The volume of phishing attacks targeting individuals and businesses in Brazil remains very high: 1 in 5 Brazilian users is susceptible to phishing. Brazil ranks 3rd among the countries most targeted by phishing scams.
A report published by Cisco in 2019 indicated that 38% of respondents had experienced problems with phishing in the past year.
A story about phishing
A regular Facebook user sees an ad in their feed for a 58″ Samsung 4K TV for R$ 999.00. An unbeatable price. Americanas clearance sale. They don't even consider checking if the ad is actually from Americanas, because the colors, the logo, the text—they already know Americanas. And the ad is running on Facebook. Therefore, there's no time to lose; at that price, it will soon be out of stock. Besides a 58-inch TV, they'll also have the satisfaction of having made an excellent deal. An unmissable opportunity. This entire analysis takes less than 5 seconds.
The user clicks on the ad and is now on the Americanas website. Again, they don't think to check whether the site actually belongs to Americanas, because the colors, logo, everything is exactly as they already know it. The address of this site is https://www37.sucessodevendason*.com/tkn3025574/smart-tv-led-58-samsung-58mu6120-ultra-hd-4k[…] but this goes unnoticed. Maybe they saw the HTTPS padlock and felt secure. Blindly imagining this TV in their home, they complete the purchase, enter the delivery address – the anxiety is already starting to kick in – and generate the payment slip. The payment slip shows the beneficiary as “Americanas.com – B2W Companhia Digital”. Great. Then they open their bank app, pay the slip, and now the worry arises: how to control the anxiety until the doorbell rings with the wonderful package at their door.
Well, that time will never come.
This user fell victim to a phishing scam
Unfortunately, they didn't pay attention to certain aspects:
- The promotion's price is far out of line with the market. They could have searched on Google and on sites like Zoom.com.br to find the reasonable price range for that product.
- The website address that opened when they clicked on the ad. The domain shown in the browser's address bar had nothing to do with Americanas.com. This is a strong indication of fraud.
- The name of the beneficiary of the payment slip displayed by the bank's system before completing the payment. Before the payment is finalized, the bank shows the actual beneficiary of the registered payment slip, and it certainly wasn't Americanas or B2W (the e-commerce group that Americanas is part of).
- Phishing protection technology. A security filter against phishing websites acts as real-time protection against this type of internet threat. If there had been a phishing protection mechanism on the computer, mobile phone, or even the entire network, access to the fraudulent website would likely have been blocked – despite the user's inattention at the moment they fell for the scam.
What is Phishing?
Phishing is a type of cybercrime that involves deceiving internet users through fake messages and websites to steal confidential information such as passwords and credit card details, and in some cases inducing them to pay fraudulent bills.
The most common type of phishing begins with an email containing falsified content, impersonating a well-known company and inducing the user to click on links that lead to a fake website where the scam is completed. In many cases, SMS messages are also used. Currently, there are even more elaborate campaigns that, instead of spam emails or SMS, deliver the "bait" to users through paid advertisements on social networks. The goal is always to deceive the user, using social engineering and impersonating another person or company, so that the user improperly provides confidential data or sends payments.
Jesse Burns, Technical Director of Security at Google Cloud, stated in an October 2019 article for Forbes that no one can consistently recognize whether a web address (URL) is safe to click. Even security experts cannot distinguish fake pages with complete confidence. A little fatigue or stress is all it takes for anyone to become a victim. According to him, protection against phishing requires the use of technology, as simply training people is not enough.
The term phishing is an adaptation of the English word fishing.
Examples of fraudulent ads on Facebook
Step-by-step account of falling for a scam and buying a smartphone
- A fraudulent advertisement posted on Facebook offered a smartphone at a price far below the normal price.
- After clicking on the ad, the user is redirected to a fake e-commerce website that perfectly mimics the Americanas website. Note that the website address is different.
- By clicking on "Buy," the product is displayed in the e-commerce shopping cart.
- As the purchase process continues, the fraudulent website requests the user's registration information.
- The website prompts the user to choose a payment method. In this example, a bank slip was selected.
- After generating the payment slip, the fake website displays a purchase confirmation, mimicking the functionality of the real website.
- This is a fraudulent payment slip that was generated on a phishing website. Note that the beneficiary field shows "Americanas.com – B2W Companhia Digital" to deceive the user.
How to avoid phishing scams?
Protection against phishing relies on two main elements: user vigilance in detecting signs of fraud; and phishing protection technology.
Internet users have a responsibility to protect their personal data as well as company data and information. It is the company manager's responsibility to educate employees on best practices for information security, as well as to implement technological resources to protect the network.
Pay attention to what the message or advertisement is offering or requesting
Be wary of emails, SMS messages, or advertisements offering products at prices far below normal. If in doubt, research the normal price of products on Google or on websites like Zoom.com.br. Don't believe offers sent with incredibly low prices. Similarly, don't believe emails that ask you to reply with your webmail or bank username and password – for a supposed update needed to keep the account active – this is fraud. Messages supposedly sent by the Federal Revenue Service informing about irregularities in your CPF (Brazilian taxpayer ID) are also fraudulent. Be suspicious of emails supposedly sent by your bank with a link to update your internet banking module. Don't believe emails with quotes, invoices, or service orders that you never requested. And pay attention to the text of the message; it's very common for phishing messages to contain spelling errors.
Pay attention to the sender and the links contained in the messages
Pay close attention to the sender's email address and also the destination addresses of the links contained in the message. If they are strange, such as “https://serwer1982897.home*.pl/pNPjj/[…]” in an email supposedly sent by Americanas, be immediately suspicious.
Pay attention to the website address
If you clicked on a link or ad and were directed to a website containing a product to buy, a file to download, or a form requesting data, pay close attention to the address that appears in your browser's address bar. The tip about checking whether the site has the HTTPS padlock (encryption) is no longer sufficient, as newer phishing sites also use HTTPS. What matters is checking that the website address is correct. If in doubt, go to Google and search for the name of the company you want to access. For example, the Americanas website has the address https://www.americanas.com.br, and it would not be acceptable to use a supposed Americanas website at addresses such as https://www242.ofertaexclusivadodia-liquida*.com, https://www217.vai-rolar-festa-confira-as-novidades*.com, https://geladeirapromocao*.com or https://www212.apostoqueaquitemoquevocequer*.com (* added to invalidate harmful links here in the article).
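The address check described in the last two sections (the link in the message and the address bar of the site that opens) can be expressed as a small script. This is an added example, not code from the article or from Lumiun: it extracts the host from each URL, asks whether that host is the trusted domain or a subdomain of it, and treats the HTTPS padlock as irrelevant to the verdict. The trusted domain is the real Americanas address the article gives; the sample links are the ones quoted in the article (the `*` is the article's own defanging) plus two constructed lookalikes, and the `.test` domain and the function names are my own.

```python
from urllib.parse import urlsplit

# The site the user actually intends to reach. The article gives the real
# Americanas address as https://www.americanas.com.br, so its domain goes here.
TRUSTED_DOMAINS = {"americanas.com.br"}


def hostname_of(url: str) -> str:
    """Return the lowercase host part of a URL, or '' if the URL has none."""
    parts = urlsplit(url.strip())
    return (parts.hostname or "").lower().rstrip(".")


def is_trusted_host(host: str, trusted=TRUSTED_DOMAINS) -> bool:
    """True only if host IS a trusted domain or a subdomain of one.

    The leading dot in the suffix test is the important detail: a lookalike
    such as 'americanas.com.br.attacker.example' ends with 'attacker.example',
    not with '.americanas.com.br', so it is rejected.
    """
    return any(host == d or host.endswith("." + d) for d in trusted)


def check_link(url: str, trusted=TRUSTED_DOMAINS) -> dict:
    """Classify one link the way the article tells the reader to: by host."""
    host = hostname_of(url)
    trusted_host = is_trusted_host(host, trusted)
    return {
        "host": host,
        "https": url.lower().startswith("https://"),
        "trusted_host": trusted_host,
        # The padlock proves nothing: HTTPS plus the wrong host is still phishing.
        "suspicious": not trusted_host,
    }


# Links quoted in the article plus two constructed cases (marked below).
SAMPLE_LINKS = [
    "https://www.americanas.com.br",
    "https://www37.sucessodevendason*.com/tkn3025574/smart-tv-led-58-samsung",
    "https://serwer1982897.home*.pl/pNPjj/",
    "https://www242.ofertaexclusivadodia-liquida*.com",
    "https://americanas.com.br.promo-lookalike.test/",  # constructed lookalike
    "http://www.americanas.com.br/produto",            # constructed: real host, no HTTPS
]


def report(links=SAMPLE_LINKS) -> dict:
    """Map each sample link to its verdict."""
    return {u: check_link(u) for u in links}


if __name__ == "__main__":
    for url, v in report().items():
        flag = "SUSPICIOUS" if v["suspicious"] else "ok"
        print(f"{flag:10} https={v['https']!s:5} host={v['host']}  {url}")
```

The last sample shows the other side of the padlock rule: a real Americanas host over plain HTTP is not flagged by this check, because the host, not the scheme, is what identifies the site.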
Technology for security and protection against phishing
It's important to use antivirus software on your computer. For businesses, it's increasingly relevant to also use systems like firewalls and internet access control applied across the entire company network, regardless of the devices connected to the internal network. This measure adds a complementary layer of security, reducing the risk of leaks and loss of company information and customer and employee data, and preventing major disruptions and financial losses. Through an internet access control solution, it's also possible to define which categories of websites each user can access, avoiding wasted time browsing outside the scope of work and accessing websites with harmful content. Using this tool, the manager protects the network against websites used in phishing attacks, malware propagation, and ransomware.
In the video below, we demonstrate how a phishing email, impersonating the PagSeguro payment service, works in order to steal the victim's login data. First, we show access to the phishing site without protection. Then, we show an attempt to access the phishing site with Lumiun active on the company's network.
In this way, the video presents a comparison of the effectiveness of a phishing attack on an unprotected network and another with security and protection technology.
If you have any additional tips about phishing or would like to clarify any doubts, leave your comment here in the article or write to me directly at alex@lumiun.com.