Picture this: It is a normal day and your phone pings with a notification – a suspicious text or email from an address you have never come across previously. What does it say? Probably something along the lines of a colossal lottery that you have won through a lucky draw (which you never registered for), or a bank payment that is so long overdue that any minute, officials will be at your doorstep. Despite the diversity of content in such texts and emails, there is probably one similarity binding them: a request for personal details – from address to credit card numbers.
Right now, you are probably not picturing this scene but remembering an eerily similar incident that happened to you or to someone you know. A colleague from the ASPIRE team recently fell victim to this unfortunate situation. Despite her vigilance, the scammers managed to exploit her when her guard was momentarily lowered. She lost a significant amount, 10,000 AED, from her card, and despite numerous attempts, including calls and emails to the banks and a cyber-crime report, she was unable to recover the funds. This is one of the most common online scams to prevail in society: phishing.
Originating during the 1990s, phishing is an online scam that targets internet users for money and personal information. From sketchy chains of text to elaborately crafted emails, there is a wide spectrum of formats a scammer can utilize to target people, with the most common phishing scams being fake email alerts, links to dodgy websites, spoof bank emails, etc.
Who is vulnerable to this? Anybody with an internet connection and a bank account. Who is capable of carrying out a phishing scam? Anybody with an internet connection, bank account and some knowledge of the internet and hacking.
How it began
1983 is said to be the year the Internet was invented, and it did not take long for the practice of phishing to overtake computers. Believed to have begun in 1995, phishing scams began targeting AOL (America Online) users – millions of them. Initially, hackers and traders of pirated software used the Internet service provider to communicate and illegally release digital media files. The network became so notorious that it was named ‘The Scene’ or the Warez community.
Eventually, the group shifted gear and began conducting phishing attacks. Early phishing scams revolved around phishers stealing passwords of multiple users and utilizing algorithms to generate randomized credit card numbers. While this was more of a miss-than-hit system, they would strike gold once in a while, obtaining access to AOL accounts and allowing them to spam a wider network of users. Although this was nipped in the bud by AOL in 1995, phishing scams continued to evolve and the population of scammers continued expanding exponentially.
This led to what we know as modern-day phishing: sending messages to users under the guise of AOL agents and requesting sensitive information. More often than not, people fell prey to the scams, as nothing of this sort had ever been witnessed before. The number of scams proliferated to such an extent that the organization began displaying warnings on emails and instant messaging platforms, asking users not to disclose such information.
The incredible variety
Surprisingly, there is no singular method of carrying out a phishing attack – there are multiple avenues phishers utilize. Some of the most common avenues are often so simple, yet highly effective in squeezing important information and money from victims.
Deceptive Phishing: The most common form of phishing and vastly similar to the AOL scams. Users receive emails from legitimate-looking senders (individuals or organizations) and are robbed of personal data or login credentials.
Spear Phishing: Consider this a more sophisticated and singular form of deceptive phishing. Here, phishers target a single person and customize their attack emails with highly specific information about their target to seem legitimate. All it takes is a single click on a malicious link.
Vishing: Instead of emails, vishing occurs over the phone. Scammers will impersonate an entity known to their target and attempt to extract personal details. Think of the YouTube videos wherein techies interact with scammers over calls to expose them. The scammers are probably carrying out a vishing attack.
Smishing: No platform is phishing-free. Smishing involves the dispatch of malicious messages that encourage targets to click on a link, thereby giving scammers full access to one’s phone.
While this list merely scratches the surface, it all pertains to the digital literacy level of each Internet user. But today, even the most Internet-savvy person may be at risk of being phished, as these attacks are not only growing but becoming eerily sophisticated by the day.
A 2022 Verizon Data Breach Investigations Report stated that throughout the year, 75% of social engineering attacks in North America involved phishing, with over 33 million accounts targeted. An ongoing study by IT support services organization AAG noted that as of July 2023, approximately 3.4 billion spam emails are dispatched per day. Despite the staggering statistics, the bulk of such emails are sent from several countries infamous for Internet scams, including Ghana, Nigeria, India, Russia, the Philippines and the US.
