Monday, 17 February 2020 | Redacción CEU
Have you ever heard of "social engineering"? Behind this bombastic name lies what, in the field of cybersecurity, is simply an attack based on abusing users’ good faith. Cybercriminals who resort to it sharpen their wits to deceive and manipulate their victims into clicking on links to fake websites, downloading files that infect their computers or revealing confidential information. This last goal is what "phishing" pursues: the theft of personal data such as bank account details or access credentials. That is why banking is one of the sectors most affected by this kind of fraud. What should you keep in mind to avoid falling into the trap of this kind of phishing?
Phishing is one of the most common attacks in the world of cybercrime. When we talk about these attacks, we refer to a type of scam that deceives by means of a bait. Conventionally, the hook takes the form of a message sent by email, but it can also hide behind other "disguises" on social networking sites, in phone calls or in text messages. Users fall into the trap because these communications look really convincing.
Another form of phishing affects the websites of innocent users. Cybercriminals find security flaws on websites and exploit them to impersonate other websites and send deceitful messages that work as bait (the kind of phishing attacks that we mentioned above). The owners of these websites, as well as the companies that are copied and impersonated, become collateral victims of these attacks. Suffering an attack like this may seriously damage their reputation and might also lead to a considerable loss of sales.
What do the attacks that impersonate banks look like?
In phishing attacks that target banks’ customers, the victims receive a message asking them to take some kind of action related to their banking or personal data. Frequently, these are emails that impersonate their bank and ask them to urgently update data such as the password for their online banking. The messages usually contain a link to a website that they must visit to perform the operation. When they click on it, they reach a website that looks similar to their bank’s, which leads them to trust it.
To push users into reacting impulsively, the messages urge them to carry out the operation immediately, under the threat of deactivating their accounts if they do not. The victims of this deception enter their data on the website without noticing that they are handing it directly to the scammers.
One of the most recent banks to be impersonated was BBVA. However, it is not the only one. Last year, the Spanish User Security Observatory also detected fraudulent campaigns that used entities such as Bankia, Caja Rural and ING as bait. In 2019, cybercriminals also impersonated companies such as Endesa, Netflix, PayPal and Correos.
These attacks are more frequent than they may seem at first. According to a report by Kaspersky Lab, one out of five phishing attacks is aimed at banks (21.7%). This figure does not say much by itself, but it is very significant if we consider that Spain is one of the top-ten countries with the most users affected by phishing attacks. It is also noteworthy that cybercriminals’ interest in the financial sector is growing. They are focusing on goals such as investment applications and payment access to banking infrastructures, and are also working on the design of ransomware attacks on banks and the development of mobile banking trojans.