This article is written by Sanjana Rao, pursuing Diploma in Cyber Law, FinTech Regulations, and Technology Contracts from LawSikho.
What is phishing?
Phishing (also called brand spoofing or carding) is the practice of sending misleading emails or creating fraudulent web applications or servers and demanding personal and financial information from unsuspecting people while appearing to be from a respectable organization or a legitimate website. If the victim falls prey to the scam and enters his credentials, identity theft is likely to occur, and money may be moved to the fraudster’s account or used to make online transactions directly by the perpetrator. The links in such messages may also deliver malware that can compromise the victim’s entire computer system.
Phishing is an evolving form of cybercrime that mainly threatens data privacy and has the potential to cause devastating damages to both individuals and businesses. It is a spin on the word “fishing” since criminals are dangling a fake message like bait in the hopes of fulfilling their malicious intentions. It can be carried out by an individual or a group of people.
Types of phishing
There are numerous forms of phishing that are constantly evolving with technology, with an intention to get past even the latest cybersecurity measures. Some of the interesting ones are:
- Standard Email phishing: Sending an email that would appear to be from a legitimate website. This is very dangerous as it can target a lot of people at once.
- Domain spoofing: Making a clone website and luring victims to enter their credentials.
- HTTPS phishing: Here, fraudsters will send an email containing merely a legitimate-looking link in the email body. There’s usually nothing else in the email but the link (which may be clickable or a non-active link that needs the receiver to copy and paste the URL into their browser’s address bar).
- Smishing: Cybercriminals employ smishing to trick users into downloading harmful payloads by sending text messages that appear to come from trusted sources but contain malicious URLs for them to click on, such as a link disguised as a coupon code.
- Vishing: A vishing attack occurs when a criminal attempts to obtain personal or financial information from you by calling your phone.
- Malware phishing or watering hole phishing: Watering hole phishing attacks target organizations by determining the most frequently visited websites by your firm or employees and infecting one of them with malware. One of the sites chosen for infection may be a provider whose services your firm employs. The idea is to infect websites so that when you or your employees visit them, your computers are automatically loaded with malicious software.
- Evil-twin phishing: An evil twin attack is a hacking attempt in which a hacker creates a phony Wi-Fi network that appears to be a legitimate access point in order to capture sensitive information from victims.
- Spear phishing: This is an email spoofing attack that aims to get unauthorized access to sensitive information by impersonating a certain business or individual. Random hackers are less likely to launch spear-phishing attacks, which are more likely to be carried out by criminals looking for a quick buck or to ascertain specific information.
How is phishing done?
In layman’s terms, a hacker with an intention of phishing would duplicate a legitimate web application or web server, or send malicious attachments to targeted victims, in the hope of stealing their credentials. This is done either by cloning a website with existing tools such as SEToolkit or SocialFish using their available templates, or by creating a customized phishing website that is specific to the victim after some research. Once a fake server, application or message is created, the next step is to get in touch with the victim. If the victim falls prey to the scam and enters his credentials, they are automatically stored in the hacker’s database.
Effects on e-commerce
Phishing was initially noticed in hacker groups in 1996, and it quickly spread to auction sites like eBay and payment processors like PayPal. Phishing has gotten increasingly sophisticated in recent years, and numerous financial organizations (including banks) have become victims of the fraudulent technique.
Phishing has far-reaching consequences for businesses and customers, including significant financial loss, brand reputation damage, lost customer data files, possible legal implications, a significant decrease in employee productivity, improper IT resource utilization, and other administrative consequences. Apart from the exorbitant amounts of financial damages, it also affects the brand’s image and shakes the trust of customers and investors. As per the Internet Crime Report by the Federal Bureau of Investigation, phishing was the most common type of cybercrime in 2020 and 85% of all organizations have been hit by phishing attacks.
Unlike other forms of internet-based crime, such as hacking, which can be carried out in secret, phishing involves the public exploitation of legitimate organizations’ and agencies’ names and reputations. Since it is one of the easiest forms of cybercrime to carry out, it cannot be prevented altogether. Nonetheless, businesses need to take precautions to avoid it as far as possible and also have protocols in place in case of an attack. Apart from having a spam filter, which is almost outdated at this point, companies need to have robust cybersecurity in place. Despite these measures, a phishing scam might make its way through and have a ruinous effect on the business. The outcomes of a phishing attack are:
1. Financial loss and other monetary costs including regulatory fines
First and foremost, if your company is the unlucky victim of phishing, there will almost certainly be immediate financial consequences. In addition to the direct costs of a breach, phishing attempts on your employees may result in fines imposed by regulatory bodies where the breach violates prevalent laws. Identity theft protection and/or compensation for employees or customers whose data has been taken, the investigation process, as well as theft from your organization itself, can potentially cost crores of rupees. An attack has the potential to cut a large chunk off the brand’s market capitalization.
Funds can also be transferred out of a company’s account through phishing impersonation, and a significant increase in customer retention expenses can be expected after such an attack.
2. Impact on intellectual property
Theft of intellectual property is equally damaging to the business. R&D, sensitive customer and employee information, trade secrets, and formulations can all be compromised through phishing. A single stolen design or patent can result in an exceedingly large amount of money wasted in research expenditure for companies.
3. Detrimental to brand’s reputation
Public disclosure of such attacks and breaches can cause irreversible reputational damage. Loss in existing customers and decline in new customers are direct consequences since they may perceive the company as untrustworthy. Worse, if their data is stolen, they may initiate a lawsuit, or the company may face fines for noncompliance if the data is covered by data protection standards.
A successful phishing assault that results in a breach can affect not only client confidence but also the confidence of investors, who have a moral obligation to ensure that cybersecurity measures are prioritized at all phases of a company’s development.
4. Damage to business productivity and company value
Phishing assaults were rated as the most disruptive type of cyberattack for UK organizations in the 2020 Cyber Security Breaches Survey. Recovery time will be required, especially if the phishing attempt involves malware, in which case employees may be distracted and systems may need to be taken offline, potentially rendering certain employees unable to perform their duties. The company’s total value will take a temporary hit.
Notable phishing attacks
1. Sony case in 2014
This scam cost Sony a whopping 100 million dollars in damages. The security compromise was triggered by a series of spear-phishing emails sent to Sony employees. Hackers posed as firm colleagues, sending phishing emails with malware to unsuspecting employees, after studying employee identities and titles on LinkedIn.
2. FACC in 2016
In a CEO fraud scheme, FACC, an Austrian aircraft parts manufacturer, lost $61 million (roughly €54 million). An entry-level accounting staffer sent funds to a false project account after receiving a phishing email from a hacker posing as the CEO.
3. Upsher-Smith Laboratories in 2014
The phishers sent phishing emails to the company’s accounts payable coordinator, impersonating the CEO, instructing them to make nine fraudulent wire transfers. The amount transferred was more than 50 million dollars.
4. Facebook and Google
Between 2013 and 2015, an extensive phishing campaign defrauded Facebook and Google of $100 million. The phisher took advantage of the fact that Quanta, a Taiwanese corporation, was a vendor for both companies. Operating through a company that impersonated Quanta, the attacker issued a series of phony bills, which were paid by both Facebook and Google.
5. MacEwan University in 2017
In a major fraud, phishers impersonated Edmonton construction companies and sent out false bills. The fraudsters even went so far as to set up numerous websites for more than a dozen local construction companies to collect money from the genuine companies’ business partners. Even though the university recovered 92% of the stolen money, the initial amount defrauded was 11.8 million dollars.
Steps for protecting your e-commerce business
- Educating customers on the company’s official website: reminding them that the company does not ask for any personal information via email or call, and promoting user awareness regarding phishing scams.
- Internal training: training all employees on the importance of data protection through cybersecurity awareness programs. A dedicated team must be in charge of handling cyber attacks, and the effectiveness of the training should also be measured.
- Security or warning tools embedded in the web browser, so that such an attack is detected early and stopped before it reaches the user’s system.
- Secure authentication process: have a multi-factor authentication process in place for your customers and employees.
- Web crawlers to identify and take down phishing sites, combined with actively maintained blacklist and whitelist approaches to block them.
- Having a checklist and protocol in place: the company needs to be prepared for any kind of phishing attack. A dependable manual should be in place, drafted after running phishing simulations to evaluate the aftermath of a probable attack, along with a clear protocol to be followed in case of a cyberattack. Law enforcement should be contacted immediately after such an attack is detected.
- Updated cybersecurity in place to strengthen fraud prevention and prediction.
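The whitelist and early-detection steps above, together with the domain-spoofing and HTTPS-phishing patterns described in the types section, can be turned into a simple inbound-mail check. The following is an added example, not code from the article or any product it names; the allowlisted domain, brand string and message texts are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist of the business's own domains (hypothetical names).
TRUSTED_DOMAINS = {"example-shop.com"}
BRAND = "example-shop"  # hypothetical brand string used for lookalike checks

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)
# Digits commonly substituted for letters in lookalike hostnames.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def hostname(url):
    """Return the lower-cased hostname of a URL (empty string if unparsable)."""
    return (urlparse(url).hostname or "").lower().rstrip(".")


def is_trusted(host):
    """True if host is an allowlisted domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def is_lookalike(host):
    """True if the brand name appears in a host that is not allowlisted,
    after undoing digit-for-letter substitutions and dropping punctuation."""
    folded = re.sub(r"[^a-z0-9]", "", host.translate(HOMOGLYPHS))
    brand = re.sub(r"[^a-z0-9]", "", BRAND)
    return brand in folded and not is_trusted(host)


def classify_link(url):
    """Classify one link as trusted, lookalike (brand name on a foreign domain) or external."""
    host = hostname(url)
    if is_trusted(host):
        return "trusted"
    if is_lookalike(host):
        return "lookalike"
    return "external"


def analyse_message(body):
    """Classify every link in an email body and flag link-only messages,
    the pattern the article describes as HTTPS phishing."""
    links = [(u, classify_link(u)) for u in URL_RE.findall(body)]
    text_without_links = URL_RE.sub("", body).strip()
    link_only = bool(links) and len(text_without_links) < 20
    if link_only or any(v == "lookalike" for _, v in links):
        risk = "high"
    elif any(v == "external" for _, v in links):
        risk = "medium"
    else:
        risk = "low"
    return {"links": links, "link_only": link_only, "risk": risk}
```

A "high" verdict is a signal for quarantine or a warning banner, not proof of fraud; the allowlist must be kept current as the business adds legitimate domains, otherwise its own mail is flagged as external.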
With an increase in awareness and debate around data privacy and security, the threat of phishing needs to be equally recognized. Information related to a company or individuals is more valuable today than ever and, in the wrong hands, can wreak havoc. Cybercrimes like phishing will evolve with technology and are expected to become more common and sophisticated on a global scale. Individuals have to take the utmost caution before entering sensitive information on any website or before clicking on any links or emails. The spike in phishing attacks on businesses and organizations compels companies to be on their toes all the time. A blend of updated technology, awareness, and diligence can dramatically lower the likelihood of an individual falling victim to this expanding threat. Between advanced phishing attempts and existing countermeasures, there is a distinct lag, and there is an urgent need for legislative intervention. The new countermeasures should be multifaceted, addressing both the human and technical aspects of the attack. More anti-fraud research and development, computer user education, and strong prosecution of criminals who conduct these crimes will aid in containing the severity of this threat. In this era of unstoppable evolution of technology and cyber-crime, one can only hope for the best and prepare for the worst.