How Can Businesses and Customers Recognize Phishing Services?
There is a joke among cybersecurity experts that the main gap in information protection lies in the layer between the keyboard and the computer chair, by analogy with the car enthusiasts' joke. This is understood not only by experts but also by cybercriminals, who actively take advantage of our naivety and inattention. They use social engineering methods, the main purpose of which is to make the victim take actions that benefit the attacker, for example, transfer money or pay for a product or service on a spoofed site.
Social engineering methods
According to a new report from the Bank of Russia, in the first quarter of 2022, the social engineering method was used most often – in 52.5% of cases. Relative to the indicator for the entire 2021, the share of operations using the social engineering method increased: at the end of the past year, it was 49.4%. At the same time, credit institutions are less and less likely to return money stolen by fraudsters to citizens – this figure has been falling since 2019. The problem is that disclosure of data to third parties removes responsibility from banks.
Cybersecurity experts explained to Vedomosti how not to become a victim of online scammers, and how companies and banks can protect their customers.
How people are deceived
In May 2022, Group-IB experts warned that the cessation of Apple Pay in Russia and difficulties with paying in the Apple Store and iTunes services prompted attackers to create new schemes to steal money, bank card data, and Apple ID credentials. Users are offered the chance to top up their Apple Store and iTunes accounts using virtual cards in amounts from 1000 to 6000 rubles. The owners of the service claim that with their help you can top up your account and purchase “any virtual content in absolutely all Apple digital stores in Russia.” The site copies Apple's design, but the payment form is a phishing form, and the data and money go to the scammers.
Another example: fake sites selling tickets for Sapsan trains appear almost every tourist season. The most famous story comes from the summer of 2020, when the fake portal sapsan-trains.com appeared at the top of Google search results. Gullible buyers purchased fake tickets for real money. By the standards of fraudulent sites, this one existed for quite a long time: it was registered in mid-December 2019. The attackers tried to take advantage of the increased demand for tickets during the holiday season and became more active in the winter and summer periods. Initially, the site did not arouse the user's suspicion: an e-mail arrived for authorization and payment confirmation. But after the funds were debited from the card, the purchased Sapsan tickets did not arrive, and the data for feedback, except for e-mail on the site, of course,
Such sites count on the inattention and haste of consumers; scammers buy contextual advertising in search engines in order to appear above the organic search results. Their costs are more than paid off: in the 12 months from June 2020 to June 2021, Russians lost 3.15 billion rubles falling for such schemes, Group-IB calculated. According to the company’s experts, deceived users in the Russian Federation made 11,767 payments daily during that period, totaling 8.6 million rubles a day.
To leave attackers fewer chances, it is enough to be careful when opening links and files, learn to distinguish google.com from qoogle.com, and pay attention to the interface, which may differ from the original in color, logo, or an extra field in the authorization form, Group-IB notes.
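As an added example (not from the article or from Group-IB), the following Python script applies the address-bar checks above to a URL on the defender's side: it flags hosts that differ from a known brand by one character or by a look-alike letter pair (qoogle vs google), brands buried as a subdomain of someone else's site, and punycode hosts. The brand list, the look-alike rules and the two-label domain simplification are assumptions constructed for this example.

```python
from urllib.parse import urlsplit

# Brand list and look-alike rules are constructed for this example.
KNOWN_DOMAINS = ("google.com", "apple.com", "sberbank.ru")
SKELETON_RULES = (("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"), ("q", "g"))


def skeleton(label: str) -> str:
    """Collapse character runs that read alike at a glance (qoogle -> google)."""
    for src, dst in SKELETON_RULES:
        label = label.replace(src, dst)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one-character typosquats (gooogle, appie)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Simplification: last two labels. A real check consults the Public Suffix List."""
    return ".".join(host.rstrip(".").split(".")[-2:])


def classify(url: str) -> str:
    """Return a verdict string for the host in the given URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host:
        return "invalid"
    # Punycode or non-ASCII hosts can hide Cyrillic/Latin look-alike letters.
    if not host.isascii() or any(lbl.startswith("xn--") for lbl in host.split(".")):
        return "suspicious: non-ascii or punycode host"
    domain = registrable(host)
    if domain in KNOWN_DOMAINS:
        return "trusted" if parts.scheme == "https" else "trusted but not https"
    for brand in KNOWN_DOMAINS:
        # apple.com.pay-example.ru: the brand is only a subdomain of another site.
        if f".{brand}." in f".{host}.":
            return f"brand {brand} embedded in {domain}"
        if "." in domain:
            bname, dname = brand.split(".")[0], domain.split(".")[0]
            if skeleton(dname) == skeleton(bname) or edit_distance(dname, bname) <= 1:
                return f"lookalike of {brand}"
    return "unknown"
```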
How can companies protect themselves and their customers?
The schemes of cybercriminals are becoming more and more sophisticated: they often “do not save” on creating mirror sites and fake payment gateways, copying the identity of specific resources. In a situation where the user himself followed the lead of the “social engineers”, the company, of course, is not to blame for the damage caused to him.
And yet, in such situations, there are reputational risks for the company: an example is the infamous calls from the “Sberbank security service”. The calls were made by scammers, but users saw them as a sign that the credit institution's own means of protection were ineffective.
It is currently impossible to completely exclude the possibility of using social engineering tools against clients of various online services. However, there are measures that companies can take on their part to minimize the risks:
- use understandable and reliable financial instruments (wallets, payment gateways, etc.);
- implement two-factor authentication (for example, using a verification code in SMS or a call);
- ensure reliable protection of the resource using proven information security tools and specialists who will constantly monitor the creation of phishing resources with a company identity;
- conduct information work with clients and notify them of possible dangers.
When a company uses payment solutions and information protection tools from trusted vendors, this alone reduces the risks both for the company itself and for its customers.
How can an Internet user protect himself from online fraud?
First of all, experts from Group-IB and other surveyed companies advise paying attention to the following points:
- study the address bar carefully. All popular legitimate services support the HTTPS encryption protocol, and the padlock next to the address bar also serves as a basic security marker. Of course, such a simple check will not protect you from advanced fraud schemes, but it will definitely protect you from those that count on inattention. Browser plugins (for example, HTTPS Everywhere, WOT, etc.) provide a more serious level of protection;
- if you shop online, make payments carefully and through 3-D Secure (3DS) services. First of all, make sure that this is a payment to the merchant's details and not a transfer to a third party’s personal card. Such “clumsy” fraud, oddly enough, is very effective;
- if a site you know has suddenly changed its design, beware. Criminals create online resources for the simple purpose of collecting sensitive data or getting money through deception, so in most cases they do not bother with the structure and design of the site. Careless layout, spelling errors, broken sections, and broken links are clear signs of a substituted resource;
- before paying (especially for a significant amount), do not be too lazy to check the date of registration of the domain. This can be done using public services, for example, whois7.ru. If the site was created less than a year ago, the probability of fraud is high;
- if you are prompted to install additional programs on your phone or computer in order to make a purchase on the Internet, do not do this under any circumstances. Otherwise you risk losing not only money but also the device itself;
- If the site has not raised any doubts and you are ready to make a purchase on the Internet, carefully study the payment instruments. After entering the card details, the store site should transfer you to the gateway of your card payment system. This is a separate secure page, the online store cannot access the information you enter there. Payment gateways connect the cardholder to their bank when making a payment. The bank sends a one-time code to the client in an SMS message to confirm the operation. And only after the buyer enters it, the payment goes through;
- do not tell anyone the secret codes from the bank – check whether the data from the SMS matches the details of the operation, in particular – the purpose of the payment and the name of the legal entity accepting the payment. If everything is in order, enter the code in a special field on the payment page. If not, call the bank.
- you should also avoid those payment methods that do not allow refunds.
- try not to use a single card for all payments. For example, you can get a separate card for making purchases on the Internet and transfer the necessary amount to it immediately before making a payment. In this case, even if you fall into a trap set up by scammers, you will not compromise the card data on which your savings are stored.
If the attackers still managed to deceive you and steal money from your account, contact the bank, then file a report with the police and send the bank the receipt confirming that your report was accepted. If you yourself entered the card details when making a payment on a phishing resource, the bank will not be able to refund your funds without a report to law enforcement agencies.
Fraudsters are always active during periods of social tension, so right now you need to be extremely careful about where and how you leave personal data and, in particular, your bank card data. Fraud methods are becoming more sophisticated every day, and some of them may be unknown even to specialists. Therefore, neither banks nor companies can guarantee their customers absolute protection. So first of all, you need to be attentive to where and what information about yourself you leave.