First of all, phishing is a crime, and everything that follows should be read with that in mind. Identifying the attacker is hard and is a job for law enforcement, not for a private company; what a company can and must do is defend against the attacks.
A key feature of these attacks is the appearance of familiarity with the victim. The mechanism starts with open contact: you receive an e-mail or a message in any messenger with a pretext (a "script") that justifies the action you are then asked to take. In the worst case you yourself hand another person access to your personal data, such as your bank cards. The chain can be longer: having gained access to one of your accounts, or to your mailbox, the attacker uses it to reset or steal other passwords. This is not about technology so much as about psychology.
What might attacks look like?
- Phishing through a company employee. The impact depends on that employee's level of access, and at first glance it does not sound critical, because each employee's activity in a company is segmented and understood. But having compromised one person, the intruder starts to creep further. Every organisation has its own degree of disorder in who can reach what; call it the entropy of the system. The more such disorder, the more chances the attacker has to move on by following whatever information flows are reachable from the first account.
- Phishing through the leader, founder or CEO. A powerful psychological technique, especially in authoritarian companies where subordinates are used to obeying the director without question. Sometimes fear overrides common sense, and employees carry out the instructions in a letter supposedly sent by the boss. Employees need to understand that checking a strange order through a second channel is a necessity, not insubordination, and the leader should make sure employees feel safe doing so.
- Phishing on social networks always works well. A good offer has a chance to go viral (in the good sense of the word), because we care about our friends and relatives. Having heard about a free offer or the chance of a big discount, we hurry to pass it on, often just by sharing the link. Intruders often disguise themselves as such unique offers, and social networks give them an enormous field to work in.
- Close in mechanism but very different in content are attacks via mobile phones (SMS and calls). Attackers usually work from a limited list of phone numbers, and because the list is limited and they know little about who is behind each number, the message has to work on anyone. This is why generic "one size fits all" messages, a parcel waiting for you, a card blocked, an unpaid fine, are the sure bet for them.
Recognizing phishing is not so difficult. Firstly, it is almost always about urgency: if, while reading a letter, you feel you are being pushed into a quick, unthinking action, be alert. Letters of this kind often contain spelling and grammar errors, and links to sites you know look subtly different, with a letter replaced (a digit 1 for an l, two letters rn for an m, a Cyrillic letter for an identical-looking Latin one) or the real brand name placed in front of an unrelated domain. The visible text of a link may also differ from the address it actually opens, so check the real target before clicking. Most importantly, you may be asked to enter your personal data, to send a password, or to grant access to a third party. Legitimate companies do not ask for passwords by e-mail or in a message.
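The checks described above (urgency wording, look-alike domains with swapped letters, brand names in front of a foreign domain, and link text that does not match the real target) can be automated for triage. The script below is an added example written for this page, not code from the original author; the allow-list of known domains, the confusable-character table and the sample HTML message are all constructed for the illustration, and the two-label "registrable domain" rule is a simplification that ignores the public suffix list.

```python
import re
import unicodedata
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list: domains the recipient legitimately deals with.
KNOWN_DOMAINS = {"paypal.com", "microsoft.com", "example-bank.com"}

# Characters an attacker swaps in because they read like the real ones:
# digits that look like letters, letter pairs that look like one letter,
# and Cyrillic letters that are visually identical to Latin ones.
CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x",
}
PAIR_CONFUSABLES = {"rn": "m", "vv": "w"}

# Pressure phrases typical of phishing pretexts (constructed, extend freely).
URGENCY = re.compile(
    r"\b(immediately|within \d+ hours?|urgent(ly)?|suspended|"
    r"verify your (account|password)|confirm your (password|card))\b", re.I)

# Constructed sample message; not a real phishing e-mail.
SAMPLE_HTML = """<p>Your account will be suspended within 24 hours.</p>
<p>Please <a href="https://paypa1.com/login">verify your account</a> now.</p>
<p>Or visit <a href="https://signin.example-bank.com.login-check.net/">https://www.example-bank.com/</a></p>
<p>Support: <a href="https://www.microsoft.com/support">Microsoft Support</a></p>"""


def skeleton(host: str) -> str:
    """Fold a hostname to the Latin string a human would read it as."""
    s = unicodedata.normalize("NFKC", host).lower()
    for pair, letter in PAIR_CONFUSABLES.items():
        s = s.replace(pair, letter)
    return "".join(CONFUSABLES.get(ch, ch) for ch in s)


def registrable(host: str) -> str:
    """Last two labels of a host (simplification: no public-suffix list)."""
    return ".".join(host.strip(".").split(".")[-2:])


def lookalike(host: str):
    """Return the known domain this host impersonates, or None if it is clean."""
    host = host.lower()
    if "xn--" in host:  # mail clients carry IDN hosts as punycode
        try:
            host = host.encode("ascii").decode("idna")
        except UnicodeError:
            pass
    reg = registrable(host)
    if reg in KNOWN_DOMAINS:
        return None
    folded = skeleton(reg)
    for known in sorted(KNOWN_DOMAINS):
        if folded == skeleton(known):  # paypa1.com, rnicrosoft.com, pаypal.com
            return known
        if known in host:              # paypal.com.login-check.net
            return known
    return None


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze(html: str) -> list:
    """Return a list of human-readable findings for one message body."""
    findings = []
    if URGENCY.search(html):
        findings.append("urgency language")
    parser = LinkCollector()
    parser.feed(html)
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        target = lookalike(host)
        if target:
            findings.append(f"link host {host!r} impersonates {target}")
        shown = re.search(r"https?://([^/\s]+)", text)
        if shown and shown.group(1).lower() != host.lower():
            findings.append(f"link text shows {shown.group(1)!r} but goes to {host!r}")
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_HTML):
        print(finding)
```

Run against the constructed message, the script reports the urgency wording, the digit-for-letter domain paypa1.com, the brand name buried in front of login-check.net, and the link whose visible text names the bank while the href leads elsewhere; the genuine www.microsoft.com link produces no finding. The skeleton comparison is only ever made against the allow-list, so folding a harmless word such as "modern" to "modem" cannot by itself raise an alert.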