
São Paulo/SP – January 30, 2023. Phishing, a play on the English word "fishing", is the practice of luring an individual or a company into handing over confidential data.

By Otavio Lima

Digital crime has taken up a lot of space in the media. There are several kinds of cyber crime built on social engineering, but this article deals with one in particular: phishing.

The term phishing is a play on the English word "fishing": the criminal casts a lure in order to "catch" confidential data from an individual or a company. The bait is usually inviting content that leads the victim to submit sensitive data such as a CPF (the Brazilian taxpayer number), an e-mail address or bank details, delivered over channels such as e-mail, text messages and instant messaging that then let the criminal exploit the information.

Where does it come from?

Phishing messages can take the form of any content that lures the user into taking an action or supplying information, whether personal or corporate. They arrive through several categories of attack vector, and almost all are built around a call to action: click a suspicious link, install malicious software, or "update" some personal information.

What are the most common attack vectors?

The fake content delivered through these vectors is increasingly realistic, so that the victim falls for the scam, and it adapts to each communication medium, which widens the attacker's options.

See some examples below:

  • Smishing (phishing by SMS);
  • WhatsApp scams (fake coupons and fake websites);
  • Social networks (promoted posts, fake discounts);
  • Malicious links in Google AdWords (paid results shown for searched keywords);
  • Conventional telephone calls (impersonating companies);
  • Fake domains (look-alike names built from similar-looking ASCII characters or Unicode characters from other scripts, the so-called homograph attack).
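The last item deserves a concrete check. The script below is an added example, not code from the original article: it takes a hostname as a user would see it in a link (including punycode "xn--" labels), decodes it, flags labels that mix writing systems, and reduces the name to a "skeleton" in which known look-alike characters are replaced by their Latin counterparts so it can be compared with a list of domains the organisation trusts. The trusted-domain list, the confusables table and the sample hostnames are all constructed for the demo; the real Unicode confusables table is far larger than the handful of entries used here.

```python
"""Added example (not from the original article): spot look-alike
(homograph) domains of the kind used in phishing links.

TRUSTED_DOMAINS, CONFUSABLES and the sample hostnames are constructed
test data for this demo.
"""
import unicodedata

# Hypothetical list of domains the organisation wants to protect.
TRUSTED_DOMAINS = {"example.com", "safeway.com.br"}

# Small hand-picked subset of visually confusable characters (assumption;
# the Unicode confusables.txt table has thousands of entries).
CONFUSABLES = {
    "\u0430": "a",   # Cyrillic small a
    "\u0435": "e",   # Cyrillic small ie
    "\u043e": "o",   # Cyrillic small o
    "\u0440": "p",   # Cyrillic small er
    "\u0441": "c",   # Cyrillic small es
    "\u0443": "y",   # Cyrillic small u
    "\u0445": "x",   # Cyrillic small ha
    "\u0456": "i",   # Cyrillic small Byelorussian-Ukrainian i
    "\u03b1": "a",   # Greek small alpha
    "\u03bf": "o",   # Greek small omicron
    "\u0131": "i",   # Latin small dotless i
    "0": "o",        # pure-ASCII look-alikes: digit zero for letter o,
    "1": "l",        # digit one for letter l
}
# Multi-character look-alikes are replaced after the single-character pass.
MULTI_CONFUSABLES = {"rn": "m", "vv": "w"}


def decode_host(host: str) -> str:
    """Lower-case the host and decode IDNA/punycode (xn--) labels to Unicode."""
    host = host.strip().rstrip(".").lower()
    if host.isascii() and "xn--" in host:
        try:
            return host.encode("ascii").decode("idna")
        except UnicodeError:
            return host  # malformed punycode stays as-is; still worth a look
    return host


def scripts_in(label: str) -> set:
    """Return the set of Unicode scripts used by the letters of one label."""
    scripts = set()
    for ch in label:
        if ch == "-" or ch.isdigit():
            continue
        scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def skeleton(host: str) -> str:
    """Map confusable characters to Latin and strip diacritics."""
    out = []
    for ch in host:
        ch = CONFUSABLES.get(ch, ch)
        decomposed = unicodedata.normalize("NFKD", ch)
        out.append("".join(c for c in decomposed if not unicodedata.combining(c)))
    result = "".join(out)
    for seq, repl in MULTI_CONFUSABLES.items():
        result = result.replace(seq, repl)
    return result


def analyse(host: str) -> dict:
    """Decode the host, detect mixed scripts and look for a trusted domain
    that it imitates once confusables are normalised."""
    decoded = decode_host(host)
    mixed = any(len(scripts_in(label)) > 1 for label in decoded.split("."))
    skel = skeleton(decoded)
    impersonates = next(
        (t for t in sorted(TRUSTED_DOMAINS) if decoded != t and skel == skeleton(t)),
        None,
    )
    return {
        "input": host,
        "decoded": decoded,
        "skeleton": skel,
        "punycode": "xn--" in host.lower(),
        "mixed_script": mixed,
        "impersonates": impersonates,
    }


# Constructed samples. The Cyrillic "a" is written as an escape so the
# substitution is visible; the punycode form is derived from it here.
PUNYCODE_SAMPLE = "ex\u0430mple.com".encode("idna").decode("ascii")
SAMPLES = ["example.com", "ex\u0430mple.com", PUNYCODE_SAMPLE,
           "examp1e.com", "safevvay.com.br"]

if __name__ == "__main__":
    for sample in SAMPLES:
        report = analyse(sample)
        verdict = report["impersonates"] or "no trusted match"
        print(f"{sample!r:40} mixed={report['mixed_script']!s:5} -> {verdict}")
```

Two caveats apply in practice: a mixed-script label is not proof of fraud (some legitimate names combine, say, Japanese and Latin), so treat it as a signal to review rather than a verdict; and the skeleton comparison only catches imitations of domains you have listed, so the list has to include the brands, banks and suppliers your users actually deal with.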

Types of Phishing

In addition to knowing where phishing attacks come from, it is important to know the main types, described below:

Types of Phishing

  • Scam: induces the victim to leak sensitive data, usually through links or infected files.
  • Blind phishing: a bulk blast of random e-mails with malicious content, in the hope that some recipient takes the bait.
  • Spear phishing: phishing aimed at a specific group of people.
  • Clone phishing: a scam that fakes a landing page or website; the registration form it presents hands the victim's data to the criminal.
  • Whaling: targets a victim with greater purchasing power or authority, with the criminal posing as the government or the courts.
  • Vishing: uses voice mechanisms or phone calls to steal information from the individual.
  • Pharming: DNS poisoning used to redirect users to fraudulent sites on a large scale.
  • Smishing: via SMS, delivers highly urgent messages that prompt immediate action and so leak information.

Phishing in Latin America

According to Kaspersky's Threat Outlook for 2022, Brazil registered more than 1,500 scams using fraudulent messages (phishing), which puts phishing at the centre of cyber crime in the country.

The research also revealed what these criminals are after: 27% seek to steal internet or mobile banking credentials, 22% aim at social network credentials, 18% at credentials for online services (online stores, streaming and so on), 9% use financial-services themes to steal passwords, and 7% want payment data (credit cards).

How companies are affected by this type of crime

A case reported by Forbes in 2019 stood out in this area. Toyota, through its parts subsidiary Toyota Boshoku, lost about US$37 million to a phishing scam. Using social engineering, the criminals convinced a finance executive by e-mail to authorise an electronic transfer of funds, posing as a third-party supplier of Toyota (the pattern known as business email compromise, or BEC). It shows how a company can fall for a phishing scam and put confidential environments at risk.

In companies, the attack usually goes through an employee who receives the attractive content and acts on it, as happened at Toyota.

Below is a flow that summarizes how the scam unfolds:

[Figure: How Businesses Get Hit by Phishing]
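A finance team cannot rely on instinct alone for messages like the one that hit Toyota, so it helps to see what an automated first look at such an e-mail can catch. The script below is an added example, not code from the original article or from any SAFEWAY tooling: it parses a raw message with Python's standard email library and flags the classic BEC signals, a Reply-To that points somewhere other than the From domain, SPF/DKIM/DMARC results that did not pass, a display name that claims to be a known supplier while the address domain is something else, and wording that asks for a payment or a change of bank details. The two messages and the approved-supplier list are constructed test data; the .example domains are reserved names and belong to nobody.

```python
"""Added example (not from the original article): header triage for a
business-email-compromise (BEC) message that asks finance to wire money.

SAMPLE_EMAIL, CLEAN_EMAIL and KNOWN_PARTNERS are constructed test data.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Hypothetical suppliers the finance team is allowed to pay: domain -> name.
KNOWN_PARTNERS = {"acme-parts.example": "Acme Parts"}

# Wording typical of a payment-redirection request.
PAYMENT_WORDS = re.compile(
    r"\b(wire transfer|bank (account|details)|urgent|new account|payment)\b", re.I)

# Constructed sample 1: a fake supplier asks for a payment to a new account.
SAMPLE_EMAIL = """\
From: "Acme Parts - Accounts Receivable" <billing@acme-parts-invoices.example>
Reply-To: ar.acmeparts@webmail.example
To: treasury@victim.example
Subject: URGENT: updated bank details for invoice 4471
Date: Mon, 30 Jan 2023 09:12:00 -0300
Message-ID: <constructed-001@acme-parts-invoices.example>
Authentication-Results: mx.victim.example; spf=fail smtp.mailfrom=acme-parts-invoices.example; dkim=none; dmarc=fail header.from=acme-parts-invoices.example
Content-Type: text/plain; charset="utf-8"

Hello,

Our bank has changed. Please send the wire transfer for invoice 4471 today
to the new account below; the director has already approved it.
"""

# Constructed sample 2: a routine message from the real supplier.
CLEAN_EMAIL = """\
From: "Acme Parts" <billing@acme-parts.example>
To: treasury@victim.example
Subject: January statement
Date: Mon, 30 Jan 2023 10:05:00 -0300
Message-ID: <constructed-002@acme-parts.example>
Authentication-Results: mx.victim.example; spf=pass smtp.mailfrom=acme-parts.example; dkim=pass header.d=acme-parts.example; dmarc=pass header.from=acme-parts.example
Content-Type: text/plain; charset="utf-8"

Attached is the statement for January. No action is needed.
"""


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if absent."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def auth_results(msg) -> dict:
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers.
    Only the header stamped by your own receiving MX is trustworthy."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for mech, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I):
            results[mech.lower()] = verdict.lower()
    return results


def triage(raw: str) -> dict:
    """Parse one raw message and return the BEC signals found in it."""
    msg = message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = domain_of(reply_addr)
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part is not None else ""

    findings = []
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    auth = auth_results(msg)
    failed = [m for m in ("spf", "dkim", "dmarc") if auth.get(m) != "pass"]
    if failed:
        findings.append("authentication not passed: " + ", ".join(failed))
    for partner_domain, partner_name in KNOWN_PARTNERS.items():
        if partner_name.lower() in display.lower() and from_domain != partner_domain:
            findings.append(f"display name claims {partner_name!r} but address domain is {from_domain}")
    if from_domain not in KNOWN_PARTNERS:
        findings.append(f"sender domain {from_domain} is not an approved partner")
    payment = bool(PAYMENT_WORDS.search(msg.get("Subject", "") + "\n" + body))
    if payment:
        findings.append("message requests a payment or a bank-detail change")

    # A payment request plus any other signal is held for out-of-band checking.
    return {"from_domain": from_domain, "reply_domain": reply_domain, "auth": auth,
            "findings": findings, "hold_for_verification": payment and len(findings) > 1}


if __name__ == "__main__":
    for name, raw in (("suspicious", SAMPLE_EMAIL), ("clean", CLEAN_EMAIL)):
        report = triage(raw)
        print(f"[{name}] hold={report['hold_for_verification']}")
        for finding in report["findings"]:
            print("  -", finding)
```

The verdict is deliberately "hold for verification" rather than "fraud": the control that actually stops a BEC payment is a phone call to the supplier on a number already on file, not a filter. Note also that an Authentication-Results header is only meaningful when it was added by your own mail server; attackers can include a forged one, so the MX should strip inbound copies before adding its own.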

But what can be done to avoid falling for phishing scams?

The main step in protecting yourself is to stay informed and to scrutinise every notification you receive. It also pays to invest in awareness training, or in teams that can give employees greater security.

To help you, see the list of best practices below:

  • Beware of sensationalist texts and offers that are too good to be true;
  • Be suspicious of WhatsApp coupons and links to unfamiliar websites;
  • Avoid filling in forms or sending information in response to unsolicited messages;
  • Invest in protecting credentials and passwords;
  • Use two-factor authentication;
  • Use security and antivirus software;
  • Train staff and raise awareness.

Conclusion

Finally, we know that this problem is far from over, especially as the internet and new technologies keep advancing. Simple as they are, these attacks can seriously harm a company's development and cause financial losses, and working on information security awareness is the best way to prevent them.

— Otavio Lima is a Cyber Security Consultant | RED TEAM at SAFEWAY

How can we help?

SAFEWAY is an Information Security consulting company recognized by its clients for offering high value-added solutions through projects that fully meet the needs of the business. In 14 years of experience we have accumulated many successful projects, which have earned us credibility and prominence with our clients, most of whom are among the 100 largest companies in Brazil.

Today, through 25 strategic partnerships with global manufacturers and our own SOC, SAFEWAY is considered a one-stop shop with the best solutions in technology, processes and people. We have both the technical skills and the experience needed to help your company structure controls and prepare its environment for the implementation of an ISMS (ISO 27001), a service management system (SGS, ISO 20000) or a business continuity management system (SGCN, ISO 22301), and consequently for the certification of operations, services or companies against those standards.

To support companies in assessing and adapting to the requirements of the LGPD, SAFEWAY offers the Cybersecurity Health Check, whose objective is to diagnose the Cybersecurity, Information Security and Data Privacy measures implemented in your company across the pillars of Processes, People and Technology.

Through the Cybersecurity Health Check, the information security and privacy risks of internal processes and activities are identified, existing controls are evaluated and new controls are proposed in proportion to the size of your organization, raising its level of maturity and compliance in line with good information security practice. If you would like more information, contact one of our experts!