The Limited Times


It's not your bank, but a hoax: (almost) definitive guide to avoid attacks through 'phishing'

2023-01-12T10:16:01.920Z


Simple steps to avoid falling for emails and messages that impersonate banks and other organizations to defraud the recipient


The email may seem genuine and it's hard to resist clicking the attached link: a package being held at customs, a notice from the bank of a VISA charge, a prize notification…

Phishing cyberattacks have become a real plague that takes advantage of the weakest link in the chain: the human.

The basis of this scam technique lies in deception.

Attackers create emails or SMS messages that look almost identical to those of the company they're trying to impersonate, and if your guard is lowered, it's tempting to click the link or open the attachment.

These types of communications usually urge the recipient to carry out one of two actions: the first is meant to obtain data from your credit card or checking account, while the second is meant to introduce some type of malicious software into the system.

Artificial intelligence will trigger attacks

The outlook is not good, moreover, with regard to the volume and precision of phishing attacks: "Advances in artificial intelligence will cause a frenzy of identity theft," Francisco Arnau, Akamai's regional vice president for Spain and Portugal, explains to EL PAÍS. "Looking forward, we can expect that continued advances in artificial intelligence, such as those seen in systems like GPT-3, will make targeted phishing more compelling, more scalable, and common."

These systems allow for the generation of “millions of email or SMS messages, each personalized for an individual recipient, and each with compelling human-like qualities,” Arnau explains.

This characteristic will make them difficult to detect by current protection technologies.

This will pose a significant challenge to existing anti-phishing technologies, and "make it much more difficult for people to detect suspicious communications."

How to protect yourself against a phishing attack

The first thing to understand is that anyone can be the victim of a cyberattack of this kind.

These automated attacks do not distinguish between individuals or companies, and are launched en masse with devastating consequences if the recipient falls for it.

Image of a pop-up window of a possible phishing attempt. Jose Mendiola.

The figures are overwhelming: it is estimated that some 15,000 million emails of this kind are sent every day, of which a third are opened by the recipient.

This technique is, moreover, responsible for 90% of the security breaches that occur in the world, and, as we have pointed out, the human element is what drives its success.

How can one protect oneself against a phishing attack?

Mistrust, that great ally

"When you receive a very tempting offer, it is better to be suspicious," explains Fernando Suárez, president of the General Council of Official Colleges of Computer Engineering.

This expert appeals to the most important protective barrier, one that can save the user from serious consequences.

“A bank will never ask us to change the password by sending an email and clicking a link,” he explains.

Kevin Mitnick, a well-known former hacker, explains to EL PAÍS that, by default, "people tend to trust unless they have been victims of a cyberattack or have been educated about the threat of phishing."

Never click a link and verify the attachment with the sender

With distrust and suspicion already in hand as weapons, any attack using the phishing technique relies, as we have previously indicated, on one of two fundamental elements: a hyperlink or an attachment.

Do not forget that hackers want to obtain valuable information from the recipient to empty their checking account or credit card, or install malware with even worse intentions.

“If we receive a hyperlink and we doubt it, it is better to type the URL of the company that asks us by hand in the browser,” says Suárez, referring to the fact that, in general, these links are maliciously manipulated.

The general rule, in any case, should be never to click on a link that comes to us by email or open attachments.

For the latter, "it costs nothing to contact the sender by other means" to verify the origin of the attachment; that is, a call, a WhatsApp or a text message, never a reply to that email.

Keep an eye on the 'From' in emails

Cyberattackers are becoming more sophisticated when it comes to crafting emails, but they can't always fully camouflage them.

In this sense, one way to discover deception lies in the domain from which it is written.

Thus, if we come across senders whose domains are “Microsoft-support.com” or “Apple-support.com” (with additions that are different from the original domain), we will know that we are victims of an attack.

In any case and when in doubt, it is best not to interact with that email.

The same is applicable to SMS.

"Phishing attacks have spread to text messages," warns Suárez, who points to an additional danger: "on mobile phones, we are less cautious than on computers and we act more impulsively."

Parcel companies are collateral victims of cyberattacks, especially at times of high volume of shipments such as Christmas.

For example, a message apparently from the Post Office, demanding the payment of a customs fee, will hide a cyberattack: "a bank or other large entity will never demand immediate payment via mobile phone," explains Suárez.

And the problem is not the payment itself (generally a small amount), but that when making it, the user gives their credit card information to the scammers.

What time was the message sent?

Mitnick's experience in this matter is invaluable, and this expert gives a clue that can help identify phishing: the time of delivery.

If someone who lives in Spain receives an email demanding a payment or a response and the message was sent at dawn, that is a fundamental reason for suspicion.

In general, Internet users relate to environments in the same time zone, so communication outside of it should trigger alerts.

In the same way, the 'subject' field can be a good indicator of the intent of the email: Is the language used familiar? Do they address you formally when, in general, you are addressed informally? Do they address you by your email address?

Likewise, if the subject field shows a "RE:" indicating a response to an email that was never sent, we are facing another camouflage technique used by cyberattackers.
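The three header checks described above (the sender's domain, the sending time, and a "RE:" subject with no earlier message) can be automated by a mail filter. The following Python code is an added example, not part of the original article; the brand list, the fixed UTC+1 offset for Spain, the night-hour window and both sample messages are assumptions constructed for illustration.

```python
from datetime import timedelta, timezone
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Assumptions for illustration: brands the recipient deals with and their real domains.
OFFICIAL = {"microsoft": "microsoft.com", "apple": "apple.com"}
LOCAL_TZ = timezone(timedelta(hours=1))  # Spain in winter (CET); ignores summer time
NIGHT_HOURS = range(0, 6)                # 00:00-05:59 local time counts as unusual

def phishing_signals(raw: str) -> list[str]:
    """Return the warning signs found in one raw email (headers + body)."""
    msg = message_from_string(raw)
    signals = []
    # 1. 'From' domain names a brand but is not that brand's own domain.
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    for brand, real in OFFICIAL.items():
        if brand in domain and domain != real and not domain.endswith("." + real):
            signals.append(f"lookalike-domain:{domain}")
    # 2. Sent in the middle of the night, measured in the recipient's time zone.
    try:
        sent = parsedate_to_datetime(msg["Date"])
        if sent.tzinfo is not None and sent.astimezone(LOCAL_TZ).hour in NIGHT_HOURS:
            signals.append("sent-at-night")
    except (TypeError, ValueError):
        signals.append("unreadable-date")
    # 3. "RE:" subject, but no threading header points to an earlier message.
    subject = msg.get("Subject", "").strip().lower()
    if subject.startswith("re:") and not (msg["In-Reply-To"] or msg["References"]):
        signals.append("reply-without-thread")
    return signals

# Constructed sample messages (not real emails).
SUSPICIOUS = """\
From: "Microsoft Support" <help@microsoft-support.com>
Date: Thu, 12 Jan 2023 02:40:00 +0000
Subject: RE: Your account will be closed

Confirm your password within 2 hours.
"""
GENUINE = """\
From: Apple <no_reply@email.apple.com>
Date: Thu, 12 Jan 2023 10:16:00 +0100
Subject: Your receipt

Thank you for your purchase.
"""
if __name__ == "__main__":
    print(phishing_signals(SUSPICIOUS))
    print(phishing_signals(GENUINE))
```

A message that triggers none of these signals is not thereby safe; the checks only surface the specific warning signs the article lists.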

Beware of 'quick, reply!'

Another of the techniques that hackers use when carrying out a cyber attack is to create a sense of urgency.

This is evident with the messages received from supposed parcel companies, in which they warn that there are a few hours to pay the fee or the package will be returned.

In general, it is not usual for a large entity to communicate via email urging a response, and if that is the case, it is always advisable to contact that company by another means to verify the authenticity of the message.

The maxim should be "never click or enter our username and password in a conversation that we have not started, a simple rule that everyone should apply," explains Mitnick.


Source: elparis
