Consultant’s corner: Cybersecurity in the age of phishing – how you get tricked

Cybersecurity: Freelance consultant Piotr Nasilowski received a strange yet tempting email that almost made the skilled cybersecurity specialist give in to temptation. Fortunately, he realised the email was too good to be true, and the episode revealed that even an expert is susceptible to cybercrime.

In this article, Piotr Nasilowski describes how vulnerable we all are to internet scams. He points out dangerous phishing techniques we all should be aware of and shares his best advice on how to avoid being a victim of cybercrime.

By Piotr Nasiłowski – Business Cyber Security Consultant

Welcome to the Consultant’s Corner series, a blog for independent IT freelancers. Here you can find out what fellow high-end IT consultants are up to in their current or recent projects. Read about trending technologies, and get inspiration from the freelance journey of other like-minded IT professionals.

In May 2021, I found a bizarre email in my mailbox – the Director of the National Centre of Cyberspace Security demanded that I confirm my readiness to be enlisted in the Cyber Army. The message contained a direct link to the enlistment form to this unit.

The scratching of my head and wrinkling of my eyebrows turned into laughter only a moment later, when I read that the situation was dramatic because "now only thanks to the supply of electricity from Germany and Sweden our country can function". It was so improbable that I could not take it seriously. Or could I?

As a cyber security expert, I was sure that I had not been called up to any cyber army; instead, I realised I had become the target of a campaign to defraud me of my data.

It got me thinking: most internet users have no expertise in cybersecurity. But by building awareness of cyber threats, everyone can fight cybercriminals every day. What is more, everyone should fight them.

In other words: by using the web, we all have been called up to the cyber army.

The rod and the bait – meet phishing

The scam described above is called phishing (derived from "fishing" = catching fish) and is a prevalent form of cyberattack. It uses electronic mail, Instagram, Facebook or Twitter but also text messages and phone calls.

Phishing aims to mislead a recipient so that the scammer gains a benefit: personal data, access to a bank account or a computer, or confidential information if the user stores it on the workstation.

  • The fishing rod is the communication channel (e.g. email, text message)
  • The bait is the manipulative message
  • The catch is the information that provides the cybercriminal with specific benefits such as access to a bank account, a government institution, confidential corporate information.

Phishing messages are crafted with a lot of care to look as much like actual correspondence from a trusted sender as possible. Phishing emails addressed to the mailboxes of employees in public institutions or corporations are especially critical. They may compromise data not only of an individual but also the work of the entire organisation.

Spear phishing

Another category of attack is spear phishing, which targets specific organisations or employees in particular positions. Such messages are crafted using social engineering techniques.

It is not uncommon for scammers to research the person, or the specific position the person holds, on the Internet beforehand.

Whaling

Whaling, or hunting for a "whale" or "big fish", is a separate category of phishing.

"Big fish" are CEOs of large corporations, senior executives and similar persons at high-level positions. Messages crafted for whaling require much more effort from a cybercriminal than phishing addressed to random users.

People at high-level positions are more widely educated, intelligent, and well-read, making it harder to trick them.

CEO fraud

Although whaling succeeds only infrequently, a single click in tens of thousands of emails is often enough for the company to suffer millions of dollars in losses.

The same applies to a category of phishing known as CEO fraud. The criminal impersonates a superior in order, for example, to instruct a bank employee to make a transfer to a designated account.

Clone phishing

Clone phishing is another intriguing and treacherous case.

This type of attack is usually preceded by a break-in in which company resources are stolen: an original, previously sent email (including its list of recipients and an attachment or link) is copied, the attachment or link is replaced with a malicious one, and the message is resent.

Clone phishing is one of the most dangerous attacks because it is hard to differentiate it from genuine emails.

You receive a message whose content you know well, because you usually receive several like it during the day. And without thinking, you click a link.

However, the link does not lead to the familiar website; instead, you have become a victim of a phishing attack. And malware will probably be installed on your workstation by the scammers.

Vishing and Smishing

Email is not the only communication channel available to phishing scammers.

With voice phishing (vishing), the attack is carried out by automatically dialling many telephone numbers and playing a prepared recording, which gives false information about, for example, an unauthorised transaction from the recipient's account.

It is dangerous because the displayed telephone number matches the number of the bank's hotline, and the voice message tells you to call a phone number to resolve the problem. You will connect to a scammer who will trick you into giving access to your bank account.

With SMS phishing (smishing), the scammers ask the user in the text message to contact a specific phone number, click a link or write an email to a specified address. Then the whole process of social engineering and phishing occurs.

Page hijacking

Slightly less common – and one of the most dangerous phishing attacks – is page hijacking. This involves manipulating the content of an existing website to steal user data.

The website you usually use appears normal, but when you visit it, malware is downloaded automatically, and the attacker may steal data from your workstation.

There is a particular method used by Internet scammers – manipulation of domain names. The scammer changes just one letter in the URL, and everything looks all right at first glance, e.g. onlne.mbank.pl instead of online.mbank.pl.

It is easy to overlook such a typo; thus, browsing a fake domain and entering your online account login information can be disastrous.

How not to take the bait

Everyone thinks that they will not be deceived. "I am not so stupid", "I can see that this is a scam" – there is nothing more wrong. But Internet criminals create new attack methods every day.

I recently came across news of a very clever credit card phishing campaign on the OLX platform – I recommend reading this article: What does OLX scam victim feel? (In Polish). As the victim says, "I thought no one could deceive me, but I have still been scammed".

The victims of phishing attacks are not only the elderly, who are less online-savvy due to the generational gap. Nor are they uneducated people.

Sometimes all it takes is acting automatically: not reading carefully, not looking carefully, or clicking something out of emotion or haste. That is why you should always take a bit more time to read carefully every message that arrives in your inbox.

9 bits of advice on how to avoid Internet scams

Qualified: Piotr Nasiłowski is a certified Business Cyber Security Consultant and coordinator with six years of professional track record in the field.

Despite more or less effective anti-spam filters existing in every electronic mail service, the advice presented below should be a routine for everyone:

1. Check carefully every email address from which you receive a message: you can use a simple Google search to check whether the address is associated with the institution it claims to represent, or contact the hotline of that institution.

2. ALWAYS forward emails and text messages from people impersonating an institution to that institution.

3. Do not open links to websites if the URL looks suspicious. Take special note if the correspondence seems credible but the sender writes from an unknown address.

4. Read the contents of an email or text message very carefully. Clarify the situation through the institution's reliable communication channels (such as the official hotline or email address), regardless of the sender's address.

5. Check the correctness of the Polish, English or other language in the message. Official messages from institutions, organisations, companies and corporations rarely have typos.

6. Confirm with your superior if an instruction they gave seems unusual, and always do so through another communication channel. In other words: when you receive an email in which your superior instructs you to do something extraordinary – call them.

7. Stay up to date with the privacy policy of your bank, electricity provider and telecommunications provider. No institution will ever ask for login information over the phone or by email, no matter how trustworthy the call sounds or how professional the email looks.

8. Never give your credit card details when someone wants to transfer money to you. Anyone who has your card details may withdraw money with them.

9. Show a suspicious message to someone else – a colleague from the office or your superior, and if it is a private message, someone close to you. Many phishing attacks have been thwarted just by having a third person look at a potentially dangerous message.
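The first piece of advice above (check the sender's address) and the one-letter domain trick from the page hijacking section (onlne.mbank.pl instead of online.mbank.pl) can both be checked mechanically. The script below is an added example written for this article, not a tool by the author; the trusted hostnames, the sample email and the two-edit threshold are constructed assumptions. It parses a raw message, pulls out every hostname the reader is being asked to trust (the From and Reply-To domains and the links in the body), and flags any hostname that is a near miss of a trusted one.

```python
"""Added example: flag lookalike hostnames in a phishing email's sender
address, Reply-To address and links. Not the article author's code; the
allowlist, sample message and threshold below are constructed assumptions."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed allowlist: the exact hostnames this reader expects to see from
# their bank, mirroring the article's online.mbank.pl example.
TRUSTED_HOSTS = {"online.mbank.pl", "www.mbank.pl", "mbank.pl"}

# Constructed sample message (not a real campaign): an unknown sender domain,
# a Reply-To on a one-letter lookalike, and a mix of fake and genuine links.
SAMPLE_EMAIL = """\
From: "mBank" <alerts@mbank-secure.pl>
Reply-To: verify@onlne.mbank.pl
To: reader@example.invalid
Subject: Confirm your account

Your account has been limited. Confirm here: https://onlne.mbank.pl/login
Help is available at https://online.mbank.pl/help as usual.
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def levenshtein(a: str, b: str) -> int:
    """Edit distance: the number of single-character insertions, deletions
    or substitutions needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def classify_host(host: str, trusted=TRUSTED_HOSTS, max_distance: int = 2) -> str:
    """'trusted' for an exact allowlist match, 'lookalike' when the host is
    within max_distance edits of a trusted host (a dropped or swapped letter),
    'unknown' otherwise. Case and a trailing dot are ignored."""
    host = host.lower().rstrip(".")
    if host in trusted:
        return "trusted"
    if any(levenshtein(host, good) <= max_distance for good in trusted):
        return "lookalike"
    return "unknown"


def analyse_message(raw: str) -> list:
    """Return (source, hostname, verdict) for the From and Reply-To domains
    and for every http(s) link found in a plain-text body."""
    msg = message_from_string(raw)
    findings = []
    for header in ("From", "Reply-To"):
        _, addr = parseaddr(msg.get(header, ""))
        if "@" in addr:
            domain = addr.rsplit("@", 1)[1]
            findings.append((header, domain, classify_host(domain)))
    body = msg.get_payload()
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        findings.append(("link", host, classify_host(host)))
    return findings


def is_suspicious(findings) -> bool:
    """A lookalike hostname anywhere in the message is the signal that should
    send the reader to the institution's official hotline instead of the link."""
    return any(verdict == "lookalike" for _, _, verdict in findings)


if __name__ == "__main__":
    results = analyse_message(SAMPLE_EMAIL)
    for source, host, verdict in results:
        print(f"{source:9} {host:25} {verdict}")
    print("suspicious:", is_suspicious(results))
```

Running it on the sample prints the unknown sender domain, the two lookalike hits (the Reply-To domain and the first link) and the one genuine link, then `suspicious: True`. The edit-distance threshold of two catches the single-letter substitutions and omissions the article describes; a production filter would additionally compare registered domains using the Public Suffix List, which this example deliberately leaves out.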

– with a soldier’s salute,

Piotr Nasiłowski

Piotr Nasiłowski

Piotr Nasiłowski is a certified Business Cyber Security Consultant with six years of professional track record in the field, and assignments via ProData Consult.

He is very experienced within ITIL, Cyber Security, Vulnerability Management, IBM QRadar SIEM, Nessus, SQL, Atlassian Confluence and SIEM.

Piotr Nasiłowski studied at Warsaw University of Life Sciences, where he earned a bachelor's degree in Finance (2012), and holds a master's degree in Management from Warsaw School of Economics (2014). Furthermore, he has completed postgraduate courses at Warsaw University of Technology in Telecommunication Engineering and Data Protection in IT Systems.