What is phishing? How to defend yourself?

Phishing. What is it?

Phishing can deprive you of access to your email account, individual websites, and lead to the draining of funds from your savings account. Phishing is a deceitful internet scam that involves the fraudulent acquisition of data, and its victims are increasing year after year. The bait in this case is fake emails and SMS messages. All it takes is to click on a link provided in the message to instantly install malicious software on your device. A second later, your data, such as logins and passwords, credit card numbers, or your national identification number, will fall into the wrong hands. Scammers attack in the same way through instant messaging apps and social media. In short, you need to be vigilant online almost at every step. Otherwise, one accidental click can bring serious trouble your way.

Phishing – how many people fall victim to it

Statistics on internet incidents are maintained in our country by CERT Polska, a team operating within NASK – the National Research Institute. According to the data they provide, in 2021, the most common type of incident was phishing. It accounted for almost 80 percent of all cases handled by CERT specialists. Year over year, this means an increase in incidents classified as phishing by as much as 196%! Among the most popular methods of this type of crime was data theft by impersonating Facebook (4852 cases). The second type of incident involved installing malicious software on the computers of unsuspecting network users. The number of 2847 cases registered in 2021 means an increase in this type of crime compared to the previous year by 281 percent.¹ See also: Mobile internet at Mobile Vikings

Examples of internet scams

It's hard to expect empathy from scammers; rather, expect them to prey on our curiosity and, unfortunately, naivety. Many such examples appeared during the recent coronavirus pandemic. Confined to our homes, we consumed more and more new information about the virus, using what the search engine, friends, or... criminals provided. Scammers created fake websites similar to those specializing in sensational news. Such a fabricated fake attracted clicks. The link was supposed to lead to a supposed video and a page impersonating, for example, Facebook. By entering your login and password, you immediately lost them to the scammers, who could then impersonate you. Fake messages, sent en masse by email or SMS, which imitate the websites of banks, well-known courier companies, auction sites, or telecom providers, work on exactly the same principle. This could be, for example, a demand to pay an overdue invoice for a service. There will always be a request to click on a link that, instead of leading to the indicated address, redirects to a data-stealing page. SMS messages contain links whose activation can lead to a complete phone lock or the takeover of login data for savings accounts. The scam mechanism is based on social engineering. Constructed this way, it's very easy to fall into its trap.

How to defend yourself against phishing?

You can avoid falling for phishing. You need to be smarter than the scammers. Read, talk to friends, even watch the news on TV, because the police warn about internet crimes there. In a word, the key is knowledge about criminals' behavior and awareness of specific cyber threats. Unfortunately, the internet has become a place where you should primarily follow the principle of limited trust. It's worth making the effort to learn how to recognize fake websites. Two websites cannot function with the same address on the internet. Criminals can copy the graphic layout, font, and color from the original, but their www addresses will always differ. Therefore, if you have suspicions, pay attention to the website address. Sometimes it will differ significantly from the original, and sometimes almost imperceptibly, by one or two letters. Analyzing the content of a suspicious message will also be important. Fake websites often reveal linguistic errors. Above all, do not click on suspicious links or any downloadable files included in messages. You can call the helpline of your email provider (bank, insurance company) and ask for verification of the message sent. If the sender asks you to provide your login and password, personal data, or a scan of your ID card in an email, ignore this request. If you happen to click a link provided in an email or SMS message, do not log in to your bank account or social media. Furthermore, you can easily check in your browser the details of the entity for which the SSL certificate was issued, i.e., the website's security level. This may include the company name, address, and city. To do this, click on the green padlock next to the www address bar. Then, select "View certificate" from the drop-down menu.

What else can you do? Technical possibilities

There are also technical ways to defend against phishing. To do this, it is worth enabling two-factor authentication for your email account and social media, or using a password manager. Also, analyze the capabilities of your email inbox. Not all systems are good at filtering spam and malicious messages. Therefore, it is a good idea to set up antispam filters in your email to intercept and flag suspicious messages. An effective method to avoid a phishing attack is to regularly update your computer software and install a good antivirus program. Many of them have security features for the browsers you use, which will help limit the impact of an attack if you click on a link in a suspicious message. Using a VPN when connecting to the network can help. Many of them have options to filter websites with malicious software. If you have fallen victim to a crime called phishing, which involves the theft of data or property, you should report it to the police. It is also a good idea to notify CERT, the team responsible for responding to security incidents on the internet. You can do this using the form on the website https://incydent.cert.pl/. 1 https://cert.pl/posts/2022/04/statystyki-obslugi-incydentow-2021/