Phishing is one of the oldest cybersecurity scams and often one of the first steps in a complex, multi-stage attack. For instance, 67% of IT teams in India associate phishing with emails that falsely claim to be from a legitimate organization, and which are usually combined with a threat or request for information. According to a report on global security, India generates the maximum number of spam and phishing emails across the Asia Region.
What’s the approach
Phishing attacks often begin with email, text messages, even phone calls. The message will be simple, often in the form of an announcement, like a problem with a payment, a security breach, or suspension of benefits or services. If the target is a company or organization, the scammer may seem unassuming, even respectable. For example, some scammers will claim to be a new employee, IT technician, or researcher. They may even produce some credentials or other information to support their claim.
If the attack is broader, the message may appear to originate from a well-known brand, a trusted company or a non-profit organization. For example, common phishing scams have themes like a credit card company or other financial institution, a charity or a political organization.
Scammers also take advantage of current events and certain times of the year, such as:
- Natural disasters (e.g., Fires, Earthquake, etc.)
- Epidemics and health scares (e.g., H1N1, COVID-19)
- Economic concerns (e.g., Scams)
- Major political elections
Simple phishing scams take a spray and pray approach, hitting thousands of potential victims all at the same time with identical spoof messages. Some of these campaigns also spoof websites where the primary trap is laid. These campaigns have gotten upgrades in appearance. Although they are easiest to detect among phishing campaigns, we fall to them when we’re rushing around and don’t pay close enough attention.
Some scammers go a step further by picking a target then attacking with a sophisticated social engineering script. The goal is to gain trust and approval from a chain of victims. For instance, the scammer may start with a spoofed email address of known colleagues or executives. If the scammer can’t get enough information from one source, they’ll move on to another within the same organization. Finally, they increase credibility by adding information gleaned from the previous victim as they probe for more data. Within 20-30 minutes, the scammer may have enough information to piece together what they need to infiltrate highly sensitive networks and computers.
While the basic pattern is much the same as the first phishing campaigns, the scammers have added new twists with both the script and the payoff. At one point, rather than steal just passwords and credit card information, some scammers led their victims to all sorts of malware: Trojans, spyware, adware, rootkits, worms, keyloggers — all of them costly and destructive for the victim.
Lately, ransomware has become vogue with scammers encrypting computers and whole networks — for a much bigger payoff at the end. In addition, with rising cryptocurrency values, scammers also want to enslave some of your computing power for crypto mining.
Around 50,035 cases of cybercrime were reported in 2020 across major cities of India. This is an increase of nearly 12 per cent over the previous year as reported by the National Crime Records Bureau (NCRB).
At the ground level, every second person is being targeted by a cyber fraudster. The actual cyber fraud is much higher and sadly this Covid pandemic has turned cyber fraud as a cottage industry.
Avoid being a victim. Here’s how:
The first and probably the most important rule is for us to be constantly vigilant. Raise your awareness when you get an unsolicited phone call or receive unexpected messages. Watch for unusual requests about employees or other internal information. Withhold all information and rely on better judgment before divulging ANY info.
Remember that the phish is all about squeezing information from you: refuse to give it to them. Instead, make a personal commitment to your cybersecurity. For instance:
- Do not click links on email or text – even from trusted individuals.
- Do not download ANYTHING that comes from an email or text message you did not expect; and
- DO authenticate URLs, sender’s identity, and company identity. Often, a simple phone call from your own device will do the trick.
What to do if you are a victim of the phish
Everyone makes a mistake. The goal of this article (and the whole reason for Cybersecurity Awareness campaigns) is to help you avoid common traps. But even experts fall victim from time to time. If you think that you have tripped into a phishing scam, your response depends on your situation.
- Contain the damage by contacting financial institutions for any accounts you may have exposed. Change your password. If you reuse the same password for multiple resources, change them all.
- Isolate the damage by moving quickly. You should be well protected with an advanced threat protection service. If not, isolate the computer or device that you think is infected. Disconnect it from home or office network – wired and Wi-Fi). Treat any nearby devices as suspect and disconnect them as well.
- Verify the infection. Understand the threat you face. Several online services can help you identify the type of malware and give you some options for removal and repair.
- Report the incident. If you believe you have revealed sensitive information about your organization, report it as soon as possible. Inform network administrators so that they can raise the alert for other suspicious activities. When you confirm a ransomware attack, report it to law enforcement so they can add to their investigations and search for the criminals.