Phishing is one of the oldest types of cyberattacks that can result in online banking fraud, and remains one of the most pernicious: nearly a third of all breaches last year involved phishing, according to a 2019 Verizon Report.
Much of the recent discussion around the sharp increase in coronavirus-related scams concerns phishing. But how much do you actually know about what phishing is?
We take a deep dive into the history of phishing, the most common types of phishing campaigns to be on the lookout for now, and how to protect against them.
A phishing attack is a fraudulent attempt to obtain sensitive and personally identifiable information (PII) from companies or members of the public. Examples of PII are usernames, passwords and credit card details. Most often the perpetrators disguise themselves online as a trustworthy entity in order to persuade their targets to hand over their information.
The main thing to keep in mind with phishing campaigns is that they are a social engineering technique. This means that the fraudster is deliberately using something to bait their targets, whether it’s a link on a webpage to a fake news story designed to outrage, or a spoofed email purporting to be from the victim’s bank, which encourages them to click on a link taking them to a webpage under the fraudster’s control.
The following are a few types of phishing and examples of how they would be practically carried out:
Phishing came to prominence as a way for fraudsters to con people out of their money in the 1990s. By the year 2004, it was being reported that US businesses were losing around $2 billion a year as clients became victims of phishing attacks, and the practice of phishing was recognized as a fully organized part of the black market.
As time goes by, the problem gets bigger and bigger. Last year it was reported that phishing accounts for 90% of all security breaches, with around 1.5 million new phishing sites being created each month.
And perpetrators of this cybercrime are getting better and better at carrying out phishing attacks. Their job has been made easier by the constantly increasing hyper-connectivity and online presence of the general public.
For example, the rise of social media has removed the need for fraudsters to carry out targeted campaigns over email, when they can simply post a fake ad online and target thousands of potential victims at once.
Plus, attacks are becoming increasingly sophisticated as attackers' methods and technology evolve.
This means that even criminals with very little technical know-how can embark on phishing campaigns, using off-the-shelf tools and templates bought on the black market or dark web.
These ‘phishing kits’ bundle website resources and tools that simply have to be downloaded onto a server. And once downloaded, all the attacker has to do is send out emails to potential victims.
With attacks becoming increasingly easy for fraudsters to perpetrate and harder for individuals to spot, new campaigns are cropping up all the time – as seen with the spike in cases surrounding the coronavirus pandemic. To win this battle, everyone’s online security needs to put up much more of a fight.
The increasing use of multifactor authentication to validate identity more comprehensively is a welcome increase in online banking security, but criminals can still find out static information such as passwords and account information all too easily.
Behavioral biometrics, on the other hand, cannot be imitated or stolen as they’re unique to each individual.
A comprehensive anti-fraud solution needs to leverage behavioral analytics and deep learning technology alongside other authentication factors, to evaluate the way in which a user typically types and moves their cursor, as well as many other online behaviors.
By comparing the real-time behavior of a user against their historical behavior, it is possible to confirm whether it is really them, or whether a fraudster has taken over their account.
This means that, even if an individual falls victim to a phishing scam and passes over their information, the bank can still prevent fraud from taking place.
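A minimal sketch of the comparison described above, added here as an illustration and not the code of any vendor or product. It swaps the deep learning model for a plain per-feature z-score baseline; the feature names, sample sessions and threshold are constructed assumptions.

```python
from statistics import mean, stdev

# Constructed sample data: per-session averages for one user (not real measurements).
HISTORY = [
    {"key_hold_ms": 95, "key_gap_ms": 140, "cursor_px_s": 620},
    {"key_hold_ms": 102, "key_gap_ms": 150, "cursor_px_s": 580},
    {"key_hold_ms": 98, "key_gap_ms": 135, "cursor_px_s": 640},
    {"key_hold_ms": 105, "key_gap_ms": 145, "cursor_px_s": 600},
    {"key_hold_ms": 100, "key_gap_ms": 155, "cursor_px_s": 610},
]
GENUINE = {"key_hold_ms": 101, "key_gap_ms": 148, "cursor_px_s": 595}
# Correct credentials, but a different person at the keyboard (constructed).
TAKEOVER = {"key_hold_ms": 70, "key_gap_ms": 60, "cursor_px_s": 1400}


def build_profile(sessions):
    """Per-feature mean and spread learned from a user's past sessions."""
    if len(sessions) < 2:
        raise ValueError("need at least two historical sessions to estimate spread")
    profile = {}
    for feature in sessions[0]:
        values = [s[feature] for s in sessions]
        # Floor the spread so a very consistent user cannot cause division by zero.
        profile[feature] = (mean(values), max(stdev(values), 1e-6))
    return profile


def anomaly_score(profile, session):
    """Mean absolute z-score of the live session against the stored profile."""
    return mean(abs(session[f] - mu) / sd for f, (mu, sd) in profile.items())


def assess(profile, session, threshold=3.0):
    """Return 'allow' or 'step_up' (ask for another factor) plus the score."""
    score = anomaly_score(profile, session)
    return ("step_up" if score > threshold else "allow", round(score, 2))


if __name__ == "__main__":
    profile = build_profile(HISTORY)
    print("genuine :", assess(profile, GENUINE))
    print("takeover:", assess(profile, TAKEOVER))
```

The score is a risk signal to combine with the other authentication factors, so a high value triggers a step-up challenge rather than an outright block.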