Phishing

There are many types of phishing.

How many times have we received an e-mail or text message like this: “Congratulations, you have won the new iPhone, click here to find out how to collect it”, inviting us to click on a link? It is also common to receive e-mails apparently from one’s bank which, citing registration or other problems, invite us to provide our access credentials or change the PIN of our card.

These are genuine scams, known as phishing, carried out through particular methods and aimed at specific targets. Phishing is the activity of a malicious user (the phisher) who, through technological means and social engineering techniques, attempts to deceive a target user in order to steal data and information, obtain unjustified payments, and/or install viruses and malware.

Defending against this type of scam requires knowing and recognising the different types of phishing, as well as equipping oneself with appropriate prevention tools and being aware of the remedies available.


The different types of phishing

The existing types of phishing are many. The main means used by the phisher are the following:

E-mail
  This is the most common phishing tool. Obtaining the recipient’s e-mail address is, in fact, quite easy (think of how often each of us uses it to register on websites and applications). The message is accompanied by a link or by malicious attachments.

SMS
  In this case it is called smishing (SMS phishing). This is an increasingly frequent type of phishing, given everyone’s constant use of, and familiarity with, their phone. The message is accompanied by a link.

Website
  A tool often used in combination with others (the site is reached through a link in an e-mail or text message), but there are also websites set up on specially registered domains to confuse web users directly. A form for entering credentials is usually present, and directions and tools for making payments are often included. The site may contain malware and self-executing code.

Phone calls
  The call allows the malicious user to simulate the existence of a call centre and steal personal or other confidential information.

QR code
  A tool that has spread rapidly in recent years and, for this reason, is increasingly used by malicious users. The nature of the QR code gives the phisher several advantages: there is no way to know where you will end up before you scan the code with your smartphone. Typically, fake QR codes are placed in parking areas, inviting the user to scan the code and pay for parking through a specially created (fake) site.

Moreover, one must consider the different techniques used by the phisher to deceive the recipient. Each technique involves different strategies and methods that increase or decrease the risk of being deceived.

Spear phishing
  Mode: The phisher pretends to be an entity known to the recipient. The attack is direct and designed for a single recipient or a specific group of recipients. Spear phishing is also referred to as “whaling” when the recipients are high- or very-high-profile individuals with a high degree of access or resources. This technique is usually used in e-mail phishing. The malicious user:
  • uses e-mail addresses very similar to those of the (fake) sender;
  • uses logos, images and branding similar (if not identical) to those of the fake sender;
  • uses language and tone similar to those of the fake sender;
  • cites technical, registration or other problems to justify the e-mail.
  Examples: The phisher usually pretends to be:
  • the bank where the recipient has an account;
  • an institution or entity with which the recipient has a relationship;
  • a colleague;
  • an employee or superior;
  • a family member or friend.
  Typically, the phisher’s message is justified by a technical or registration problem: for example, the bank requires you to enter your credentials or provide your credit card PIN.
  Risk: High

Clone phishing
  Mode: The malicious user creates a nearly identical copy of a legitimate message already received by the recipient and sends it again, adding malicious elements. The attack is specific to a single recipient. The malicious user:
  • uses e-mail addresses very similar to those of the (fake) sender;
  • leaves the body and text of the e-mail (substantially) unchanged, including logos and images;
  • modifies elements of the e-mail in a way that is not immediately noticeable, making them malicious.
  Examples: Typically, the phisher replaces links and attachments, claiming that they are an updated version, and thereby hides malicious tools. Alternatively, the phisher may insert himself into an established relationship (e.g., between a superior and an employee who regularly exchange payment orders) by supplying different bank details.
  Risk: High / Very high

Routine activity phishing
  Mode: The phisher asks the recipient to perform an activity (typically a payment) that the recipient is used to performing. The phisher does not necessarily know the recipients. This technique can exploit different means and combines additional techniques. The phisher:
  • pretends to be a party that appears routinely in the recipient’s life, or one the recipient has no reason to find suspicious;
  • uses credible names, logos, images and trademarks.
  Examples: One example is paying for parking via a QR code that leads to a fictitious site. Alternatively, the phisher may pose as an institutional entity (e.g., a message from the (fake) Ministry of Health announcing the suspension of the recipient’s “green pass”) or as a provider of recurring services asking for confirmations and payments.
  Risk: Medium / High

Prize & package phishing
  Mode: The malicious user informs the recipient that they are entitled to receive something. The attack is general and impersonal; typically the phisher does not know the recipients. The malicious user:
  • uses banners or notices on websites that attract the recipient’s attention;
  • requires the recipient to take a specific action to gain an advantage;
  • cites problems that justify the action to be taken;
  • promises promotions and offers.
  Examples: Very frequently, the phisher sends e-mails informing the recipient that they have won a prize that they can collect, after confirming their identity, by clicking on a specific link. Often, messages are sent from (fake) shippers stating that the recipient needs to pick up a package and must confirm via a specific link that they wish to proceed.
  Risk: Medium / Low

The last element of phishing is the phisher’s goal. The phisher may want to obtain certain information or induce certain behaviour in the recipient, and will set up the scam differently depending on what he wants to obtain.
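Two of the tell-tales in the techniques listed above can be checked mechanically by a mail filter or a cautious recipient: a sender domain that is very similar to the impersonated one (spear phishing), and a link whose visible text names one host while the href goes elsewhere (clone phishing). The following Python is an added example, not code from the original article; the trusted-domain allowlist, the homoglyph map and the sample message are constructed.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains the organisation really corresponds with (constructed allowlist).
TRUSTED_DOMAINS = {"examplebank.com", "example-shipping.com"}
# Digits a phisher commonly substitutes for visually similar letters.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

def levenshtein(a: str, b: str) -> int:
    # Standard dynamic-programming edit distance.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_domain(sender: str, max_distance: int = 2):
    # Return the trusted domain a From address imitates; None if the domain is
    # trusted (or a subdomain of one) or resembles none of them.
    domain = parseaddr(sender)[1].rsplit("@", 1)[-1].lower()
    if domain in TRUSTED_DOMAINS or any(domain.endswith("." + t) for t in TRUSTED_DOMAINS):
        return None
    folded = domain.translate(HOMOGLYPHS)  # examp1ebank.com -> examplebank.com
    for trusted in TRUSTED_DOMAINS:
        # Brand name buried inside a longer domain, or a few edits away from it.
        if trusted in domain or levenshtein(folded, trusted) <= max_distance:
            return trusted
    return None

ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def mismatched_links(html: str) -> list:
    # Pairs (visible text, real host) where the link text names one host but the href goes elsewhere.
    findings = []
    for href, text in ANCHOR_RE.findall(html):
        shown = re.sub(r"<[^>]+>", "", text).strip()
        shown_host = urlparse(shown if "://" in shown else "http://" + shown).hostname or ""
        real_host = urlparse(href).hostname or ""
        if "." in shown_host and shown_host.removeprefix("www.") != real_host.removeprefix("www."):
            findings.append((shown, real_host))
    return findings

# Constructed sample: a "registration problem" mail from a digit-swapped bank domain.
SAMPLE_FROM = "Security Team <alerts@examp1ebank.com>"
SAMPLE_HTML = '<p>Confirm your credentials:</p> <a href="https://examp1ebank.com/login">www.examplebank.com/login</a>'

if __name__ == "__main__":
    print(lookalike_domain(SAMPLE_FROM), mismatched_links(SAMPLE_HTML))
```

Both checks produce indicators, not verdicts: a legitimate newsletter sent from a vendor's mailing domain will also fail the allowlist, so the result belongs in a triage queue rather than an automatic block.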