This article is written by Tarannum Vashisht, a student of the Rajiv Gandhi National University Of Law, Punjab. This article is a simple attempt at throwing light on the concept of Phishing scams, with the help of some important examples. Also, it provides some suggestions to tackle this menace.
This article attempts to explain the concept of phishing scams. Many people find phishing hard to understand, so the following is an attempt to explain the concept in a simplified manner. For a fuller picture, some major cases of phishing scams are also described. In the end, some easy suggestions for protecting innocent users from falling into the traps of phishing scams are provided.
Phishing scams are a corrupted form of social engineering: they borrow its techniques but turn them towards harming the individual. In simple words, phishing is a malicious attempt to steal sensitive and important information such as passwords, credit card numbers, usernames, etc. from innocent users.
Typically, the communication is crafted to make users believe it comes from a genuine source. The most common example is a link which, once clicked, leads an innocent user to fraudulently make a purchase that he never intended to make in the first place. Getting the user to click on such a link is the prime motive of the person who created it.
Famous cases of phishing scams
Some of the world-famous cases of phishing scams are enumerated below:
Stuxnet
Stuxnet, first uncovered in 2010, is a malicious computer worm which targets Supervisory Control and Data Acquisition (SCADA) systems. Various agencies have reported that it was used by the United States of America and Israel as an attack on the nuclear programme of Iran.
This was a damaging cyberattack carried out under the secret orders of the then president of the United States of America, Barack Obama. The classified operation, code-named Olympic Games, was first developed under the presidency of George W. Bush. The prime intention of this cyber weapon was to demoralise the Iranian scientists. They wanted to make Israel doubt the technical efficiency of their software and make the government think that their engineers were not capable enough to enrich their country's resources.
The attack caused total damage to 1,000 of Iran's 6,000 centrifuges, the fast-spinning machines that enrich uranium. Enrichment is a vital step in creating an atomic bomb.
Moscow World Cup Vacation Rental Scam
The Moscow World Cup vacation rental scam is one of the biggest and most recent scams of its kind. The FIFA World Cup is an extremely famous event which attracts fans from across the globe to watch it live, and the 2018 tournament held in Moscow was no different. A lot of people from different countries planned to fly to Moscow.
This also created a growing enthusiasm among phishing scammers from all over the world, which ultimately resulted in financial loss for a lot of people. This scam cannot be attributed to one organisation carrying out a systematic fraudulent attempt; many scammers made individual attempts at making financial gains at the expense of innocent football fans.
The most common mediums used for this were emails, WhatsApp and SMS. Multitudinous emails were sent to different customers by these fraudsters. These mails often guaranteed discounted rooms, free tickets to Moscow, etc.
In another famous high-profile case, Booking.com's users were targeted via SMS and WhatsApp. The messages sent to these innocent customers contained their legitimate booking information, obtained by hacking into hotel systems.
FACC
In January 2016, FACC fell victim to a massive phishing attack by outside hackers. In this malicious operation, outsiders impersonated someone from within the company in order to attack the users. The customers were tricked, and a large amount of money was fraudulently transferred from the company's accounts to the outsiders' account. The domain name of the company was imitated, and the users were requested to transfer the money on an urgent basis.
This is an example of a large-scale phishing scam which resulted in huge financial losses for the company. After some meetings of the board, it was decided that the CEO of the company was guilty of a severe violation of his duties, and he was removed. Walter Stephan, the CEO in question, holds the record for incurring the highest financial loss ($47 million) from a single scam.
Attack on the Ukrainian power grid
This attack on the Ukrainian power grid happened in December 2015. After Stuxnet, used by the United States of America and Israel, this operation became the second in history to attack physical machinery, and hence it made headlines.
This malicious firmware attack in Ukraine primarily used email phishing as its entry point. It also became the first to use automated, scalable malicious firmware, enabling a single person to disable multiple sites at a time. The attack was carried out very systematically: the attackers had gathered information on the target several months prior to the actual incident, so every stage of the attack was strategically planned beforehand.
This entire scam happened due to the mistake of one employee. It could have been easily prevented by proper training and instructions to all employees and associates against such scams.
Operation Phish Phry
In 2009, the FBI named the largest international phishing case it had ever handled Operation Phish Phry. Hundreds of bank and credit card customers received official-looking emails linking them to bogus financial websites.
The team behind the scam was a highly organised one. The then director, Robert Mueller, used it as an example of how major organised crime syndicates are indistinguishable from nation-state players when it comes to aggressive, large-scale cyberattacks. There is simply no way of knowing who the perpetrator really is until after the investigation.
It was obvious from the outset that Operation Phish Phry was a large-scale project. In the end, the FBI charged more than 100 people, relying on the assistance of Egyptian national security agents to apprehend nearly half of them outside the territory of the United States.
By today's standards the operation was fairly simple, but it managed to pilfer around $1.5 million from hundreds or even thousands of bank accounts.
The FMS scam, or the Target breach
One of 2013's big news stories was the Target data breach affecting 110 million users, including 41 million retail card accounts. At the time, few news outlets reported how the breach happened, but now the findings of the full-scale investigation are available.
It turns out that the cybercriminals did not attack Target directly. They targeted a third-party vendor named Fazio Mechanical Services (FMS), which had trusted access to Target's servers. Gaining complete access to Target's systems was simple after compromising the servers of FMS.
The lesson here is simple: trusted relationships need an objective analysis by experts. Everyone in your organisation needs to ask whether maintaining a trusted link is really worth the possible security risk it might pose.
Suggestions for prevention
It is clear from the above real-life examples that phishing scams can lead to enormous financial losses for both innocent consumers and large-scale companies. It is aptly said that prevention is better than cure. Therefore, some measures to prevent phishing scams are listed below.
Be well informed
Once someone is trapped in a phishing scam, it is next to impossible to get out of it clean. Cases of phishing scams are increasing with great vigour, affecting lakhs of people. With the advent of technology and tech-savvy minds, this malicious software has found new ways to enter other computers and damage them. It has therefore become of utmost importance to stay up to date with knowledge of these new threats. Some precautionary steps taken beforehand can prevent a lot of financial losses afterwards.
Think of the repercussions before clicking on random links
As this article has already noted, the most common way an innocent user is tricked into a phishing scam is by presenting seemingly genuine links to the user. Through various techniques, users are lured into clicking on these links. This leads either to direct financial losses or to the leaking of sensitive information, which in turn leads to indirect financial losses. This often happens when emails are sent from email IDs that look very familiar, for example closely resembling your service provider's email ID. It is very important to check the genuineness of these links and ascertain their purpose before clicking on them.
Install an anti-phishing toolbar
It is absolutely imperative to install a good anti-phishing toolbar to protect your computer. Such toolbars notify the user of suspicious activity and are therefore a great help in stopping malicious software before it damages any of your data.
Verify that the site that you use is secure
It is natural to be a little wary of submitting sensitive financial information online. However, as long as you are on a safe website you should not experience any problems. Before submitting any information, make sure that the URL of the site starts with "https" and that a closed lock icon is present near the address bar. Also, check the website's security certificate.
If you get a message claiming that there might be malicious files on a certain website, do not access the website. Never download files from dubious websites or emails. Even search engines may display links that lead users to a phishing website offering low-cost products. When the user makes transactions on such a website, cybercriminals can access the credit card information.
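The two checks above (a sender ID that merely looks familiar, and inspecting a link's scheme and domain before clicking) can be mechanised. The following Python helper is an added example and is not part of the original article; the TRUSTED list and the sample addresses are constructed, and the "last two labels" domain reduction and the edit-distance threshold are simplifying assumptions.

```python
from urllib.parse import urlparse

# Constructed list of domains this user genuinely deals with (assumption for the demo).
TRUSTED = ["booking.com", "example-bank.com"]

def edit_distance(a, b):
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_domain(host):
    """Naive 'last two labels' reduction; adequate for the constructed samples below."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def classify_domain(host):
    """Return 'trusted', 'lookalike:<trusted domain>' or 'unknown' for a host name."""
    host = host.lower()
    dom = registrable_domain(host)
    if dom in TRUSTED:
        return "trusted"
    for t in TRUSTED:
        # Catches both the subdomain trick (booking.com.evil.example) and
        # near-miss spellings (bookings.com, b00king.com).
        if t in host or edit_distance(dom, t) <= 2:
            return "lookalike:" + t
    return "unknown"

def check_sender(address):
    """Classify the domain part of an e-mail address such as support@bookings.com."""
    return classify_domain(address.rsplit("@", 1)[-1])

def check_link(url):
    """Return the problems found with a link; an empty list means it passed both checks."""
    p = urlparse(url)
    issues = []
    if p.scheme != "https":
        issues.append("not-https")
    verdict = classify_domain(p.hostname or "")
    if verdict != "trusted":
        issues.append(verdict)
    return issues

if __name__ == "__main__":
    for s in ["support@booking.com", "support@bookings.com", "info@news.example.org"]:
        print(s, "->", check_sender(s))
    for u in ["https://www.booking.com/account", "http://booking.com.evil.example/login"]:
        print(u, "->", check_link(u))
```

Note that "https" and the lock icon only prove that the connection is encrypted to whoever controls that domain; phishing pages routinely carry valid certificates, so the domain check carries more weight than the scheme check.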
Checking online accounts regularly
Not checking your online accounts for a long time can have devastating effects. Users should check their accounts regularly, without fail, so that any suspicious activity is detected early. Also, your passwords should be strong and should be changed at regular intervals. This keeps the probability of your accounts being hacked to a minimum.
Browsers should be kept up to date
Browsers need to be kept up to date with the technological advances of phishing software, so that the browser's protections keep pace with the enhanced features of the malicious software. Only then can they protect the user successfully. Updating browsers is therefore of utmost importance.
Use of firewalls
High-quality firewalls serve as a buffer between outside intruders, your computer and you. You can use a mobile firewall and a network firewall: the first is a software firewall and the second a hardware one. If used together, the chances of hackers and phishers infiltrating your device or network are significantly reduced.
Be cautious of pop-ups
Pop-ups are one of the most common ways of tricking innocent users into phishing scams. Therefore the credibility of a pop-up should be ascertained with great care beforehand. Also, if you do end up interacting with a pop-up, close it with the "x" button instead of clicking on the "cancel" button, because a lot of phishing scams trap you even when you click "cancel".
Giving out of personal information should be avoided
Giving out personal information, especially sensitive information about your financial accounts, should be avoided wherever possible. If it is absolutely necessary, the website should be thoroughly checked and, if need be, the company's officials should be called to verify the request.
Use of antivirus software
Antivirus software is absolutely imperative to protect our systems against known malicious software. It should also be updated on a regular basis.
Phishing scams, a corrupted form of social engineering, have infiltrated millions of computers across the world in one form or another. It does not end there: they are growing more harmful with each passing day. Hence an informed approach to combating phishing scams, taking all the precautions described above, is necessary.