What is phishing?
The Internet is increasingly present in our lives. Cybercrime has emerged as a new focus for criminals as mobile applications have come to replace many procedures that were previously done in person. This type of crime consists of the digital theft of information or money.
During the early stages of cybercrime, attackers would use malicious software to target large businesses. However, that initial method of operation was very costly. Since then, their techniques have evolved, new methods have appeared, and cybercrime has become the most lucrative illegal business in the world. Cybercriminals have learned from street fraud techniques, among others, in order to get people to divulge sensitive information such as passwords and account numbers.
This methodology, known as social engineering, is used against any Internet user or online service, as well as against employees of any company. Cybercriminals use a wide variety of channels, including email, text messages, phone calls and social media, to perpetrate social engineering attacks.
Phishing – the use of fraudulent emails that employ various methods to deceive users – is the most commonly used social engineering technique.
Definition of Phishing
Phishing is a computer term that refers to the techniques cybercriminals use to fraudulently obtain confidential information. The name is a play on the English word 'fishing', since this is exactly what fraudsters do: cast bait to try to 'fish' for your data and credentials.
This technique can be used to steal sensitive information such as online banking passwords, credit card details and identity documents. It can also infect your computer or mobile device with malware.
According to the APWG Phishing Activity Trends Report, 2021 saw an all-time peak with 245,771 fraudulent web pages used in phishing attacks. There is also a steady upward trend in these malicious activities.
According to F-Secure's Attack Landscape Q1 2021 report, the financial sector is the most affected by phishing: overall, around 40% of attacks were directed at banks, payment systems and online merchants.
Although most attempted fraud occurs via email, criminals also try to access your data through fake social media profiles, text messages (known as Smishing) and even phone calls (known as Vishing). Sophisticated cybercriminals can use Spoofing techniques to change the caller ID or use text messages to infiltrate official communication threads. This allows them to impersonate their victims and carry out effective attacks.
How to recognise a phishing attempt
Cybercriminals are constantly refining their techniques and it is sometimes difficult to tell a fake email from a genuine one, but there are clues that can help you recognise a phishing attempt:
- Sender's name and address. If the sender's email address is unknown to you, or it has a strange format, you should question whether the email is authentic. The same applies if it does not include the domain name of the organisation that allegedly sent it, or if it comes from a free email service such as Gmail, Yahoo or Outlook.
- A sense of urgency. Beware of scammers who may try to persuade you that you need to urgently hand over your personal or banking information by citing a supposed technical problem, change in security policy or unusual activity on your account. They may also claim that your account is about to be deactivated, promote a new product or even falsely offer a prize or job opportunity. These messages are usually written in an alarmist tone, urging you to take immediate action.
- Differences between the text of the link and the URL it leads to. The scammers will try to make you click on the link included in the email to take you to a fraudulent website that impersonates the real one. You can check the address of this link by placing the mouse pointer over it: if you see that it does not match the text of the link, has a suspicious format or does not start with https (the "s" means the connection to the site is encrypted, although that alone does not prove the site is genuine), do not click on it.
- Spelling errors or poor phrasing. Typically, criminals use automated tools with integrated translation features to craft their ‘bait’ messages. Therefore, unless the scam is very sophisticated, you are likely to see poorly translated words, phrases that sound strange in the target language, spelling mistakes, words with strange symbols, etc.
- A generic greeting. If you receive a greeting that is not personalised and instead follows a generic format, such as 'Dear customer' or 'Dear friend', be on your guard. Businesses will usually address you, as a customer, by your full name.
- Attached files. If you receive an email asking you to download a file, be suspicious, as it may be a phishing attempt. Any file, including Word or PDF documents, can contain malware. However, a file with more than one extension (such as 'filename.doc.zip'), a compressed file (.zip) or an executable file (.exe) is very suspicious. Never download email attachments that you are not expecting, as they could contain malware that infects your computer. And if you do, run an antivirus scan before opening or running the file.
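The warning signs in the list above can be turned into simple automated checks. The following script is an added example (not code from the article's author or from any bank): it parses a raw email, compares the sender's domain with the organisation's expected domain, flags free webmail senders, alarmist wording, generic greetings, links whose visible text points to a different host than their real target or that do not use https, and attachments with double extensions or risky suffixes. The two sample messages, the domain examplebank.example and the keyword lists are constructed for illustration only.

```python
"""Heuristic phishing-sign checker for one raw e-mail (added example, not the article's code)."""
import email
import email.utils
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed lists: extend them for your own environment.
FREE_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
URGENCY_TERMS = ("urgent", "immediately", "deactivat", "suspend", "within 24 hours")
RISKY_SUFFIXES = (".zip", ".exe")


class _HtmlTextAndLinks(HTMLParser):
    """Collect visible text and (href, anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.text, self.anchors = [], []
        self._href, self._anchor_text = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._anchor_text = []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._anchor_text).strip()))
            self._href = None


def _host_of(anchor_text):
    """Hostname that URL-looking anchor text appears to show, else None."""
    if "://" in anchor_text:
        return urlparse(anchor_text).hostname
    if anchor_text.startswith("www."):
        return urlparse("http://" + anchor_text).hostname
    return None


def analyse_message(raw, org_domain):
    """Return a list of human-readable warning signs found in the raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Sender address: wrong domain, or a free webmail service.
    _, addr = email.utils.parseaddr(str(msg["From"]))
    sender_domain = addr.rpartition("@")[2].lower()
    if sender_domain != org_domain and not sender_domain.endswith("." + org_domain):
        findings.append(f"sender domain '{sender_domain}' is not '{org_domain}'")
    if sender_domain in FREE_WEBMAIL:
        findings.append("sender uses a free webmail service")

    # Extract visible text and links from the preferred body part.
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body is not None else ""
    anchors = []
    if body is not None and body.get_content_type() == "text/html":
        parser = _HtmlTextAndLinks()
        parser.feed(content)
        content, anchors = "".join(parser.text), parser.anchors
    text = " ".join(content.split())

    # 2. Alarmist tone in subject or body.
    haystack = f"{msg['Subject'] or ''} {text}".lower()
    if any(term in haystack for term in URGENCY_TERMS):
        findings.append("message uses urgent or alarmist language")

    # 3. Generic greeting instead of the customer's name.
    if re.match(r"dear (customer|friend|user|client)\b", text, re.IGNORECASE):
        findings.append("generic greeting instead of a personal name")

    # 4. Links: not https, or visible text showing a different host than the target.
    for href, anchor_text in anchors:
        target = urlparse(href)
        if target.scheme != "https":
            findings.append(f"link '{href}' does not use https")
        shown = _host_of(anchor_text)
        if shown and shown != target.hostname:
            findings.append(f"link text shows '{shown}' but points to '{target.hostname}'")

    # 5. Attachments: more than one extension, or compressed/executable.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.count(".") > 1:
            findings.append(f"attachment '{name}' has more than one extension")
        if name.endswith(RISKY_SUFFIXES):
            findings.append(f"attachment '{name}' is a compressed or executable file")
    return findings


# Constructed sample messages (not real emails) exercising the checks above.
SAMPLE_EML = """\
From: "Customer Service" <examplebank-alerts@gmail.com>
To: customer@example.net
Subject: URGENT: your account will be deactivated
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Dear customer,</p>
<p>Unusual activity was detected. Verify your details within 24 hours:</p>
<a href="http://example-verify.invalid/login">https://www.examplebank.example/login</a>
--b1
Content-Type: application/zip
Content-Disposition: attachment; filename="statement.pdf.zip"

UEsDBAoAAAAAAA==
--b1--
"""

CLEAN_EML = """\
From: "Example Bank" <alerts@examplebank.example>
To: jane.smith@example.net
Subject: Your monthly statement is available
Content-Type: text/plain; charset="utf-8"

Dear Jane Smith,

Your statement for last month can be viewed in the official app or by typing
the bank's address into your browser.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SAMPLE_EML), ("legitimate", CLEAN_EML)):
        print(f"{label}: {analyse_message(raw, 'examplebank.example')}")
```

Run it with a real `.eml` file read into `raw` and the domain of the organisation the message claims to come from; the constructed suspicious sample triggers every check, while the clean one produces an empty list. Treat the output as a list of things to look at, not a verdict: a legitimate message can trip one heuristic, and a careful attacker can avoid several.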
What you should do if you think you have received a fraudulent email
If you have received an email with any of the characteristics described above, we recommend that you:
- Disregard any requests for information contained in the email, and do not respond or click on any included links.
- If you suspect that an email you received may not be genuine, contact the organisation's official customer service number or email address (taken from its website, not from the email itself) to confirm its authenticity.
- If there are attachments, do not open or download them.
- Delete the suspicious email.
- Run an antivirus scan on your mobile phone or computer.
- If the phishing attempt you have received impersonates Banco Santander, please report it by sending an email to firstname.lastname@example.org.
Banco Santander's communications are always personalised (with your name and surname) and the bank will never ask you for your details or passwords by email, text message or phone call. You will not receive any attachments or links to the online banking homepage. For online banking services, always use the official application or access the address directly from your browser.
What you should do if you have been the victim of a phishing attack
If you believe you have been the victim of a phishing scam, it is important to collect all relevant information, including any emails you received, websites you were directed to and any documentation you may have sent. You should then file a report with the police. You can report the fraud to INCIBE's Internet Security Office to help prevent other users from being affected.
If you suspect that you have been a victim of bank phishing, please contact your bank immediately to report the incident and take steps to protect your account. You should immediately change the passwords of any affected services, as well as credit card passwords, etc. You should also periodically check your accounts for any suspicious activity.
If you have shared any personal information, please contact the relevant institution(s) right away to let them know about the phishing attack. They will be able to provide further instructions on what to do next.
If your computer has been infected with a virus or malware as a result of a phishing attack, you will need to disinfect it using an antivirus programme. For additional help, you can contact INCIBE-CERT, the security incident response centre operated by the National Institute of Cybersecurity. INCIBE-CERT provides support for citizens and private-sector organisations in Spain.
Phishing attacks are a common occurrence and we cannot prevent fraudulent messages from arriving in our email inbox. However, if you follow these tips and remain vigilant, you can avoid falling victim to cybercrime.