And as newer platforms emerge, phishers receive newer avenues and a wider range of users to target. News website ZDNET took a deep dive into the sophistication of phishing attacks – wherein phishers have integrated methods such as trust-building, remote access control and personalizing their interactions with victims, along with the age-old malicious links and spam content. With AI and chatbots achieving an uncanny resemblance to human speech, scammers have additional arsenal for their attacks.
With remote access control (RAC), there has been a rise in calls from “tech support representatives”, who often target people in the Gen Z and millennial age brackets. Posing as agents of a bank, service provider or other organization the target is familiar with, scammers request RAC of the target’s device to ‘help’ them with a task – be it checking their bank account or logging into a portal. If given access, scammers may steal information, install malware or even hold someone’s data for ransom.
ZDNET also revealed how scammers are becoming more patient with big-ticket targets, dedicating time to cultivating a legitimate-looking online personality and forging trust with their target. A common example of this is dating apps, where victims are catfished and duped for money. It does not help that scammers are becoming increasingly tech-savvy and crafting deceptively realistic online personas.
Such scams often involve social engineering: the psychological manipulation of people into revealing confidential information. Be it providing information to claim a time-bound cash prize or helping an online friend who urgently requires money – the manipulation of victims is key to carrying out a successful phishing attack.
So, if it is exceedingly simple for a phisher to con people through multiple avenues, how are you supposed to remain unscathed by spam emails and calls?
The Role of the Government
The government of Dubai has taken a number of measures to combat phishing, including:
Enacting a cybercrime law: The Federal Decree-Law No. 5 of 2012 on Combatting Cybercrimes (as amended) criminalizes a wide range of cybercrimes, including phishing. The law provides for stiff penalties for offenders, including imprisonment and fines.
Establishing a cybercrime unit: The Dubai Police has established a cybercrime unit to investigate and prosecute cybercrimes, including phishing. The unit has a team of experienced cybercrime investigators who are well-versed in the latest phishing techniques.
Raising public awareness: The Dubai government has launched a number of public awareness campaigns to educate residents about phishing and how to protect themselves from it. These campaigns have been conducted through a variety of channels, including print, radio, television, and social media.
Working with banks and other financial institutions: The Dubai government has worked with banks and other financial institutions to implement security measures to protect their customers from phishing attacks. These measures include using two-factor authentication and educating staff about phishing.
Stay Off the Hook
Besides the governing bodies, several tech and IT companies globally have joined forces to educate Internet users on phishing and similar scams and, more importantly, on how to stay off the treacherous hooks of scammers. Many websites have dedicated entire web pages to updated information about online scams and tips to keep in mind each time you log onto a device. Some of the most common yet effective methods are listed below.
Think Before the Click: Scammers go to great lengths to craft legitimate websites for their targets. However, if you receive an email requesting a click, think twice. Visit the real website of the organization, check the URL and hover over the link before clicking.
Urgent Messages: More often than not, urgent messages from both known and unknown senders may confuse users. Be it an overdue payment, a shipping issue or an account confirmation – scammers are likely to send emails or text messages to targets. Rather than clicking on the links, call the authorised organization hotline to remain safe.
Grammar Check: Although AI has made things easier for scammers, many of their emails and text messages will be riddled with grammatical, sentence structure and spelling errors. This is probably the most quickfire way of identifying whether a message is from a reputable source, or not.
Firewalls and Anti-Phishing Software: A boon to Internet users, firewalls and anti-phishing software provide a much-required shield from phishers. While anti-phishing software and toolbars will alert you upon visiting a malicious site, firewalls can be installed on your desktop and tremendously reduce the odds of phishers and hackers infiltrating your computer or network.
Personal Information: Now this might be slightly tricky territory, considering that our personal information is often put up for the world to access, from our home address and phone number to email address and bank details. However, it is always wise to avoid sharing sensitive financial information online. When in doubt, always contact the authorised personnel of an organization.
Update Yourself!: No, do not pore through websites and attempt to absorb every single detail about phishing. An eye on the news and several trusted sources will be all the knowledge you need to arm yourself against future phishers.
Although the Internet is brimming with unscrupulous phishers, a little bit of common sense and knowledge will help you run a tight ship.
Stay vigilant and stay safe!