What is phishing?
Secure Internet Day is celebrated on 11 February. It is an initiative launched by the European Union in 2004 to promote the need for a safer internet. The increasing use of the Internet in more and more areas of our lives has led to a rise in cyber-attacks, and one of the methods most widely used by cyber-criminals is phishing. Do you know what a phishing attempt is and how to identify it?
Definition of Phishing
Phishing is the IT term for an identity theft technique by which criminals attempt to obtain confidential information by fraudulent means. The term comes from the English word "fishing" because that is precisely what the scammers are trying to do: they cast a hook in an attempt to "fish" for your data.
Passwords for online banking, credit card details and identity documents are examples of the sensitive information that can be stolen using this technique, which can also be used to infect your computer or mobile device with malware.
According to a report from Kaspersky Lab, 2018 saw some 500 million phishing attacks around the world, with the financial sector being the most affected: more than 44% of the attacks were directed against banks, payment systems and online businesses.
The most common type of phishing attack is via email, but it is by no means the only one: criminals also try to access your data through fake profiles on social networks, by sending an SMS to your mobile phone (a practice known as smishing) or through telephone calls.
How to recognise a phishing attempt
Cyber-criminals are constantly refining their techniques and it is sometimes difficult to tell a fake email from the original, but there are clues that may help you to recognise a phishing attempt:
- Sender's name and address. If the address of the sender of the email is unknown, or it has a strange format, you must question whether the email is authentic. The same applies if it does not include the domain name of the organisation that allegedly sent it to you, or if it comes from a free email service such as Gmail, Yahoo or Outlook.
- The rationale they use. Scammers will try to convince you of the need to urgently provide them with your personal (or bank) details, alluding to an alleged technical problem, a change in the bank's security policy, abnormal use of your account or suspicious movements, the imminent deactivation of your account, the promotion of a new product or even notification of an alleged prize or a false job offer. These messages are usually written in an alarmist tone, urging you to act immediately and with warnings that, if you do not click on the link or send your details, your account will be cancelled or you will have to pay a fine.
- Differences between the text of the link and the URL it leads to. The scammers will try to make you click on the link included in the email to take you to a fraudulent website that impersonates the real one. You can check the address of this link by placing the mouse pointer over it: if you see that it does not match the text of the link, has a suspicious format or does not start with https (the "s" means the connection to the destination site is encrypted; on its own it does not guarantee that the site is legitimate), do not click on it.
- Misspellings or poor writing. Usually, to design their "hook" messages, criminals use automatic tools that include translation functions, so it is likely that you will see badly translated words, expressions that sound strange in your language, spelling mistakes, words with strange symbols, etc.
- A non-personalised message. If the greeting is a generic one, such as "Dear customer / user" or "Dear friend", be suspicious.
- The extensions of the attached documents. You should suspect phishing if the email you receive asks you to download a file that has more than one extension (such as "filename.doc.zip") or is a compressed (.zip) or executable (.exe) file. Do not download it, as it may be malware that infects your computer; if you do download it, run your antivirus before opening or executing it.
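As an added example that is not part of the original article, the following Python checker applies three of the clues above (sender domain, link text versus target URL and https, attachment extensions) to a constructed sample message; the bank name, domains and file name are placeholders, not real indicators.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

FREE_MAIL = {"gmail.com", "yahoo.com", "outlook.com"}  # free providers named in the checklist
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)  # simplified, not a full HTML parser

def _host(value):
    if "://" not in value and not re.fullmatch(r"[\w.-]+\.[A-Za-z]{2,}", value.strip()):
        return ""  # plain words such as "click here" carry no host to compare
    return (urlparse(value if "://" in value else "//" + value.strip()).hostname or "").lower()

def phishing_indicators(raw_email, expected_domain):
    """Return the checklist indicators found in a raw RFC 5322 message as human-readable strings."""
    msg = message_from_string(raw_email)
    findings = []
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    sender_domain = m.group(1).lower() if m else ""
    if sender_domain in FREE_MAIL:
        findings.append(f"sender uses a free mail service: {sender_domain}")
    elif sender_domain != expected_domain and not sender_domain.endswith("." + expected_domain):
        findings.append(f"sender domain is {sender_domain!r}, not {expected_domain!r}")
    for part in msg.walk():
        filename = part.get_filename()
        if filename:  # attachment: double extension, archive or executable
            exts = filename.lower().split(".")[1:]
            if len(exts) > 1 or exts[-1:] in (["zip"], ["exe"]):
                findings.append(f"suspicious attachment: {filename}")
        elif part.get_content_type() == "text/html":
            html = part.get_payload(decode=True).decode(errors="replace")
            for href, text in ANCHOR_RE.findall(html):
                if not href.lower().startswith("https://"):
                    findings.append(f"link is not https: {href}")
                if _host(text) and _host(text) != _host(href):
                    findings.append(f"link text says {text.strip()} but points to {_host(href)}")
    return findings

SAMPLE = """\
From: Example Bank Security <examplebank.alerts@gmail.com>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Dear customer, verify your details at <a href="http://examplebank.verify-account.test/login">www.examplebank.com</a></p>
--b1
Content-Disposition: attachment; filename="statement.doc.zip"

--b1--
"""  # constructed sample, not a real email; bank name, domains and file name are placeholders
```

Running `phishing_indicators(SAMPLE, "examplebank.com")` reports all four clues; a plain text message from the expected domain returns an empty list.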
What you should do if you think you have received a fraudulent email
If you have received an email with any of the features described above, the recommendation is:
- Ignore the request for information in the email and do not reply to the email or click on any links
- If there is an attachment, do not open it or download it
- Delete the suspicious email
- Run the antivirus on your mobile or computer
If you have any doubts about the authenticity of an email, contact the organisation that has supposedly sent you the communication to verify that it really is them who have written to you.
Remember that communications from Banco Santander are always personalised (with your name and surname) and that the bank will not ask for your data or passwords either by email or by phone, nor will it send you attachments or include links to the online banking home page. If you want to access your electronic banking service, it is better to type the address directly into your browser.
What you should do if you have been the victim of a phishing attack
In the event that you have been caught up in a phishing scam, it is recommended that you gather together all the relevant information (the email you received, the website it linked to, the documentation you sent...) and that you file a report with the police. You can also contact the INCIBE Internet Security Office (Spanish National Institute of Security) and report the fraud so as to prevent other users from suffering the same fate.
If the phishing targeted your bank, contact your bank to let them know what has happened so that they can take the appropriate security measures. Meanwhile, you should immediately change the passwords for all affected services (your online banking login, your credit card passwords, etc.) and periodically check your accounts for any suspicious activity.
If you provided other personal information, contact the appropriate organisation to inform them that you have been the victim of a phishing attack and ask them how to proceed.
Remember that if your computer has been infected by a virus or malware as a result of phishing, you will need to disinfect it with an antivirus. If you need additional help, you can get support through INCIBE-CERT, the leading security incident response centre for citizens and private legal organisations in Spain, operated by the National Institute of Cyber-security.
Phishing attacks are standard practice and we cannot prevent fraudulent messages from reaching our inbox. However, by being alert and following these tips you can avoid falling into the cyber-criminal's traps.