Digital Fraud, Data Leakage

Phishing: The Complete Guide to Protecting Your Clients

By TheHack.com.br on
SHARE

The underworld of digital threats is constantly expanding. You just need to read the headlines to see that every day a new scam is created, or some unprecedented malware is circulating throughout the Internet. However, phishing still accounts for the majority of cyber incidents, inside or outside of companies. After all, it’s designed to attack the weakest link in the security chain: the human being.

And that is exactly why phishing remains at the top of corporate concerns when it comes to digital security. In addition to being effective from the criminal’s point of view, it can cause extremely high financial losses and irreversible damage to the company’s image. Suffice it to say that, according to the 2019 Verizon Data Breach Investigations Report, phishing was responsible for one-third of all data leaks in 2018.

However, many of us forget to look at the other side of the coin. Not only can this criminal practice inflict financial damage on your corporate environment, but it can also damage your brand’s image as it harms your customers. After all, how can you be sure that your clients will not be tricked by fraudsters trying to impersonate your company? How can you be sure that they will not access a fake version of your website and give criminals their sensitive information?

 

The origin of the “fishery”


Phishing was born in the ‘90s and the term was created by criminals who, during that era, used a tool known as AOHell to steal credentials from America Online (AOL) users. Those accounts—which would nearly always be accompanied by credit card numbers—were later negotiated and exchanged for hacking software or pirated programs.

Using AOHell, the scammers impersonated AOL employees and requested the victims’ passwords, generally under the pretext of “verifying your account” or “updating billing details.” Since such snares were uncommon at the time, the criminals were invariably successful.

The “fad” took hold, and many criminals started to use the technique outside of AOL to obtain precious information and harm unwary Internet users. Today, phishing is one of the most egregious problems for the global digital security market. In 2018, over one million reports of emails or messages with malicious content were registered around the world.

 

Old but effective phishing tricks


First, let’s understand that though phishing has evolved plenty over recent years, this type of scam is still easily recognized by some of its basic characteristics:


It contains errors

Cybercriminals are not editors, designers or publicists. Therefore, fake pages or malicious emails naturally have graphic and grammatical errors that expose their true nature.


It has a sense of urgency

The scammer doesn’t want the victim to think too much before they download a file or click on a link. That being the case, he will persuade the target to do so as quickly as possible, alleging that there is a deadline for resolving a situation, or some such thing.

 

It has a threatening tone

To emphasize speed, phishing emails usually get hold of the consumer’s weak spot, and threaten them with some negative consequence.


As an example that embodies all these characteristics, we can imagine a fake bank notification that gives you some incentive to visit a fake page, under the pretext of updating your registration information. In that case, the criminal would probably tell the Internet user that he must complete this task within a few hours or his account will be closed.

Let’s not forget to mention the scams that use the financial factor to convince victims. With virtual stores and e-commerce, for example, criminals often develop fake email marketing, alleging a sale that must not be missed—to steal your credit card number when you think you are purchasing a product.

 

Several ways to deceive


There are several ways for a criminal to abuse your brand in order to attack your clients. One of the most common ones is cybersquatting—the practice of registering a domain similar to yours. It’s done using homoglyphs, repeated characters, transpositions or domains different from the original address. Once a scammer registers a malicious URL, he can send emails that look like yours and host a fake website, waiting for some consumer to fall for the trick.

Another very common problem is the issue of fake social network profiles. The architecture of those platforms—Facebook, Twitter, Instagram, etc.,—greatly facilitates the work of any criminal interested in simulating a page using your brand and deceiving unwary Internet users by promoting fake sales and spreading malicious links. It’s no coincidence that Facebook removed 2.2 billion fake accounts in just the first quarter of 2019.

 

How can this be avoided?


We’re speaking here of the principle of brand reputation. Allowing your clients to become phishing victims affects your digital presence, damaging the image your target audience has of you. Fake pages, similar domains, fake social network profiles and malicious emails sent out in your name can diminish your company’s credibility in the market, creating a general sense of mistrust.

(EN)The Hack - Axur Infográfico 12


Therein lies the importance of investing in monitoring for your brand. Using solutions specific to these objectives, such as Digital Fraud Discovery, you can be notified whenever someone uses any of your intellectual property in an inappropriate manner—even including quotes on social networks. That makes it easier to identify malicious campaigns and order the removal of potentially fraudulent content even before it has a chance to reach an Internet user.

It’s also crucial to maintain a good client education and communication plan, notifying your public whenever it becomes necessary. Have you identified a series of texting scams? Let them know that your company does not request password verification by that method, and advise them, for example, to ignore such messages. What’s important is to demonstrate to the market that your brand is concerned with Internet users’ security. That will inevitably cause you to win their trust.

event-image

ESPECIALISTA CONVIDADO

Eduardo Schultze, Coordenador do CSIRT da Axur, formado em Segurança da Informação pela UNISINOS – Universidade do Vale do Rio dos Sinos. Trabalha desde 2010 com fraudes envolvendo o mercado brasileiro, principalmente Phishing e Malware

AUTHOR

TheHack.com.br

We are journalists, but we are also hackers - we aim to solving problems by analyzing them in a creative way and by making different manners of using the tools that we have.