© 2022 CyberNews - Latest tech news,
product reviews, and analyses.


Phishing explained: from fake court summons to forged corporate documents

What does a phishing scam typically look like, and what happens if you fall victim to one?

Imagine one day, out of the blue, you receive an email from none other than the US Department of Justice. This email contains a summons to the court, threatening an immediate arrest for non-compliance. And – oh miracle! – it also has a link to submit a petition letter to raise a dispute. But is it a way out or a carefully orchestrated trap?

Phishing has become all too common, but it still comes in a variety of shapes and forms, with criminals going out of their way to generate emails that beg you to click on malicious links. And yet, many users continue using social platforms carelessly, comforted by a false sense of security.

“I think, like with most things in life, people don’t think they can be a victim and that they’re excluded from the potential threat of phishing, malware, ransomware, etc. With the number of companies that have been personally affected by cyberattacks, it should go without saying that it is better to be safe than sorry, and it pays to be prepared,” David Wreski told Cybernews.

Here is all you need to know in order to prepare yourself for a phishing attack.

Email phishing

Email phishing is a social engineering attack carried out to steal user data. The attacker impersonates an authoritative figure, capitalizing on the authority of an organization or person in order to build trust. It’s often paired with a sense of urgency, forcing the victim to act immediately, often without thinking things through.

But let’s say you’ve clicked on the inserted link. What happens then? You will be transferred to a website closely resembling the one you were supposed to visit: it will look the same, work the same, and even might have legitimate security measures and protocols in place. The things that will distinguish it from its real alternative will be minor, like a slight difference in the web address.

Once you try to log in, the website will forward your details to cybercriminals, who will now be in control of your personal data.

However, email security threats are not limited to this scenario. In the first quarter of this year, hackers impersonated DHL on a massive scale, sending out millions of emails about a package due to be delivered. While many victims hadn’t ordered anything at all, they were curious to learn more and downloaded the attached file – only to receive a Trojan.

Brand phishing

DHL, however, is not even in the top 10 of the most impersonated brands. Facebook, alongside other social media, took first place this year. It accounts for 14% of phishing pages, which rises to 24% once you add other platforms in.

[Image: fake email from DHL]

With 2.8 billion users, Facebook is a goldmine for cybercriminals. Fake emails requesting users to change their passwords are usually the most popular type of Facebook scams utilized to steal user data. However, criminals can also entice users with messages containing keywords and images associated with major events. Last year, COVID-19 was one of the most exploited topics, and right now, it is the war in Ukraine.

Spear phishing

As opposed to email phishing, this time, the target is not a random user of a social media site or a potential DHL client. The target of a spear phishing attack is researched beforehand, so that the scam message is crafted specifically for them, impersonating their closest friends, family, or business clients and partners.

Sometimes, the victim would be a part of an organization, and the attack would include an immense amount of background research to identify the power structure. In that scenario, a phishing attack acts like a spear, breaking through one’s defense and leaving a deep wound.

Then, out of nowhere, a low-ranked clerk gets an email from one of the executives, asking to sign a document and send back a signed copy.

With the research done right, an employee won’t even notice that this email is sent from a slightly different address and will personally hand the corporate stamp and signature to the cybercriminal.

That’s what actually happened to the Belgian Crelan bank, where one of the employees sent the CEO's stamp and signature in reply to a fake email, giving hackers enough resources to forge accurate transfer documents.

These documents were so realistic that each one was approved by the financial department without any issues, costing Crelan bank 75.8 million dollars in total.

While undoubtedly rarer than personal attacks, such phishing scams have already cost multiple businesses – from Google and Facebook to Sony Pictures – millions of dollars in financial, reputational, and sometimes even physical damages.
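The "slightly different address" described in this section and in the email phishing section can be checked mechanically by a mail filter. The following Python is an added example, not code from Cybernews; the allow-list on reserved `.example` names, the confusable-character table and the sample headers are constructed assumptions.

```python
from email.utils import parseaddr

# Constructed allow-list on reserved .example names; use your organisation's real domains.
TRUSTED = {"corp.example", "parcel-carrier.example"}

# Character sequences that are commonly swapped for a similar-looking one.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("5", "s"))

def skeleton(domain):
    """Collapse look-alike characters so 'c0rp' and 'corp' compare equal."""
    for fake, real in CONFUSABLES:
        domain = domain.replace(fake, real)
    return domain

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(from_header):
    """Return (verdict, trusted_domain_or_None) for a From: header value."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ("invalid", None)
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    for t in sorted(TRUSTED):
        if domain == t or domain.endswith("." + t):
            return ("trusted", t)
    for t in sorted(TRUSTED):
        if skeleton(domain) == skeleton(t) or edit_distance(domain, t) <= 1:
            return ("lookalike", t)      # swapped, added or dropped character
        if domain.startswith(t + ".") or "." + t + "." in domain:
            return ("lookalike", t)      # trusted name buried inside another domain
    return ("unknown", None)

if __name__ == "__main__":
    for header in ('"The CEO" <ceo@c0rp.example>',          # constructed samples
                   "Delivery <track@parcel-carrier.example.parcel-info.test>",
                   "HR <hr@mail.corp.example>"):
        print(header, "->", classify_sender(header))
```

A "lookalike" verdict is a reason to quarantine or banner the message; the display name is not trusted at all, only the address domain is compared.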

You’ve accidentally provided your data to a threat actor. What will happen with it?

Although unpleasant to think about, it’s crucial to understand what will happen if you’ve handed your data to a cybercriminal – or be prepared in case the worst has already happened.

The first thing a criminal would do is request new account PINs and remake your bank cards remotely, using banking details and your Social Security number. They will then extract or use all available finances you have.

Identity fraud is also highly possible, as the information you forfeited can be used to request a new passport, driver's license, and more.

With those, nothing stops malicious actors from taking out credit from microfinance organizations, racking up hundreds of thousands of dollars in credit debt.

In a single moment, you can lose all your funds and rack up insurmountable debt. That’s how phishing works. But that’s the worst-case scenario.

Many victims would suffer less, probably having their accounts hijacked and then used for further impersonation scams to extract money or information from their social circle. Rinse and repeat.

How to prevent phishing?

The problem with phishing attacks is their unpredictability. The Crelan bank employee never expected a criminal to pose as their boss. And an ordinary US citizen would be pretty shocked to find out that an email from the Supreme Court could be completely fake.

It might be really hard to learn how to spot phishing attempts without falling into a paranoid state.

“I cannot stress this enough: users need to think before they click. Don’t interact with an email that seems suspicious because there is usually a reason for that,” Wreski told Cybernews.

The best you can do to keep yourself safe is to stay vigilant and avoid revealing your personal details online, especially via links included in personal emails. If you do have to fill something in, instead of clicking the attached link, visit the website manually. Malicious websites often look too real to easily identify them as fakes, but if you access a website manually, you can at least be sure you are visiting the real thing.

The same degree of vigilance should apply to text files, archives, and even images attached to emails, as they can contain malware.

If possible, prevent automatic loading of messages in your mailbox, or, even better, use a secure email gateway whose spam and malware filters are regularly maintained. This may prevent phishing scams, or at least some of them.

You’ve become a victim of phishing. Now what?

If the worst has already happened, first and foremost – contact the police. Cybercrime poses a legitimate threat to your livelihood, and there’s nothing wrong with treating it as such.

Then, make sure to close or cancel all compromised bank accounts. If applicable, explain to the employees that the company’s security was breached.

If your passport was compromised, it will have to be reissued as well. In general, every password, document, or account that was leaked has to be replaced or reinforced with additional security methods, such as multi-factor authentication. There are no exceptions.

Phishing can cause tremendous damage to individuals and huge companies, with few remediation options available. The best thing to do is stay vigilant and prevent phishing attacks from ever taking place.
