How to protect yourself and avoid phishing attacks

Phishing: how to protect yourself and not fall for the scam

The volume of phishing attacks targeting people and companies in Brazil remains very high: out of every 5 Brazilian users, 1 is susceptible to phishing. Brazil is in 3rd place in the ranking of countries most attacked by phishing scams.

Map of countries most attacked by phishing scams in the second quarter of 2019

A report published by Cisco in 2019 found that 38% of respondents had faced problems with phishing in the previous year.

A phishing story

A regular Facebook user sees an ad in their feed for a 58″ Samsung 4K TV for R$999.00. An unmissable price, an Americanas sale. He doesn't even stop to consider whether the ad really comes from Americanas: the colors, the logo and the wording are the ones he already knows from Americanas, and the ad is running on Facebook. So there is no time to waste; at this price the stock will soon be gone. Besides a 58-inch TV, he will have the satisfaction of having made an excellent deal. An unmissable opportunity. This entire analysis takes less than 5 seconds.

Example of Americanas phishing ad on Facebook - Samsung 4K TV 58

The user clicks on the ad and is now on the Americanas website. Again, he doesn't think to check whether the website really is Americanas, because the colors, the logo, everything is exactly as he already knows it. The address of this website is https://www37.sucessodevendason*.com/tkn3025574/smart-tv-led-58-samsung-58mu6120-ultra-hd-4k[…], but that goes unnoticed. Maybe he saw the HTTPS padlock and felt safe. Blinded by the image of that TV in his living room, he completes the purchase, enters the delivery address (the anxiety is already kicking in) and generates the boleto (bank payment slip). The boleto names the beneficiary as “Americanas.com – B2W Companhia Digital”. Great. So he opens the bank app, pays the boleto, and now the only worry is how to control his anxiety until the doorbell rings and the wonderful package is at his door.

Well, that time will not come.

This user fell for a phishing scam.

Unfortunately, he didn't pay attention to some warning signs:

  • A promotion with a very unusual price. He could have searched on Google and on price-comparison sites like Zoom.com.br to find the reasonable price range for that product.
  • The address of the website that opened when he clicked on the ad. The domain shown in the browser's address bar had nothing to do with Americanas.com. This is a strong sign of fraud.
  • The name of the boleto beneficiary displayed by the bank's system before the payment is completed. Before processing the payment, the bank shows the real beneficiary of the registered boleto, and it was certainly not Americanas or B2W (the e-commerce group to which Americanas belongs).
  • Phishing protection technology. A security filter against phishing sites works as real-time protection against this type of internet threat. If a phishing protection mechanism had been in place on the computer, on the cell phone or on the entire network, access to the fraudulent website would probably have been blocked, despite the user's inattention in falling for the scam.

What is Phishing

Phishing is a type of cybercrime that consists of deceiving internet users, through falsified messages and websites, in order to steal confidential information such as passwords and credit card data and, in some cases, to induce the payment of fraudulent boletos.

The most common form of phishing begins with an email with counterfeit content, pretending to come from a well-known company and inducing the user to click on links that lead to the fake website where the scam is completed. In many cases SMS messages are used as well. Today there are even more elaborate campaigns that, instead of spam email or SMS, deliver the “bait” to users through paid advertisements on social networks. The objective is always the same: to deceive the user through social engineering, by impersonating another person or another company, so that the user improperly hands over confidential data or sends payments.

Jesse Burns, Technical Director of Security at Google Cloud, stated in an October 2019 article for the Forbes website that no one can recognize with complete consistency whether a web address (URL) is safe to click on. Even security experts cannot tell fake pages apart with complete confidence; a little tiredness or stress is all it takes for anyone to become a victim. According to him, protection against phishing requires the use of technology, since training people is not enough on its own.

The term phishing is an adaptation of the English word fishing: the scammer casts bait and waits for a victim to bite.

Examples of Scam Facebook Ads

  • Example of Americanas phishing ad on Facebook - Samsung Galaxy S9
  • Example of Americanas phishing ad on Facebook - Samsung air conditioner
  • Example of Americanas phishing ad on Facebook - Electrolux air conditioner
  • Example of Americanas phishing ad on Facebook - Electrolux refrigerator

Step by step, falling for the scam and buying a smartphone

  1. Fraudulent advertisement published on Facebook, offering a smartphone at a much lower price than normal.
    Example of Americanas phishing ad on Facebook - Samsung Galaxy J8
  2. After clicking on the ad, the user is directed to a “fake” e-commerce site that perfectly imitates the Americanas website. Note that the website address is different.
    Phishing website - product page
  3. Clicking on Buy displays the product already in the e-commerce shopping cart.
    Shopping cart on counterfeit website
  4. Proceeding with the purchase, the fraudulent website requests the user's registration data.
    Registration data on the fake website
  5. The website asks the user to choose a payment method. In this example, boleto was selected.
    Selecting the payment method on the fake website
  6. After the boleto is generated, the fake website displays a purchase confirmation, simulating the behaviour of the real website.
    Phishing site - purchase confirmation
  7. Fraudulent boleto generated on the phishing website. Note that the beneficiary field says “Americanas.com – B2W Companhia Digital” to deceive the user.
    Fraudulent boleto

How to avoid Phishing scams?

Phishing protection is based on two main elements: the user's attention in spotting the signs of fraud, and phishing protection technology.

Internet users are responsible for keeping their personal data, and their company's data and information, protected. The company manager is responsible for educating employees on good information security practices, and for ensuring that technological resources to protect the network are put in place.

Pay attention to what the message or advertisement is offering or requesting

Be wary of emails, SMS messages or advertisements offering products at prices far below normal. If in doubt, look up the normal price of the product on Google or on sites like Zoom.com.br, and don't believe offers at an incredibly low price. Likewise, do not believe emails asking you to reply with your webmail or bank username and password – for a supposed update needed to keep the account active – this is fraud. Messages supposedly sent by the Federal Revenue Service (Receita Federal) reporting irregularities in your CPF are also fraudulent. Be wary of emails supposedly sent by your bank with a link to update the internet banking module. Don't trust emails with quotes, invoices or work orders that you never requested. And pay attention to the text of the message: it is very common for phishing messages to contain spelling errors.

Look carefully at the sender's email address and at the destination address of the links contained in the message. If they look strange, like “https://serwer1982897.home*.pl/pNPjj/[…]” in an email supposedly sent by Americanas, be suspicious immediately.

  • Example of Americanas phishing email
  • Example of Itaú phishing email

Pay attention to the website address

If you have clicked on a link or advertisement and been taken to a website with a product to buy, a file to download or a form requesting data, pay close attention to the address shown in the browser's address bar. The old tip of checking whether the site has the HTTPS padlock (encryption) is no longer enough, since new phishing sites also use HTTPS. What matters is whether the website address is correct. If in doubt, go to Google and search for the name of the company you want to access. For example, the Americanas website has the address https://www.americanas.com.br, and it would not be acceptable to use a supposed Americanas website at addresses such as https://www242.ofertaexclusivadodia-liquida*.com, https://www217.vai-rolar-festa-confira-as-novidades*.com, https://geladeirapromocao*.com or https://www212.apostoqueaquitemoquevocequer*.com (the * was inserted to invalidate the harmful links here in the article).
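The check described above, written out as an added example (this is illustrative code written for this article, not code from Lumiun or from the original post): the host in the address bar must be the brand's own domain or a subdomain of it, and the HTTPS scheme is treated as necessary but never sufficient. The sample links are constructed; the article's starred domains were replaced with the reserved `.invalid` top-level domain so that none of them resolve.

```python
from urllib.parse import urlsplit

# The legitimate domain named in the article; everything below it is constructed sample data.
EXPECTED_DOMAIN = "americanas.com.br"


def hostname_of(url):
    """Return the lowercased hostname of a URL, or None if none can be parsed."""
    try:
        host = urlsplit(url.strip()).hostname
    except ValueError:
        return None
    return host.rstrip(".") if host else None


def belongs_to(host, expected_domain):
    """True only if host is the expected domain itself or a subdomain of it.
    A brand name that merely appears inside the host (as a subdomain of an
    unrelated domain) or in the path does not count."""
    expected = expected_domain.lower()
    return host == expected or host.endswith("." + expected)


def check_url(url, expected_domain=EXPECTED_DOMAIN):
    """Classify a URL the way the article recommends: the host shown in the
    address bar must belong to the brand; the HTTPS padlock alone proves nothing."""
    host = hostname_of(url)
    if host is None:
        return "invalid", "no hostname could be parsed"
    if not belongs_to(host, expected_domain):
        return "suspicious", f"host {host!r} is not {expected_domain!r} or a subdomain of it"
    if urlsplit(url.strip()).scheme.lower() != "https":
        return "suspicious", "host matches but the page is not served over HTTPS"
    return "ok", f"host {host!r} belongs to {expected_domain!r}"


# Constructed sample links modelled on the article's examples (none of these resolve).
SAMPLE_LINKS = [
    "https://www.americanas.com.br/produto/123",
    "https://www37.sucessodevendason.invalid/tkn3025574/smart-tv-led-58-samsung",
    "https://americanas.com.br.ofertaexclusivadodia.invalid/smart-tv",   # brand as a subdomain
    "https://www242.ofertaexclusivadodia.invalid/americanas.com.br/tv",   # brand in the path
    "http://www.americanas.com.br/produto/123",                           # right host, no HTTPS
    "not a link at all",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        verdict, reason = check_url(link)
        print(f"{verdict:10} {link}\n           {reason}")
```

The suffix comparison is deliberately strict: `loja.americanas.com.br` passes, but `americanas.com.br.ofertaexclusivadodia.invalid` does not, because the registrable part of that host is the unrelated domain at the end. For a real deployment the expected domain list would come from the company's own catalogue of legitimate sites rather than a single constant.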

Technology for security and phishing protection

It is important to use antivirus on your computer. For companies, it is increasingly important to also use systems such as a firewall and internet access control applied across the company's entire network, regardless of which devices are connected to the internal network. This measure adds a complementary layer of security that reduces the risk of leakage and loss of company information and of customer and employee data, avoiding major inconvenience and financial losses. With an internet access control solution, it is also possible to define which categories of website each user may access, avoiding time wasted on browsing unrelated to work as well as access to addresses with harmful content. Using this tool, the manager protects the network against websites used in phishing attacks and against the spread of malware and ransomware.
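To make the category-based access control described above concrete, here is an added illustration written for this article (it is not Lumiun's code and not part of the original post). It models a DNS-level filter: every query is first checked against a phishing blocklist, which is enforced for everyone, and only then against the categories each user group is allowed to reach. The blocklist, category map, group names and log lines are all constructed for the example.

```python
import re

# Constructed sample data; none of this comes from a real product or threat feed.
PHISHING_BLOCKLIST = {"sucessodevendason.invalid", "ofertaexclusivadodia.invalid"}
CATEGORIES = {
    "americanas.com.br": "shopping",
    "itau.com.br": "banking",
    "facebook.com": "social",
    "zoom.com.br": "shopping",
}
# Hypothetical policy: which categories each user group may reach.
GROUP_POLICY = {
    "finance": {"banking", "shopping"},
    "sales": {"shopping", "social"},
    "default": {"shopping"},
}
UNCATEGORIZED = "uncategorized"


def parent_domains(qname):
    """Yield the name and each of its parents: a.b.c -> a.b.c, b.c, c."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def categorize(qname):
    """Walk from the most specific name upwards; the blocklist wins over any category."""
    for domain in parent_domains(qname):
        if domain in PHISHING_BLOCKLIST:
            return "phishing"
        if domain in CATEGORIES:
            return CATEGORIES[domain]
    return UNCATEGORIZED


def decide(group, qname):
    """Return (verdict, category). Phishing is blocked regardless of group;
    anything else is allowed only if its category is in the group's policy.
    Unknown groups and uncategorized names fall through to the default policy."""
    category = categorize(qname)
    if category == "phishing":
        return "block", category
    allowed = GROUP_POLICY.get(group, GROUP_POLICY["default"])
    return ("allow" if category in allowed else "block"), category


# Field layout of the constructed resolver log lines below.
LOG_LINE = re.compile(r"user=(?P<user>\S+) group=(?P<group>\S+) qname=(?P<qname>\S+)")


def process_log(lines):
    """Apply the policy to each well-formed log line; malformed lines are skipped."""
    results = []
    for line in lines:
        match = LOG_LINE.search(line)
        if not match:
            continue
        verdict, category = decide(match["group"], match["qname"])
        results.append((match["user"], match["qname"], category, verdict))
    return results


# Constructed DNS query log; names under .invalid never resolve.
SAMPLE_LOG = [
    "2019-10-01T10:12:03Z user=ana group=finance qname=www.itau.com.br",
    "2019-10-01T10:12:09Z user=joao group=sales qname=www37.sucessodevendason.invalid",
    "2019-10-01T10:12:15Z user=joao group=sales qname=www.itau.com.br",
    "2019-10-01T10:12:21Z user=maria group=default qname=www.facebook.com",
    "2019-10-01T10:12:27Z user=maria group=default qname=www.americanas.com.br",
    "2019-10-01T10:12:33Z user=carlos group=default qname=update.unknown-vendor.invalid",
    "this line has no recognizable fields",
]

if __name__ == "__main__":
    for user, qname, category, verdict in process_log(SAMPLE_LOG):
        print(f"{verdict:5} {user:7} {category:13} {qname}")
```

Two design points carry over to real deployments: the blocklist check runs before the category check so that a phishing domain classified as "shopping" by a stale category feed is still blocked, and uncategorized names are denied rather than allowed by default, which is what stops a freshly registered phishing domain that no feed has seen yet.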

In the video below we demonstrate how an email phishing attack works: the message pretends to come from the PagSeguro payment service and aims to steal the victim's login credentials. First, access to the phishing site is shown without any protection. Then the same access is attempted with Lumiun active on the company's network.

In this way, the video presents a comparison of the effectiveness of a Phishing attack on an unprotected network and another with security and protection technology.

If you have an additional tip about phishing or want to clarify any questions, leave your comment here on the article or write to me directly at alex@lumiun.com.
