Phishing attacks, the bad cop in the growth of digitization

09th January 2023
By Raja TN, Co-Founder & CTO, ClearTrust
January 9, 2023: Digitization has proved to be a boon for launching new companies and developing innovative solutions to persistent problems. But what happens when digitization starts creating disadvantages for the very people who benefit from those solutions?
This is where we turn to a term that is in wide circulation at present. In layman’s language, we call these disadvantages online fraud or phishing attacks. Phishing refers to any form of fraudulent communication carried out with the objective of causing financial distress by robbing a person. These attacks play on an individual’s mindset by creating a sense of urgency to avail a benefit, and they influence the person to reveal confidential information such as bank account details, credit card numbers and ATM card PINs. Once this information has been compromised, the fraudsters use it to carry out multiple frauds.
A phishing attack can be carried out over multiple modes of communication, such as text messages and emails. Access to data such as the victims’ email IDs and phone numbers is obtained by employing complex machine learning algorithms to scan huge quantities of data and identify high-level individuals to target.
How does phishing work?
The entire attack is sequenced in the following manner:
Research: As a first step, the attackers leverage social media sites like Facebook and LinkedIn to gather data about the targets. Thorough research before initiating the attack is necessary to ensure that the individual perceives the trap to be genuine. A personalized approach with some background knowledge works well for the fraudsters in gaining the trust and confidence of the individual.
Laying the trap: Once the data has been gathered and the targets have been chosen, the next step involves creating a fake link. This link could redirect users to a fake website, or it may carry malware that is installed on the individual’s device when the link is clicked. An example is a fake landing page of a bank with fields for your login and password details. Once you open the link in a hurry to clear any pending dues, the seemingly genuine website may naturally prompt you to provide your details.
Selecting the mode of communication: Once the trap has been set, it can be communicated through an email, a text message or, at times, even a phone call. In spear phishing attacks, where an organization’s employees are defrauded, the fake emails can be sent by fraudsters disguised as personnel working in the same organization. These messages are customized individually with details such as name, date of birth (DOB) and other details, depending on the nature of the fraud.
Drafting and sending the message: In frauds targeting high-level individuals like top managers in an organization, or in vishing attacks where the attackers impersonate employees of a bank, a highly personalized message is drafted to gain the trust of the individual. In a vishing scam, for example, the attackers call the target individuals and win their trust by confirming their name, date of birth, bank branch name and mobile number. Once the target has taken the bait, the attackers carry the conversation forward and extract all the confidential information, successfully executing the fraud.
A typical phishing message may appear something like this:
Your email has been selected for a prize of a brand-new BMW 2 series and a cheque of Rs 1 crore from the loyal customer program held this month. Claim your prize by clicking on the link
How to protect yourself against phishing attacks?
Given human nature, a person is most likely to get trapped when a message indicates a need to complete a certain action urgently or when it offers a monetary benefit. However, to ensure that we don’t miss the red flags, there are certain precautionary measures that can be taken.

  1. For messages from banks and government bodies, check the short codes from which the messages are sent. Usually, a bank-related message is auto-generated and is never sent from a personal number.
  2. A fake message is not always perfect. The best way to identify one is to look for awkward sentences and grammatical errors in the message, if any. Moreover, if a message pushes a sense of urgency too hard, that can be a sign that something fishy is going on in the background.
  3. Constantly update the software on all devices, such as laptops and mobile phones. If an infected link has been accidentally clicked, the updates will identify the infection and remove it.
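
The sender and wording checks above can be turned into a simple triage script. The following is an added example, not part of the original article or any ClearTrust product; the phrase lists, the definition of a "personal number" and the sample messages are constructed assumptions, and grammar checking is left out.

```python
import re

# Assumption: a "personal number" is a full phone number (10-15 digits, optional "+");
# short codes and alphanumeric sender IDs do not match.
PERSONAL_NUMBER = re.compile(r"^\+?\d{10,15}$")
URL = re.compile(r"(?:https?://|www\.)\S+", re.IGNORECASE)

# Constructed phrase lists for illustration; tune them to the messages you actually see.
PHRASES = {
    "urgency": ("urgent", "immediately", "act now", "last chance", "will be blocked"),
    "monetary_benefit": ("prize", "won", "winner", "selected", "lottery", "cashback", "claim"),
    "asks_confidential": ("pin", "otp", "password", "cvv", "card number", "account number"),
}

def red_flags(sender, body):
    """Return {flag_name: evidence} for each red flag found in one message."""
    flags = {}
    # Red flag 1: a bank or prize message arriving from a personal number.
    if PERSONAL_NUMBER.match(re.sub(r"[\s-]", "", sender)):
        flags["personal_sender"] = [sender]
    # Red flag 2: urgency, promised money, or a request for confidential details.
    text = body.lower()
    for name, phrases in PHRASES.items():
        hits = [p for p in phrases if re.search(r"\b" + re.escape(p) + r"\b", text)]
        if hits:
            flags[name] = hits
    # A link is what delivers the fake page or malware, so record it as well.
    links = [m.group(0) for m in URL.finditer(body)]
    if links:
        flags["link"] = links
    return flags

# Constructed sample messages; sender values and URLs are placeholders.
SAMPLES = [
    ("+91 00000 00000", "Your email has been selected for a prize of a brand-new BMW 2 series "
     "and a cheque of Rs 1 crore. Claim your prize by clicking on the link http://example.test/claim"),
    ("56161", "URGENT: your card will be blocked today. Share your OTP and ATM PIN "
     "immediately at www.example.test/verify"),
    ("AD-EXBANK", "Your account statement for December is ready in the official app."),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        found = red_flags(sender, body)
        print(f"{sender!r}: {len(found)} red flag(s) {sorted(found)}")
```

A message with no flags is not thereby proven genuine; the script only surfaces the cues listed above so that a person can look at the message more carefully.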

Certainly, the need of the hour is innovative cybersecurity solutions that can help identify fake links, fake messages and the like, alerting individuals at the right time, before they fall prey to a suspected phishing attack.
ClearTrust is a SaaS-based cybersecurity platform. The company specializes in phishing intelligence, bot intelligence and invalid traffic (IVT) intelligence.