that is visible on HTTPS sites. Keep in mind that this is not always a perfect indicator of a website’s legitimacy.
- Keep your antivirus software, windows, android or any other system – up-to-date.
- Never install software from unknown sources
- Use 2-factor authentication whenever possible
- Trust your guts
- Report phishing attacks and scams to the relevant participants – affected businesses and authorities
How to protect your money?
As you know, protecting your money is our top priority here at iCard. For this reason, we’ve prepared another read that you should definitely go over, so you can be aware of the SIM swap scam. It’s one of the possible next steps for hackers, should you unconsciously become a victim of a phishing attack.
There are many other ways you can get scammed online. Be proactive and well-informed, in order to avoid financial loss and time wasted resolving issues.
One last piece of advice: Freeze your iCard debit cards with a tap after each use!